ctblocker | 2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72

General

Target

2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe
Size

692KB
MD5

eef1051839abf0ad0cbe49488617672f
SHA1

d8d42dc918225d20b3388a056fe503f4d5524074
SHA256

2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72
SHA512

a7eedc50cfa5bba76ffc7ce41f14b32687080b8842e94de949ff6288bedafc4a57f0f386f984e3dcf7191290879677d28c17e0652f0e14adf6a43b1e78efb9db
SSDEEP

12288:VQiHYh6UeeLrQp0/XoU8bTRsdi9JSZPLGhX9H1QO7l4n2A1muOhsXL:dQ6UeeLkMB8bTRskSjeXh+Ok7OhY

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eobbgfm.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. SADHTVG-IPYHZO6-ODQMDUK-ZE6GPEN-FXDEBLO-YJM2SWQ-YOTQJG4-R3KHPCM TV72XVC-WMN4RX4-YFR66AQ-RV5TMD2-C42KSYC-NIKFLLR-S2P4NWQ-XAFA6NI OOETYG4-XWIXE7M-YPSTHH4-XZ2RTMX-WHIAKVA-Q3TDPWR-LM234AR-O7ADDOM Follow the instructions on the server.

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker

Executes dropped EXE 2 IoCs

pid	Process
1076	pojdjsb.exe
1780	pojdjsb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 892 set thread context of 336	892	2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe	28
PID 1076 set thread context of 1780	1076	pojdjsb.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eobbgfm.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eobbgfm.bmp	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
336	2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe
1780	pojdjsb.exe
1780	pojdjsb.exe
1780	pojdjsb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	pojdjsb.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 336	892	2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe	28
PID 892 wrote to memory of 336	892	2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe	28
PID 892 wrote to memory of 336	892	2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe	28
PID 892 wrote to memory of 336	892	2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe	28
PID 892 wrote to memory of 336	892	2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe	28
PID 892 wrote to memory of 336	892	2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe	28
PID 892 wrote to memory of 336	892	2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe	28
PID 1660 wrote to memory of 1076	1660	taskeng.exe	30
PID 1660 wrote to memory of 1076	1660	taskeng.exe	30
PID 1660 wrote to memory of 1076	1660	taskeng.exe	30
PID 1660 wrote to memory of 1076	1660	taskeng.exe	30
PID 1076 wrote to memory of 1780	1076	pojdjsb.exe	31
PID 1076 wrote to memory of 1780	1076	pojdjsb.exe	31
PID 1076 wrote to memory of 1780	1076	pojdjsb.exe	31
PID 1076 wrote to memory of 1780	1076	pojdjsb.exe	31
PID 1076 wrote to memory of 1780	1076	pojdjsb.exe	31
PID 1076 wrote to memory of 1780	1076	pojdjsb.exe	31
PID 1076 wrote to memory of 1780	1076	pojdjsb.exe	31
PID 1780 wrote to memory of 600	1780	pojdjsb.exe	26

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops file in Program Files directory
PID:600

C:\Users\Admin\AppData\Local\Temp\2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe
"C:\Users\Admin\AppData\Local\Temp\2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe
  "C:\Users\Admin\AppData\Local\Temp\2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:336

C:\Windows\system32\taskeng.exe
taskeng.exe {EEB6C6CD-2FBC-45AA-AC6E-4B26806A3B35} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe
  C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe
    "C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\upjjgia

Filesize
654B

MD5
28da8b630b86c543a879f0fcdd1ce547

SHA1
2927abf63f194eafd85968663951d87a7996b675

SHA256
ec6f6e40f60d24e072bc34f9ba4448b8765d1c05135a1245f677c428fb6f5b92

SHA512
3de782c76ecd4ace188651c2884e3534624eb5e11f115e6e69db4ba9bf5f48b1046cbff46ca6e70d030bba0fced957d786ca2e4bf115b1cbc15e7f2cca154d88

Download Submit
C:\ProgramData\Package Cache\upjjgia

Filesize
654B

MD5
dee5267149404ed8c305f27c5977fc91

SHA1
227d75c6168f4e1c263f671aeeca2ca8b2027dab

SHA256
d6c0e29c6ccd48598e09784b7c926d9b7decaa12cac864c993d6b9745ba749b2

SHA512
f5663eac53a6e66f98e8b17786dc08c423ad959fd80970490214d253d0a3d26d317117cd03640123c36a9fad7b2dfacfe4db16fa42c57985a0d047cabba9115d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe

Filesize
692KB

MD5
eef1051839abf0ad0cbe49488617672f

SHA1
d8d42dc918225d20b3388a056fe503f4d5524074

SHA256
2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72

SHA512
a7eedc50cfa5bba76ffc7ce41f14b32687080b8842e94de949ff6288bedafc4a57f0f386f984e3dcf7191290879677d28c17e0652f0e14adf6a43b1e78efb9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe

Filesize
692KB

MD5
eef1051839abf0ad0cbe49488617672f

SHA1
d8d42dc918225d20b3388a056fe503f4d5524074

SHA256
2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72

SHA512
a7eedc50cfa5bba76ffc7ce41f14b32687080b8842e94de949ff6288bedafc4a57f0f386f984e3dcf7191290879677d28c17e0652f0e14adf6a43b1e78efb9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\pojdjsb.exe

Filesize
692KB

MD5
eef1051839abf0ad0cbe49488617672f

SHA1
d8d42dc918225d20b3388a056fe503f4d5524074

SHA256
2419cf3833207c8e84a162a7ae0094982e8120cb0c242982ed848034998b4e72

SHA512
a7eedc50cfa5bba76ffc7ce41f14b32687080b8842e94de949ff6288bedafc4a57f0f386f984e3dcf7191290879677d28c17e0652f0e14adf6a43b1e78efb9db

Download Submit
memory/336-65-0x0000000000870000-0x0000000000ABB000-memory.dmp

Filesize
2.3MB

Download
memory/336-63-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/336-64-0x0000000000401000-0x00000000004A5000-memory.dmp

Filesize
656KB

Download
memory/336-54-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/336-62-0x0000000000650000-0x000000000086A000-memory.dmp

Filesize
2.1MB

Download
memory/336-55-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/336-61-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/336-57-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/600-81-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/600-83-0x0000000000520000-0x0000000000597000-memory.dmp

Filesize
476KB

Download
memory/1780-80-0x0000000000800000-0x0000000000A4B000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing