ctblocker | 1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

General

Target

1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
Size

890KB
MD5

edeb5dea8ad10ae0102a5888991036b9
SHA1

8ba3ed9ab88b8fd8c77ede0f304deeec8cef843d
SHA256

1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3
SHA512

7bc2c3ffa882abf8b45cdd4df0677aee2495c453b3fcfc486a5321ff14b62cce35566efce579f5773164cdc55d39e9e97fa57833b337d1e7def888d13838cecd
SSDEEP

12288:3GjEJ5DY3YJW1QNCfFKVIm3vLZabIIsOihKlz3wp0dN2ZENtLfiIPDtOkYl9a:xn9HI8Ebdihs3K0HPN57PxOM

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-hlvcmzk.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. R2HPKKL-RM3B73W-FI4AY6W-2ZEPRWW-NXAJDZY-357DNAX-HCMW7OR-GS66KWL OHIMIT4-PK2X6VR-MTVAJC6-PQHGIMV-FQQHCWL-ZV7QKEQ-X74O462-A3AXDNA TE7RYK2-U5WKYTG-CSIPTN4-J764WVY-RFGNQSH-WB52JIX-VPBVVPQ-WN4LJQK Follow the instructions on the server.

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker

Executes dropped EXE 2 IoCs

pid	Process
836	vhbumzm.exe
776	vhbumzm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 1328	1776	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	28
PID 836 set thread context of 776	836	vhbumzm.exe	31

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-hlvcmzk.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-hlvcmzk.bmp	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1328	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
776	vhbumzm.exe
776	vhbumzm.exe
776	vhbumzm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	776	vhbumzm.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1328	1776	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	28
PID 1776 wrote to memory of 1328	1776	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	28
PID 1776 wrote to memory of 1328	1776	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	28
PID 1776 wrote to memory of 1328	1776	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	28
PID 1776 wrote to memory of 1328	1776	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	28
PID 1776 wrote to memory of 1328	1776	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	28
PID 1776 wrote to memory of 1328	1776	1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe	28
PID 1116 wrote to memory of 836	1116	taskeng.exe	30
PID 1116 wrote to memory of 836	1116	taskeng.exe	30
PID 1116 wrote to memory of 836	1116	taskeng.exe	30
PID 1116 wrote to memory of 836	1116	taskeng.exe	30
PID 836 wrote to memory of 776	836	vhbumzm.exe	31
PID 836 wrote to memory of 776	836	vhbumzm.exe	31
PID 836 wrote to memory of 776	836	vhbumzm.exe	31
PID 836 wrote to memory of 776	836	vhbumzm.exe	31
PID 836 wrote to memory of 776	836	vhbumzm.exe	31
PID 836 wrote to memory of 776	836	vhbumzm.exe	31
PID 836 wrote to memory of 776	836	vhbumzm.exe	31
PID 776 wrote to memory of 596	776	vhbumzm.exe	19

C:\Users\Admin\AppData\Local\Temp\1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
"C:\Users\Admin\AppData\Local\Temp\1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
  C:\Users\Admin\AppData\Local\Temp\1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops file in Program Files directory
PID:596

C:\Windows\system32\taskeng.exe
taskeng.exe {7236723C-1B28-48D2-A1A1-2B43A4EB8CB5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
  C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
    C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\jbnjrvg

Filesize
654B

MD5
7663822e0f44d826e6aa81807d57bda5

SHA1
00d673150a1c42a46b0e6e5b3e35fa1a5aa8ac87

SHA256
23a5334a26d4386e632cf73ba47040ca36f65dc480f2480c1861922e5120f0ce

SHA512
15ceb8bf9e61420da17d9349ea763393332a06b61eff6135953ecaaba5746c6c6e66ebcb8ce6970f4097e2e91e3f4f69230ec237c52bbcca5605d927db8c1509

Download Submit
C:\ProgramData\Mozilla\jbnjrvg

Filesize
654B

MD5
7663822e0f44d826e6aa81807d57bda5

SHA1
00d673150a1c42a46b0e6e5b3e35fa1a5aa8ac87

SHA256
23a5334a26d4386e632cf73ba47040ca36f65dc480f2480c1861922e5120f0ce

SHA512
15ceb8bf9e61420da17d9349ea763393332a06b61eff6135953ecaaba5746c6c6e66ebcb8ce6970f4097e2e91e3f4f69230ec237c52bbcca5605d927db8c1509

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
890KB

MD5
edeb5dea8ad10ae0102a5888991036b9

SHA1
8ba3ed9ab88b8fd8c77ede0f304deeec8cef843d

SHA256
1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

SHA512
7bc2c3ffa882abf8b45cdd4df0677aee2495c453b3fcfc486a5321ff14b62cce35566efce579f5773164cdc55d39e9e97fa57833b337d1e7def888d13838cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
890KB

MD5
edeb5dea8ad10ae0102a5888991036b9

SHA1
8ba3ed9ab88b8fd8c77ede0f304deeec8cef843d

SHA256
1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

SHA512
7bc2c3ffa882abf8b45cdd4df0677aee2495c453b3fcfc486a5321ff14b62cce35566efce579f5773164cdc55d39e9e97fa57833b337d1e7def888d13838cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhbumzm.exe

Filesize
890KB

MD5
edeb5dea8ad10ae0102a5888991036b9

SHA1
8ba3ed9ab88b8fd8c77ede0f304deeec8cef843d

SHA256
1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

SHA512
7bc2c3ffa882abf8b45cdd4df0677aee2495c453b3fcfc486a5321ff14b62cce35566efce579f5773164cdc55d39e9e97fa57833b337d1e7def888d13838cecd

Download Submit
memory/596-71-0x0000000000610000-0x0000000000687000-memory.dmp

Filesize
476KB

Download
memory/596-73-0x0000000000610000-0x0000000000687000-memory.dmp

Filesize
476KB

Download
memory/776-70-0x0000000000890000-0x0000000000ADB000-memory.dmp

Filesize
2.3MB

Download
memory/1328-60-0x0000000000C30000-0x0000000000E7B000-memory.dmp

Filesize
2.3MB

Download
memory/1328-59-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/1328-58-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1328-54-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1328-57-0x0000000000A10000-0x0000000000C2A000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing