Overview

overview

10

Static

static

a2931fbe8a...92.exe

windows7-x64

10

a2931fbe8a...92.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

  • Size

    1012KB

  • Sample

    221125-x8drpaac34

  • MD5

    d9687bcc9a27bcd0f13b9582edb06f67

  • SHA1

    a74a952457d1bc2edb9d459852fe823615870f60

  • SHA256

    a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

  • SHA512

    c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

  • SSDEEP

    12288:b5r+zclYhHS4xovm4+l+9qzezjhGfqlmTlKb37NTXivuzV+2ZrPhnqyPqFjFMuMX:b1+E0SmUafqGlKj7NbivuM2ZrJCjN8

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ojkdmzk.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 4JMOTVD-UWYB7TR-FVIQFZB-IA67GPU-L57SAR6-TPRPRFV-REFDO2S-4AYS7LK ZJXJCOH-UDJDMBU-H5ZALGU-JCMQ3UO-HISXZJV-IZE7VWE-7SJ7YRP-GNJDBIF VH4VATS-UENATDV-73WKAK3-PVHFCKV-E74UPLI-MB4NOIZ-2QCXNY3-YQ33D5E Follow the instructions on the server.
URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Targets

    • Target

      a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

    • Size

      1012KB

    • MD5

      d9687bcc9a27bcd0f13b9582edb06f67

    • SHA1

      a74a952457d1bc2edb9d459852fe823615870f60

    • SHA256

      a2931fbe8affc89239b30fef37cb3b567e7483c5d4494e0e459efae733ecee92

    • SHA512

      c11ac848ed72aeaae76f345f0bbc2b6934c0cec0729279f59b5a6a14f5d3b2d1ff4d2322eae3a217231841aeb436e0817d50fe59aa8105791b4bbc13a1906769

    • SSDEEP

      12288:b5r+zclYhHS4xovm4+l+9qzezjhGfqlmTlKb37NTXivuzV+2ZrPhnqyPqFjFMuMX:b1+E0SmUafqGlKj7NbivuM2ZrJCjN8

    Score
    10/10
    ctblockerransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks