Overview

overview

10

Static

static

report-ord...ls.exe

windows7-x64

10

report-ord...ls.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5fe4e659c4bd91aec2a126c8f74b01b37d6ffc6701657c93d193decfe19834d0

  • Size

    178KB

  • Sample

    221126-kyawtsaf21

  • MD5

    eef171f1c62bcec4835b8f806a772766

  • SHA1

    5e2f0fc5300f3d394e00abbc34f687215ba87bb6

  • SHA256

    5fe4e659c4bd91aec2a126c8f74b01b37d6ffc6701657c93d193decfe19834d0

  • SHA512

    89a02b361c3ec6ea25838a586b15420309629703b66236d9d62c007e8d7310369e59480b06b397b062c9021070f811be9ce59161a97e77cc324b505b81c01eb5

  • SSDEEP

    3072:cykTeZnw9fFzwDvmotqMn7DZr3R90JS7X3/uleQGSCYnh1PfwFqWPEf3Eiy:cykTpFMXtq+DZrzYSz2jGPYh1AFqWDl

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-nntdmzk.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. VKJJSDN-IL6WJJI-TL4674V-UPHGP46-A2SCG3M-PF565E2-4N23WYZ-JGQY7PS K72QVPO-A4DAJQE-JVUZUFJ-PVY63L6-YQUQCOI-IUFWAI2-6SEA662-V3FWWB4 PVYIT23-ZYRSNH3-RNGFFFH-KEJKZSR-MD5ULE7-35HCD3I-MFMW4RZ-BBTW65T Follow the instructions on the server.
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Targets

    • Target

      report-order-tracking-genereted-auto-gls.exe

    • Size

      248KB

    • MD5

      d8704f06cb0813c2cbb543b95fda51ce

    • SHA1

      987886e485ecf443002159065411e42cb0dfc264

    • SHA256

      39202dbfb206cb19ae76895199276a0e51ed7b66adf3d3c50da86926bb2f7b40

    • SHA512

      473b859bb0a9c2a5837891aba52ab546f07b5db97f15f2ed44944413f151a2fac9116fd1fb17e02b198e63b835948c75a31abbb9982bb201f0999707550d9cc8

    • SSDEEP

      3072:nhFldQnaongiDIhFxbQO48QmcjVDLAAbwwNL768P2NU+dNWz+78/H6OUdDGBLgvC:NbQFZ1ZnzFFPyc+A/etYXg0kZO0Cm

    Score
    10/10
    ctblockerransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks