Overview

overview

10

Static

static

88ae30e10e...le.exe

windows7_x64

10

88ae30e10e...le.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample

  • Size

    654KB

  • Sample

    210726-yhv7efd9dn

  • MD5

    2452df8493c85994e7fe0f42e664999e

  • SHA1

    0ed37c982134aa703837f38bea0549e70c29bccb

  • SHA256

    88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e

  • SHA512

    132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tixksrn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. WZIEFFP-UZSWJ46-MXEJKAE-V7KDE6A-QEYRAVG-ZEYDM57-LBJCJQY-6M4CLIU CPG6TD6-JDMQ4VD-A72HULJ-H6HAEXE-KVDKOGE-OB63HCX-T4G5CYZ-GM6VPOC 7KSAZSZ-JWVSBC3-GQ2DN4R-PVKUL2Y-LA7OKWF-WZEXW6A-4CIB4BY-QUAZBMY Follow the instructions on the server.
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-tixksrn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. WZIEFFP-UZSWJ46-MXEJKAE-V7KDE6A-QEYRAVG-ZEYDM57-LBJCJQY-6M4CLIU CPG6TD6-JDMQ4VD-A72HULJ-H6HAEXE-KVDKOGE-OB63HCX-T4G5CYZ-GM6VPOC 7KSAZSZ-JWVSBC3-GQ2DN4R-PVKUL2Y-LA7OREF-YCEXW6A-4CIB4BY-QUAZ6QV Follow the instructions on the server.
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\sctpnha.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-dmzevle.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. EZ64OF6-HZYLEVK-WU34SHU-EZ2OC7O-4XX3ZOV-4QD2LBI-RJIZD7I-QZMPNHV IMZKW52-X5V3EUX-DZ743GH-FU3E4T6-QSUA4PF-3SRRI5D-3ZMS473-ULTYBD4 LNFEJ2K-CL6AUFR-LPB5YHJ-JR7IA3G-E4BIV44-CY7W3Y3-GDTHBUQ-R7YTKVN Follow the instructions on the server.
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Targets

    • Target

      88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample

    • Size

      654KB

    • MD5

      2452df8493c85994e7fe0f42e664999e

    • SHA1

      0ed37c982134aa703837f38bea0549e70c29bccb

    • SHA256

      88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e

    • SHA512

      132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb

    Score
    10/10
    ctblockerransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks