ctblocker | 597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674

General

Target

VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
Size

662KB
MD5

a5d0e995d43232bd4b3d73f8899b7ef0
SHA1

46e06085c542f69ca2a78bba9f4eaa0ad77b1713
SHA256

597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674
SHA512

c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb
SSDEEP

12288:vKPvdIQ/slCcdrN8VfeP/hUmQ2jqh+aCKpQKEskUjeWhjZrwPqQRc:a6OslWVfeP/s2j8+aCGHFZnOc

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\ProgramData\ulbiyui.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wknrxte.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation	wknrxte.exe

Executes dropped EXE 2 IoCs

Processes:

wknrxte.exewknrxte.exe

pid process

2396 wknrxte.exe
2916 wknrxte.exe

pid	process
2396	wknrxte.exe
2916	wknrxte.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

File opened (read-only) \??\F: svchost.exe

description	ioc	process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

wknrxte.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wknrxte.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-pdtujmm.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pdtujmm.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pdtujmm.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1920 vssadmin.exe

pid	process
1920	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

wknrxte.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main	wknrxte.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	wknrxte.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	wknrxte.exe

Modifies data under HKEY_USERS 22 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{351d1101-9b6a-11ee-8f37-ce9b5d0c5de4}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8c41d644-9ba8-11ee-a7cd-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{351d1101-9b6a-11ee-8f37-ce9b5d0c5de4}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{351d1101-9b6a-11ee-8f37-ce9b5d0c5de4}\MaxCapacity = "2047"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00380063003400310064003600340034002d0039006200610038002d0031003100650065002d0061003700630064002d003800300036006500360066003600650036003900360033007d00000030002c007b00330035003100640031003100300031002d0039006200360061002d0031003100650065002d0038006600330037002d006300650039006200350064003000630035006400650034007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8c41d644-9ba8-11ee-a7cd-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8c41d644-9ba8-11ee-a7cd-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exewknrxte.exewknrxte.exe

pid	process
1712	VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
2396	wknrxte.exe
2396	wknrxte.exe
2396	wknrxte.exe
2396	wknrxte.exe
2916	wknrxte.exe
2916	wknrxte.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wknrxte.exe

description pid process

Token: SeDebugPrivilege 2396 wknrxte.exe
Token: SeDebugPrivilege 2396 wknrxte.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wknrxte.exe

pid process

2916 wknrxte.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

wknrxte.exe

pid process

2916 wknrxte.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wknrxte.exe

pid process

2916 wknrxte.exe
2916 wknrxte.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2396	wknrxte.exe
Token: SeDebugPrivilege	2396	wknrxte.exe

pid	process
2916	wknrxte.exe

pid	process
2916	wknrxte.exe

pid	process
2916	wknrxte.exe
2916	wknrxte.exe

pid	process
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

taskeng.exewknrxte.exesvchost.exe

description	pid	process	target process
PID 1208 wrote to memory of 2396	1208	taskeng.exe	wknrxte.exe
PID 1208 wrote to memory of 2396	1208	taskeng.exe	wknrxte.exe
PID 1208 wrote to memory of 2396	1208	taskeng.exe	wknrxte.exe
PID 1208 wrote to memory of 2396	1208	taskeng.exe	wknrxte.exe
PID 2396 wrote to memory of 608	2396	wknrxte.exe	svchost.exe
PID 608 wrote to memory of 2656	608	svchost.exe	DllHost.exe
PID 608 wrote to memory of 2656	608	svchost.exe	DllHost.exe
PID 608 wrote to memory of 2656	608	svchost.exe	DllHost.exe
PID 2396 wrote to memory of 1264	2396	wknrxte.exe	Explorer.EXE
PID 2396 wrote to memory of 1920	2396	wknrxte.exe	vssadmin.exe
PID 2396 wrote to memory of 1920	2396	wknrxte.exe	vssadmin.exe
PID 2396 wrote to memory of 1920	2396	wknrxte.exe	vssadmin.exe
PID 2396 wrote to memory of 1920	2396	wknrxte.exe	vssadmin.exe
PID 2396 wrote to memory of 2916	2396	wknrxte.exe	wknrxte.exe
PID 2396 wrote to memory of 2916	2396	wknrxte.exe	wknrxte.exe
PID 2396 wrote to memory of 2916	2396	wknrxte.exe	wknrxte.exe
PID 2396 wrote to memory of 2916	2396	wknrxte.exe	wknrxte.exe
PID 608 wrote to memory of 1908	608	svchost.exe	DllHost.exe
PID 608 wrote to memory of 1908	608	svchost.exe	DllHost.exe
PID 608 wrote to memory of 1908	608	svchost.exe	DllHost.exe
PID 608 wrote to memory of 2176	608	svchost.exe	wmiprvse.exe
PID 608 wrote to memory of 2176	608	svchost.exe	wmiprvse.exe
PID 608 wrote to memory of 2176	608	svchost.exe	wmiprvse.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of UnmapMainImage
PID:1264

C:\Users\Admin\AppData\Local\Temp\VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:2656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:1908

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:2176

C:\Windows\system32\taskeng.exe
taskeng.exe {31C47B99-B7B8-4DD7-BF5E-82EF2BA5F744} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\wknrxte.exe
C:\Users\Admin\AppData\Local\Temp\wknrxte.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
3⤵
- Interacts with shadow copies
PID:1920

C:\Users\Admin\AppData\Local\Temp\wknrxte.exe
"C:\Users\Admin\AppData\Local\Temp\wknrxte.exe" -u
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\xwwktjk
Filesize
654B

MD5
ac10d980eba23bd733c6c2f319cdf3b3

SHA1
95373b54671cab5ced53a1db31555942a3e84c74

SHA256
996cc89d50d956c68da8ae7d5b4bd119eecad656ddc9efaaf2062b6bcd431458

SHA512
24db1d767989586f8a0ff38c1c0ba89453d292b2e5386faa60c102a0ce6e5640020e5ab6ed42176703c8057ef504a75bbaf9fa883983de689bce68a525cab095

Download Submit
C:\ProgramData\Adobe\xwwktjk
Filesize
654B

MD5
6a243a410c641138de1f28dacd9358d0

SHA1
6020082c3f1ab5e92a061c0d21b98ebb61df2164

SHA256
ec44616f28d31a013812e064d864d71a9549bd1af909c393ed1d8d36ea640ad3

SHA512
3d6a0cf526097799849d1f50f024247fb74d1ff6407e0d468bf0086da167df7825f4193c9909082fb26d78beeb69ead6418c5359ceef12b7520c0e4938e1ef27

Download Submit
C:\ProgramData\ulbiyui.html
Filesize
62KB

MD5
200fa3637f5ed5b1800600ce7f3f8f52

SHA1
93837e660ddc74219ba2970b21958b47eb8c7fab

SHA256
2726a8bff8d91588635f71866b546346705c763537bcdb9ed01b08800e4eaad3

SHA512
cd1a514af7f726d03990f07c5fc39a2ad0ada62ea49e19f2377c6b04d75ee5a8a194510f6999d793c17b1f3754196762d681f2e93911bfb14574227a7bac7eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\wknrxte.exe
Filesize
640KB

MD5
cb3eb9190a67d4a29bf88b0c14b01acf

SHA1
58ec918a7be2a7c9c027b1710cbebe07f9651881

SHA256
a3d46e45eafba5dc674176f9e115162759393d06ddb60a32de14cb6bb650f6ca

SHA512
d9acdcd2dced3519462d7b429bb0039be6644a01a099a3720bf8eba3e0763c18b4c7d153580c7367c463f666531c1414315cae2f4d950e96cda7e9f7e772360e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wknrxte.exe
Filesize
662KB

MD5
a5d0e995d43232bd4b3d73f8899b7ef0

SHA1
46e06085c542f69ca2a78bba9f4eaa0ad77b1713

SHA256
597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674

SHA512
c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb

Download Submit
memory/608-20-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/608-1217-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/608-13-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/608-9-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/608-17-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/608-14-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/608-19-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/608-11-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/608-273-0x00000000002D0000-0x0000000000347000-memory.dmp

Filesize
476KB

Download
memory/1712-1-0x0000000000900000-0x0000000000B4B000-memory.dmp

Filesize
2.3MB

Download
memory/1712-0-0x00000000006E0000-0x00000000008FA000-memory.dmp

Filesize
2.1MB

Download
memory/2396-6-0x00000000009A0000-0x0000000000BEB000-memory.dmp

Filesize
2.3MB

Download
memory/2396-1229-0x00000000009A0000-0x0000000000BEB000-memory.dmp

Filesize
2.3MB

Download
memory/2396-1240-0x00000000009A0000-0x0000000000BEB000-memory.dmp

Filesize
2.3MB

Download
memory/2916-1242-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/2916-1243-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/2916-1244-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2916-1246-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/2916-1247-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/2916-1248-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/2916-1249-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads