General

  • Target

    39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

  • Size

    248KB

  • Sample

    221126-kx9nrsff32

  • MD5

    d8704f06cb0813c2cbb543b95fda51ce

  • SHA1

    987886e485ecf443002159065411e42cb0dfc264

  • SHA256

    39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

  • SHA512

    473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

  • SSDEEP

    3072:nhFldQnaongiDIhFxbQO48QmcjVDLAAbwwNL768P2NU+dNWz+78/H6OUdDGBLgvC:NbQFZ1ZnzFFPyc+A/etYXg0kZO0Cm

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-xnnwmsb.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. 46D63G4-WLXEWNB-CDR34TN-I6RY6FY-RJBAI4K-SCS66NH-2VLL4O6-K5ACUA4 4UDHIIS-LPTFVC2-XDMU4GS-CDDBK2B-ZQWKXN5-LKC6SHL-UL6P25D-COMBR62 C4D37HM-FCQDWBB-WXTOKMQ-QMW65BD-43PYRB5-RAGTRMM-CBKNLRD-ESDKFDB Follow the instructions on the server.
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-zgjqcsi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. PN2BW33-UU65I7G-NRJLGDN-U5OGLRF-Q3KPRM4-FV5KUWN-XSZYFQM-NO4VGVG V3UT76C-ESX3DQE-QDLE3EZ-L5GPD4V-7AQOLQN-5J6464J-YSYGTZD-C3RRJ7D RHZ7WYI-OYBD23J-CM6S6H5-LOBCGRP-Z7EHPZM-JLKSNCR-I22SDY6-MYDQU4Z Follow the instructions on the server.
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\ProgramData\yrnkowk.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion

Targets

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext
