ctblocker | 597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674

General

Target

VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
Size

662KB
MD5

a5d0e995d43232bd4b3d73f8899b7ef0
SHA1

46e06085c542f69ca2a78bba9f4eaa0ad77b1713
SHA256

597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674
SHA512

c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb
SSDEEP

12288:vKPvdIQ/slCcdrN8VfeP/hUmQ2jqh+aCKpQKEskUjeWhjZrwPqQRc:a6OslWVfeP/s2j8+aCGHFZnOc

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\ProgramData\grrgxfk.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

nvneoqg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation nvneoqg.exe
Executes dropped EXE 2 IoCs

Processes:

nvneoqg.exenvneoqg.exe

pid process

1828 nvneoqg.exe
1192 nvneoqg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	nvneoqg.exe

pid	process
1828	nvneoqg.exe
1192	nvneoqg.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

File opened (read-only) \??\F: svchost.exe

description	ioc	process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 5 IoCs

Processes:

nvneoqg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	nvneoqg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	nvneoqg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	nvneoqg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini	nvneoqg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	nvneoqg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-klobozg.bmp"	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

nvneoqg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	nvneoqg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	nvneoqg.exe

Modifies data under HKEY_USERS 23 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-d01200000000}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-f0ff3a000000}\NukeOnDelete = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-f0ff3a000000}\MaxCapacity = "2047"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{18122b6c-0000-0000-0000-f0ff3a000000}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00310038003100320032006200360063002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d00000030002c007b00310038003100320032006200360063002d0030003000300030002d0030003000300030002d0030003000300030002d006600300066006600330061003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exenvneoqg.exe

pid	process
3160	VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
3160	VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
1828	nvneoqg.exe
1828	nvneoqg.exe
1828	nvneoqg.exe
1828	nvneoqg.exe
1828	nvneoqg.exe
1828	nvneoqg.exe
1828	nvneoqg.exe
1828	nvneoqg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

nvneoqg.exe

description pid process

Token: SeDebugPrivilege 1828 nvneoqg.exe
Token: SeDebugPrivilege 1828 nvneoqg.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

nvneoqg.exe

pid process

1192 nvneoqg.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

nvneoqg.exe

pid process

1192 nvneoqg.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

nvneoqg.exe

pid process

1192 nvneoqg.exe
1192 nvneoqg.exe

description	pid	process
Token: SeDebugPrivilege	1828	nvneoqg.exe
Token: SeDebugPrivilege	1828	nvneoqg.exe

pid	process
1192	nvneoqg.exe

pid	process
1192	nvneoqg.exe

pid	process
1192	nvneoqg.exe
1192	nvneoqg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

nvneoqg.exesvchost.exe

description	pid	process	target process
PID 1828 wrote to memory of 796	1828	nvneoqg.exe	svchost.exe
PID 796 wrote to memory of 2508	796	svchost.exe	mousocoreworker.exe
PID 796 wrote to memory of 2508	796	svchost.exe	mousocoreworker.exe
PID 796 wrote to memory of 3120	796	svchost.exe	DllHost.exe
PID 796 wrote to memory of 3120	796	svchost.exe	DllHost.exe
PID 1828 wrote to memory of 3380	1828	nvneoqg.exe	Explorer.EXE
PID 1828 wrote to memory of 1192	1828	nvneoqg.exe	nvneoqg.exe
PID 1828 wrote to memory of 1192	1828	nvneoqg.exe	nvneoqg.exe
PID 1828 wrote to memory of 1192	1828	nvneoqg.exe	nvneoqg.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:2508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:3120

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
PID:3380

C:\Users\Admin\AppData\Local\Temp\VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_a5d0e995d43232bd4b3d73f8899b7ef0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3160

C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
"C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe" -u
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistribution\efxilme
Filesize
654B

MD5
8e9afd635533ce087be8829a27e998a7

SHA1
044425f7d0b0a6ddfa76ea9df8b3e4000caa2da1

SHA256
1b340cb6caf8630c304ee3067a12ab448f2f52525bdb81960376a8d7106ca005

SHA512
10eb00be32ecffe9a27ca1f719e43de1c691a78ffc02b5a192266d8372eaa5d84be264bdb541ecb139de2f9dc760719185f17681bd2040c1e2ce0cfa15270f72

Download Submit
C:\ProgramData\SoftwareDistribution\efxilme
Filesize
654B

MD5
86d586d5974e8d2a68324fe6fe97e942

SHA1
df56985099adfd1c1667f1e70fe4583988359b99

SHA256
1be70bc3b6d1ae721b053d63ffc2b61a2867dc54f9b59f908d73f882bd1dcff6

SHA512
d1dce1afa0ce421c95066be7d26f7bf193d760fa3c1d034c93ab73cf5c6a0742ef5b1fc487edbe05450cf8a35d94bb63f97118dd34678642033ccf666b17bfde

Download Submit
C:\ProgramData\SoftwareDistribution\efxilme
Filesize
654B

MD5
4c57a449f01392139d82531f55c75292

SHA1
5c506ed64d9e0c8bc81cc35d16097ed90252997a

SHA256
c755941b7ee43a3eb80100ebc03287dd495e96e1984acac856a5dbe3c1f9c9f4

SHA512
05d3371d46b2cbdfb05fc1dc6ca5d18e15946a398d033d1c6a9a776cb5c066463c0cbc603a49797322a78f6cbee51a1b3f68415eea2733aacb941a83476fcb82

Download Submit
C:\ProgramData\SoftwareDistribution\efxilme
Filesize
654B

MD5
b36f7b80c67981ba03e93b40bbe224b9

SHA1
e3f5b76fc3b17faf53048474d72ce1efd3183515

SHA256
bb120dfb39c8e7cff3e2c826a262058ee8bb6e854eca67261492788e39c0b12c

SHA512
5c60f21ef42f4c5838f72e193dce196afb789deea11c1fea931a2a3c2180dc1892f44fc6645bf68cb2a5a84946569d5a3b434d0042daddf8607962a993846937

Download Submit
C:\ProgramData\grrgxfk.html
Filesize
61KB

MD5
bef32ef7f3e8ecf85f068c1b69d8fe9c

SHA1
db74e9f70778e074d25385fbdb71e0c30e6f6080

SHA256
22298f2e16d143eed340e66bee3a236309e758175849bf366fdd76fe6f31e504

SHA512
9c36fbe4b6bd148afbeb0617df2e4da60f01ffca8e48631c9861750b04d99466f0707d39faddcab80bd29b36d894750e43e47e8b8fec7d25a7aed40a8341b3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvneoqg.exe
Filesize
662KB

MD5
a5d0e995d43232bd4b3d73f8899b7ef0

SHA1
46e06085c542f69ca2a78bba9f4eaa0ad77b1713

SHA256
597ae8a86df361a4d18a381b80b3be8968f3d8fc187a48cddbb27653217bf674

SHA512
c65757fc305586930c1cc5dd0a712b3a071fdd89b357328a28fea208dcdd67c9717b7de4678e525652a324d976b2588105bda82575d2cb7b7682b6730e9c4fdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.klobozg
Filesize
36KB

MD5
bb430a25f8e39b9712c2377fc0e6d806

SHA1
1abc7a8ec7a4062753fa84a1f50fe01d9980a069

SHA256
8da581fd9203086d41cfa3bfafc44defd93c234b42a7d3a4f947fb11625a793f

SHA512
1b5e8b2976633951cc10c7d74208a8c5401361e3976b9499fc8ae26fdc09dc2a520b88f3737e09cbdbdfda3de6975157cf8eacf606db8ac911faee7fe8d7e158

Download Submit
memory/796-11-0x0000000038830000-0x00000000388A7000-memory.dmp

Filesize
476KB

Download
memory/796-3393-0x0000000038830000-0x00000000388A7000-memory.dmp

Filesize
476KB

Download
memory/796-17-0x0000000038830000-0x00000000388A7000-memory.dmp

Filesize
476KB

Download
memory/796-19-0x0000000038830000-0x00000000388A7000-memory.dmp

Filesize
476KB

Download
memory/796-20-0x0000000038830000-0x00000000388A7000-memory.dmp

Filesize
476KB

Download
memory/796-550-0x0000000038830000-0x00000000388A7000-memory.dmp

Filesize
476KB

Download
memory/796-12-0x0000000038830000-0x00000000388A7000-memory.dmp

Filesize
476KB

Download
memory/796-15-0x0000000038830000-0x00000000388A7000-memory.dmp

Filesize
476KB

Download
memory/796-9-0x0000000038830000-0x00000000388A7000-memory.dmp

Filesize
476KB

Download
memory/1192-3424-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/1192-3425-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/1828-3405-0x0000000000A00000-0x0000000000C4B000-memory.dmp

Filesize
2.3MB

Download
memory/1828-6-0x0000000000A00000-0x0000000000C4B000-memory.dmp

Filesize
2.3MB

Download
memory/3160-0-0x0000000000900000-0x0000000000B1A000-memory.dmp

Filesize
2.1MB

Download
memory/3160-1-0x0000000000B20000-0x0000000000D6B000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads