General
Target: 6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495
Size: 743KB
Sample: 221003-1vtgrshcem
MD5: 69eb41d973e7c96fe47c381320dfd140
SHA1: e45c2f5e2f74c35beb1a019b708573155f5a17a1
SHA256: 6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495
SHA512: 5b4a8bf698640d7a25b9b6bdf1b9d73e9c99593c307c2f416b07bc1e9ea70091327cd6afcd5f5717a7f0160c1a46832d79ff4b1e4d1a45113f3f6d986fa88b52
SSDEEP: 12288:zogZILd4+csZJQNtUbu+jlkB9XwN6qZvbU5+fXKQbX48KfVko93LYtZtq:zog84MJyUqXwjZvc+fa0Kfzos
Static task: static1
Behavioral task: behavioral1
  Sample: 6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495.exe
  Resource: win10v2004-20220812-en
Malware Config
Extracted from: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-chldicl.txt
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion/
Extracted from: C:\Users\Admin\Documents\!Decrypt-All-Files-chldicl.txt
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion/
Extracted from: C:\Users\Admin\Documents\!Decrypt-All-Files-grqyird.txt
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion/
Targets
Target: 6ce78b597a3e693e58b3fee9ee9b549991d071d6e7928f817d69e299048d9495 (size and hashes identical to the General section above)
Score: 10/10
Signatures:
  Executes dropped EXE
  Modifies extensions of user files (ransomware generally changes the extension on encrypted files)
  Loads dropped DLL
  Drops desktop.ini file(s)
  Sets desktop wallpaper using registry
  Suspicious use of SetThreadContext