ctblocker | 743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

General

Target

b2e27e88dd895d90f19c8d0314662720_NeikiAnalytics.exe
Size

653KB
MD5

b2e27e88dd895d90f19c8d0314662720
SHA1

cc69874f94ae42a274e4b3171e850ad2d3c02465
SHA256

743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87
SHA512

85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2
SSDEEP

12288:Tf4N3H1XrMFzr0bgo+adMSoy2tVxhwCmQpEZ/0hQOk8+4XKlThiHSrEZ:w1XoFcuadOyy/TC/gYDKYliH

Score

10^/10

ctblocker defense_evasion execution impact ransomware

Malware Config

Extracted

Path

C:\ProgramData\hmqeonk.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\International\Geo\Nation	uyhdxne.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	uyhdxne.exe
2800	uyhdxne.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	uyhdxne.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-pmbytmg.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pmbytmg.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pmbytmg.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1588	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	uyhdxne.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	uyhdxne.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	uyhdxne.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a5ad3764-2897-11ef-9ebe-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{cf7fb801-2860-11ef-824f-5e4db530a215}\NukeOnDelete = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{cf7fb801-2860-11ef-824f-5e4db530a215}\MaxCapacity = "2047"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a5ad3764-2897-11ef-9ebe-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a5ad3764-2897-11ef-9ebe-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{cf7fb801-2860-11ef-824f-5e4db530a215}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00610035006100640033003700360034002d0032003800390037002d0031003100650066002d0039006500620065002d003800300036006500360066003600650036003900360033007d00000030002c007b00630066003700660062003800300031002d0032003800360030002d0031003100650066002d0038003200340066002d003500650034006400620035003300300061003200310035007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2388	b2e27e88dd895d90f19c8d0314662720_NeikiAnalytics.exe
2724	uyhdxne.exe
2724	uyhdxne.exe
2724	uyhdxne.exe
2724	uyhdxne.exe
2800	uyhdxne.exe
2800	uyhdxne.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	uyhdxne.exe
Token: SeDebugPrivilege	2724	uyhdxne.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2800	uyhdxne.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2800	uyhdxne.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2800	uyhdxne.exe
2800	uyhdxne.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1364	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2724	2404	taskeng.exe	29
PID 2404 wrote to memory of 2724	2404	taskeng.exe	29
PID 2404 wrote to memory of 2724	2404	taskeng.exe	29
PID 2404 wrote to memory of 2724	2404	taskeng.exe	29
PID 2724 wrote to memory of 604	2724	uyhdxne.exe	9
PID 604 wrote to memory of 1356	604	svchost.exe	30
PID 604 wrote to memory of 1356	604	svchost.exe	30
PID 604 wrote to memory of 1356	604	svchost.exe	30
PID 2724 wrote to memory of 1364	2724	uyhdxne.exe	21
PID 2724 wrote to memory of 1588	2724	uyhdxne.exe	31
PID 2724 wrote to memory of 1588	2724	uyhdxne.exe	31
PID 2724 wrote to memory of 1588	2724	uyhdxne.exe	31
PID 2724 wrote to memory of 1588	2724	uyhdxne.exe	31
PID 2724 wrote to memory of 2800	2724	uyhdxne.exe	33
PID 2724 wrote to memory of 2800	2724	uyhdxne.exe	33
PID 2724 wrote to memory of 2800	2724	uyhdxne.exe	33
PID 2724 wrote to memory of 2800	2724	uyhdxne.exe	33
PID 604 wrote to memory of 1960	604	svchost.exe	34
PID 604 wrote to memory of 1960	604	svchost.exe	34
PID 604 wrote to memory of 1960	604	svchost.exe	34
PID 604 wrote to memory of 896	604	svchost.exe	36
PID 604 wrote to memory of 896	604	svchost.exe	36
PID 604 wrote to memory of 896	604	svchost.exe	36

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:604
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:1356
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1960
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  2⤵
  PID:896

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of UnmapMainImage
PID:1364
- C:\Users\Admin\AppData\Local\Temp\b2e27e88dd895d90f19c8d0314662720_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\b2e27e88dd895d90f19c8d0314662720_NeikiAnalytics.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388

C:\Windows\system32\taskeng.exe
taskeng.exe {341BD03C-4C17-43BE-91CD-C0560FA36419} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\uyhdxne.exe
  C:\Users\Admin\AppData\Local\Temp\uyhdxne.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - Interacts with shadow copies
    PID:1588
- - C:\Users\Admin\AppData\Local\Temp\uyhdxne.exe
    "C:\Users\Admin\AppData\Local\Temp\uyhdxne.exe" -u
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\fxnofpl

Filesize
654B

MD5
ef801c20775c220b64d51a8201c7bce6

SHA1
b34bdcbdab6bd0265a33ff66acd4f5ffad5652a3

SHA256
02a6df9ae897a1a1b97501ddf31a7599b31f81bb1d83dd18fe591ad70a588b13

SHA512
678fb3865d8509381127bdd0c2a9b57caf837021b946148536581fe79dfa30ace905288045a6aa7ebb84dbb312bdd47588675ead117ce1d4b6c0a3de1f4c11ad

Download Submit
C:\ProgramData\Package Cache\fxnofpl

Filesize
654B

MD5
b2dfc56aa56daaf6aa2194dc077043f5

SHA1
a13b9bd6a8b4275dc80c7b77fc3779022a577129

SHA256
8df01f1ac7eaab73b2c5f79a588f093229b5ade59686a872b58d8f9580f64eaa

SHA512
ed3a355327181f7f95bd0c854dc0333d43e78b7cf2149d0d65824d168b9052fb3622034e92d0528aa729070c5c773fed2d88e1567179434de60d895e21bfb257

Download Submit
C:\ProgramData\Package Cache\fxnofpl

Filesize
654B

MD5
24c45261d9c2df69c898cb96c43615a8

SHA1
464ba8ce3e922a91f8a302c1a0608b8ea9c98724

SHA256
ce3dd1a00e75770aefe7eb2f100dc3d0d6855469d847144c6cab2ad55310b901

SHA512
e3a00327dab14a0205729863de21b0852aaaf2be7d832cfd0173b278137fd875a0e46aee3fa6598bb1b25b5919d2eba7f76d544f4369201e5ac257676d12c890

Download Submit
C:\ProgramData\hmqeonk.html

Filesize
63KB

MD5
08d239565bfdac08857d90c665ea63b7

SHA1
fddbb04c3a78521e2545bb2585a7c594e27c6f42

SHA256
f300bc47d11446cbd11081fefdf9b21d5a429367dc88149e41185316d0ea1c5a

SHA512
d6445935f904b42692c496ca4b3ef1ce81a0d11a3cc7211b5b7738fef2b4e4206f1ef369865d7ff431ba3ace6962f342304072a128a13ad22215dc4eb42a44e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyhdxne.exe

Filesize
653KB

MD5
b2e27e88dd895d90f19c8d0314662720

SHA1
cc69874f94ae42a274e4b3171e850ad2d3c02465

SHA256
743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

SHA512
85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2

Download Submit
memory/604-23-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/604-1232-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/604-13-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/604-18-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/604-16-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/604-20-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/604-10-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/604-9-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/604-40-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/604-12-0x00000000001A0000-0x0000000000217000-memory.dmp

Filesize
476KB

Download
memory/2388-0-0x00000000009C0000-0x0000000000BDA000-memory.dmp

Filesize
2.1MB

Download
memory/2388-1-0x0000000000BE0000-0x0000000000E2B000-memory.dmp

Filesize
2.3MB

Download
memory/2724-1244-0x00000000009B0000-0x0000000000BFB000-memory.dmp

Filesize
2.3MB

Download
memory/2724-6-0x00000000009B0000-0x0000000000BFB000-memory.dmp

Filesize
2.3MB

Download
memory/2724-1254-0x00000000009B0000-0x0000000000BFB000-memory.dmp

Filesize
2.3MB

Download
memory/2800-1258-0x00000000009B0000-0x0000000000BFB000-memory.dmp

Filesize
2.3MB

Download
memory/2800-1260-0x00000000009B0000-0x0000000000BFB000-memory.dmp

Filesize
2.3MB

Download
memory/2800-1261-0x00000000009B0000-0x0000000000BFB000-memory.dmp

Filesize
2.3MB

Download
memory/2800-1263-0x00000000009B0000-0x0000000000BFB000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads