ctblocker | 748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

General

Target

748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe
Size

654KB
MD5

9cd4cebf8b04cd6864b59e4c0cf4aafa
SHA1

2287faa3026c5981f3796268112998ac1c06c5d3
SHA256

748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7
SHA512

03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d
SSDEEP

12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-otdblmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. O4ISHRJ-ABJLJGF-J4XJWRM-ZQ2QKSI-RGVONHD-JZTBNSL-6S3QSCY-H6IYIYO ODI6J2U-M4X4HRR-KHN52EW-XDZDWPZ-CKQQ7PF-4TIL2SS-V6H74RI-QSMOJRD QDN3P76-5C3XDAU-URNFY5T-JMN4OG3-MJEUJXA-MU2DUP4-2YOJIGK-ARHSATB Follow the instructions on the server.

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-otdblmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. O4ISHRJ-ABJLJGF-J4XJWRM-ZQ2QKSI-RGVONHD-JZTBNSL-6S3QSCY-H6IYIYO ODI6J2U-M4X4HRR-KHN52EW-XDZDWPZ-CKQQ7PF-4TIL2SS-V6H74RI-QSMOJRD QDN3P76-5C3XDAU-URNFY5T-JMN4OG3-MJEURFA-SB2DUP4-2YOJIGK-ARHSDOA Follow the instructions on the server.

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
1480	pcrcyge.exe
1620	pcrcyge.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExpandWrite.CRW.otdblmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\WaitHide.CRW.otdblmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SwitchTrace.RAW.otdblmn	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	pcrcyge.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-otdblmn.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-otdblmn.bmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-otdblmn.txt	svchost.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
664	vssadmin.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061003200380062003200320034002d0031006100380032002d0031003100650064002d0062003900380066002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1504	748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe
1480	pcrcyge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1376	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1480	pcrcyge.exe
Token: SeDebugPrivilege	1480	pcrcyge.exe
Token: SeShutdownPrivilege	1376	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1620	pcrcyge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1620	pcrcyge.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1376	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1480	1932	taskeng.exe	29
PID 1932 wrote to memory of 1480	1932	taskeng.exe	29
PID 1932 wrote to memory of 1480	1932	taskeng.exe	29
PID 1932 wrote to memory of 1480	1932	taskeng.exe	29
PID 1480 wrote to memory of 592	1480	pcrcyge.exe	27
PID 592 wrote to memory of 1276	592	svchost.exe	30
PID 592 wrote to memory of 1276	592	svchost.exe	30
PID 592 wrote to memory of 1276	592	svchost.exe	30
PID 1480 wrote to memory of 1376	1480	pcrcyge.exe	16
PID 1480 wrote to memory of 664	1480	pcrcyge.exe	31
PID 1480 wrote to memory of 664	1480	pcrcyge.exe	31
PID 1480 wrote to memory of 664	1480	pcrcyge.exe	31
PID 1480 wrote to memory of 664	1480	pcrcyge.exe	31
PID 1480 wrote to memory of 1620	1480	pcrcyge.exe	33
PID 1480 wrote to memory of 1620	1480	pcrcyge.exe	33
PID 1480 wrote to memory of 1620	1480	pcrcyge.exe	33
PID 1480 wrote to memory of 1620	1480	pcrcyge.exe	33

C:\Users\Admin\AppData\Local\Temp\748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe
"C:\Users\Admin\AppData\Local\Temp\748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1276

C:\Windows\system32\taskeng.exe
taskeng.exe {8002E135-FD15-43EE-BE4B-0B5F9CF1A386} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
  C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - Interacts with shadow copies
    PID:664
- - C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
    "C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" -u
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\aubdarb

Filesize
654B

MD5
9532089cb290ea11677b6ead4f7336e5

SHA1
7be5e6b65c923f1fab88fbc17e1225b15c50239f

SHA256
a589bd6ad29b242a90fc945c06fd44ff4cec87ac9afad58928377aef380741ef

SHA512
108ad29fc0099988e3ebdc8a06e442ad673580f502c768e6121c0b81ce68b340639d9f090fec683f6712944b3e744c71b4b39ab89f49bb3548c0d029725331e0

Download Submit
C:\ProgramData\Microsoft\aubdarb

Filesize
654B

MD5
9532089cb290ea11677b6ead4f7336e5

SHA1
7be5e6b65c923f1fab88fbc17e1225b15c50239f

SHA256
a589bd6ad29b242a90fc945c06fd44ff4cec87ac9afad58928377aef380741ef

SHA512
108ad29fc0099988e3ebdc8a06e442ad673580f502c768e6121c0b81ce68b340639d9f090fec683f6712944b3e744c71b4b39ab89f49bb3548c0d029725331e0

Download Submit
C:\ProgramData\Microsoft\aubdarb

Filesize
654B

MD5
d1fafd2a431314b1efd09a1d30c2b117

SHA1
d50961d62785e06fc4eb360ccee0d6d5ed50e87b

SHA256
551eea0f367f34607c3550a3501d965ae2a98163541bd474ab1bbf64a6669058

SHA512
0c66f4f23dccb7ca09e12e40d6d25a2f7c54e4aa92f9bea9fc44c54c109f5d1ef75751202fa5c8679d37994e84b38dbfdb092d5bd04f575218fe6baa828be33c

Download Submit
C:\ProgramData\Microsoft\aubdarb

Filesize
654B

MD5
2375cf93c2cd01b42dc1bad65d319cf0

SHA1
03e3f97ed34e6a6037cdc8a33b471009e6fb005a

SHA256
933f8d6accced00fb42cb9449ded08867c076da16d185c5dc5fe6233a329cb34

SHA512
205ddf2b2a7f44f10068688028a237a8b8d1bd44106b52b332002c68dbe5b1b898833f84d7f1960a1ede73aafd7351a4a725bd76cd7c7e4d74559bc176a06ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe

Filesize
654KB

MD5
9cd4cebf8b04cd6864b59e4c0cf4aafa

SHA1
2287faa3026c5981f3796268112998ac1c06c5d3

SHA256
748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

SHA512
03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe

Filesize
654KB

MD5
9cd4cebf8b04cd6864b59e4c0cf4aafa

SHA1
2287faa3026c5981f3796268112998ac1c06c5d3

SHA256
748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

SHA512
03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe

Filesize
654KB

MD5
9cd4cebf8b04cd6864b59e4c0cf4aafa

SHA1
2287faa3026c5981f3796268112998ac1c06c5d3

SHA256
748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

SHA512
03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

Download Submit
memory/592-69-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/592-65-0x0000000000110000-0x0000000000187000-memory.dmp

Filesize
476KB

Download
memory/592-63-0x0000000000110000-0x0000000000187000-memory.dmp

Filesize
476KB

Download
memory/1480-62-0x00000000007A0000-0x00000000009EB000-memory.dmp

Filesize
2.3MB

Download
memory/1504-54-0x0000000000950000-0x0000000000B6A000-memory.dmp

Filesize
2.1MB

Download
memory/1504-56-0x0000000000B70000-0x0000000000DBB000-memory.dmp

Filesize
2.3MB

Download
memory/1504-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1620-80-0x0000000000880000-0x0000000000ACB000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads