ctblocker | 995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22

General

Target

f24e6374518fa7aed3d24a064a03bd23.exe
Size

654KB
MD5

f24e6374518fa7aed3d24a064a03bd23
SHA1

d0ffebdb6e5f97c2842d5578f889345b88224d5c
SHA256

995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22
SHA512

de8c3f80802c06bc85dc1605aae39e981e46861820fd2e2b87eca28febcafc26513ac562d8c133799ab18ffe7c752b45cd3e1fbf6c539e9db9fd45686fa1c484
SSDEEP

12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\ProgramData\onfckwn.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://kph3onblkthy4z37.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cnlrkum.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\International\Geo\Nation	cnlrkum.exe

Executes dropped EXE 2 IoCs

Processes:

cnlrkum.execnlrkum.exe

pid process

2004 cnlrkum.exe
2392 cnlrkum.exe

pid	process
2004	cnlrkum.exe
2392	cnlrkum.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

File opened (read-only) \??\F: svchost.exe

description	ioc	process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

cnlrkum.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	cnlrkum.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-aeixhuk.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-aeixhuk.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-aeixhuk.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3032 vssadmin.exe

pid	process
3032	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

cnlrkum.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main	cnlrkum.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	cnlrkum.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	cnlrkum.exe

Modifies data under HKEY_USERS 23 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{04cf7581-9b5e-11ee-8e10-ce9b5d0c5de4}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{22bbcac4-9b9c-11ee-882b-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{22bbcac4-9b9c-11ee-882b-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{22bbcac4-9b9c-11ee-882b-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{04cf7581-9b5e-11ee-8e10-ce9b5d0c5de4}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{04cf7581-9b5e-11ee-8e10-ce9b5d0c5de4}\MaxCapacity = "2047"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320032006200620063006100630034002d0039006200390063002d0031003100650065002d0038003800320062002d003800300036006500360066003600650036003900360033007d00000030002c007b00300034006300660037003500380031002d0039006200350065002d0031003100650065002d0038006500310030002d006300650039006200350064003000630035006400650034007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

f24e6374518fa7aed3d24a064a03bd23.execnlrkum.exe

pid process

2408 f24e6374518fa7aed3d24a064a03bd23.exe
2004 cnlrkum.exe
2004 cnlrkum.exe
2004 cnlrkum.exe
2004 cnlrkum.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cnlrkum.exe

description pid process

Token: SeDebugPrivilege 2004 cnlrkum.exe
Token: SeDebugPrivilege 2004 cnlrkum.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cnlrkum.exe

pid process

2392 cnlrkum.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

cnlrkum.exe

pid process

2392 cnlrkum.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

cnlrkum.exe

pid process

2392 cnlrkum.exe
2392 cnlrkum.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE

pid	process
2408	f24e6374518fa7aed3d24a064a03bd23.exe
2004	cnlrkum.exe
2004	cnlrkum.exe
2004	cnlrkum.exe
2004	cnlrkum.exe

description	pid	process
Token: SeDebugPrivilege	2004	cnlrkum.exe
Token: SeDebugPrivilege	2004	cnlrkum.exe

pid	process
2392	cnlrkum.exe

pid	process
2392	cnlrkum.exe

pid	process
2392	cnlrkum.exe
2392	cnlrkum.exe

pid	process
1252	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

taskeng.execnlrkum.exesvchost.exe

description	pid	process	target process
PID 1900 wrote to memory of 2004	1900	taskeng.exe	cnlrkum.exe
PID 1900 wrote to memory of 2004	1900	taskeng.exe	cnlrkum.exe
PID 1900 wrote to memory of 2004	1900	taskeng.exe	cnlrkum.exe
PID 1900 wrote to memory of 2004	1900	taskeng.exe	cnlrkum.exe
PID 2004 wrote to memory of 600	2004	cnlrkum.exe	svchost.exe
PID 600 wrote to memory of 2876	600	svchost.exe	wmiprvse.exe
PID 600 wrote to memory of 2876	600	svchost.exe	wmiprvse.exe
PID 600 wrote to memory of 2876	600	svchost.exe	wmiprvse.exe
PID 600 wrote to memory of 2080	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 2080	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 2080	600	svchost.exe	DllHost.exe
PID 2004 wrote to memory of 1252	2004	cnlrkum.exe	Explorer.EXE
PID 2004 wrote to memory of 3032	2004	cnlrkum.exe	vssadmin.exe
PID 2004 wrote to memory of 3032	2004	cnlrkum.exe	vssadmin.exe
PID 2004 wrote to memory of 3032	2004	cnlrkum.exe	vssadmin.exe
PID 2004 wrote to memory of 3032	2004	cnlrkum.exe	vssadmin.exe
PID 2004 wrote to memory of 2392	2004	cnlrkum.exe	cnlrkum.exe
PID 2004 wrote to memory of 2392	2004	cnlrkum.exe	cnlrkum.exe
PID 2004 wrote to memory of 2392	2004	cnlrkum.exe	cnlrkum.exe
PID 2004 wrote to memory of 2392	2004	cnlrkum.exe	cnlrkum.exe
PID 600 wrote to memory of 2444	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 2444	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 2444	600	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of UnmapMainImage
PID:1252
- C:\Users\Admin\AppData\Local\Temp\f24e6374518fa7aed3d24a064a03bd23.exe
  "C:\Users\Admin\AppData\Local\Temp\f24e6374518fa7aed3d24a064a03bd23.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  2⤵
  PID:2876
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:2080
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2444

C:\Windows\system32\taskeng.exe
taskeng.exe {DF4E910B-4F58-4B05-9D5D-B29086152FE0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\cnlrkum.exe
  C:\Users\Admin\AppData\Local\Temp\cnlrkum.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - Interacts with shadow copies
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\cnlrkum.exe
    "C:\Users\Admin\AppData\Local\Temp\cnlrkum.exe" -u
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\btbhnal

Filesize
654B

MD5
ee130902362b35081cd720685ddd004f

SHA1
4e527c3e392e78b11f402dff1ab8c83098b595a6

SHA256
6c572f6274e915b9304be70b50d571cf95f2a3f29ba8db91a25b85c0fad94b73

SHA512
f75dbb016f06f668872cdba91614da8ee665e374bfce4ea4675c0af51860913257cb58cce2ffe69dc69a9cb019dd6fc2e12d856b135abeb395e42ab6a64e3d2f

Download Submit
C:\ProgramData\Package Cache\btbhnal

Filesize
654B

MD5
4de1f41b4ca50c76971d4bdab21a8726

SHA1
4d38135aa963eceee12d3a1089d4ba96607448da

SHA256
59f099537a57043746de46beb05b6c4ca7d206f15b05e1be58f10523fc704d24

SHA512
f0d99b2682d78b9e95bb127c88f3d862ae1f965929f9e3bc055d63d6cf119f853bb6f79dd919561e59a6503353f0eaa78fa16928a6ae16979971aeb04c99a527

Download Submit
C:\ProgramData\Package Cache\btbhnal

Filesize
654B

MD5
fed9acb5ec416adaa21a4b3f9498d2a5

SHA1
9e4c707627fc868cba23c3e59d28b992feb9eef4

SHA256
3db4fa2bae8686c7dee5a5db962c930aca46e2cea09bca74887e8f30da569d63

SHA512
bc92d4de8685ce42e3f4b5807d5ae842602bbd1cb7d00deba8e358d64274b70416738e03301617b8bd6bcc7b36e68aff50d0eb98b2e19591b6fbe1a4de014fdb

Download Submit
C:\ProgramData\onfckwn.html

Filesize
62KB

MD5
ba24006ced7ee472b36b01089eb2fdc0

SHA1
cf269fe39ad5a774fdb67f5c3b0792fa5aca6523

SHA256
680ed083897e629471a5f66addf871c3b0c964223cac2da644494e5da37989b7

SHA512
40b780e157f77beec2104fda0128673964d36f159ee4f295d38c97fb9a40cc6c182668f8b56609b33ad0dc71b8ddef9d2e28f8c7008f5785b02db98a781b9680

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnlrkum.exe

Filesize
654KB

MD5
f24e6374518fa7aed3d24a064a03bd23

SHA1
d0ffebdb6e5f97c2842d5578f889345b88224d5c

SHA256
995944ed13ab4ff7f88fa268bb0c29b23ff762f4329730fd056dcac5e27f9d22

SHA512
de8c3f80802c06bc85dc1605aae39e981e46861820fd2e2b87eca28febcafc26513ac562d8c133799ab18ffe7c752b45cd3e1fbf6c539e9db9fd45686fa1c484

Download Submit
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/600-10-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/600-9-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/600-20-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/600-18-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/600-16-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/600-12-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/600-186-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/600-1210-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/600-13-0x00000000004C0000-0x0000000000537000-memory.dmp

Filesize
476KB

Download
memory/2004-1222-0x0000000000A10000-0x0000000000C5B000-memory.dmp

Filesize
2.3MB

Download
memory/2004-6-0x0000000000A10000-0x0000000000C5B000-memory.dmp

Filesize
2.3MB

Download
memory/2392-1235-0x0000000000690000-0x00000000008DB000-memory.dmp

Filesize
2.3MB

Download
memory/2392-1236-0x0000000000690000-0x00000000008DB000-memory.dmp

Filesize
2.3MB

Download
memory/2392-1237-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2392-1239-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2408-0-0x0000000000560000-0x000000000077A000-memory.dmp

Filesize
2.1MB

Download
memory/2408-1-0x00000000008B0000-0x0000000000AFB000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads