Overview

overview

10

Static

static

b0577ed39f...a2.exe

windows7-x64

10

b0577ed39f...a2.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2

  • Size

    323KB

  • Sample

    221126-vv97maea8w

  • MD5

    9b9bf35eedda09aa86f25333114dd1d4

  • SHA1

    f64f3f72db97b3c9119284f7ca4d641c41805aa0

  • SHA256

    b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2

  • SHA512

    038c21a487128b61e419f9210adabe3ddca60c8c3d2474a8c0508076f452a2aa2a0a6aff1965c8633fe8befeafe0d140fc20f05d799854e4596367fe3c2667bb

  • SSDEEP

    6144:D5tAt50415jKxZEu4ulgR/nkKmaDRZ/P/e:DnAt5PjKDLinDne

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-stzhzxi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. NFPK5L5-C6GM3W6-ZXURFAG-BNORYZZ-U2VGNBW-YLPEBMV-DMQRTYN-QTO2MG5 PL2ZXB2-FBESVVK-YUBQIBJ-H3M4M4H-SNRQ7DU-7USB7DH-2274MII-5TQH3L7 QDXRU36-3N6QTZQ-5PASAFV-OKRD4MZ-UOUF3VK-BI2XTNY-P2SKJAZ-I6IAWI6 Follow the instructions on the server.
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-stzhzxi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. NFPK5L5-C6GM3W6-ZXURFAG-BNORYZZ-U2VGNBW-YLPEBMV-DMQRTYN-QTO2MG5 PL2ZXB2-FBESVVK-YUBQIBJ-H3M4M4H-SNRQ7DU-7USB7DH-2274MII-5TQH3L7 QDXRU36-3N6QTZQ-5PASAFV-OKRD4MZ-UOUF2GK-LR2XTNY-P2SKJAZ-I6IQV7D Follow the instructions on the server.
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion

Targets

    • Target

      b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2

    • Size

      323KB

    • MD5

      9b9bf35eedda09aa86f25333114dd1d4

    • SHA1

      f64f3f72db97b3c9119284f7ca4d641c41805aa0

    • SHA256

      b0577ed39fe9f9047c390a259e0c18c55396fd88a82531fc2bbe8f6b0fb078a2

    • SHA512

      038c21a487128b61e419f9210adabe3ddca60c8c3d2474a8c0508076f452a2aa2a0a6aff1965c8633fe8befeafe0d140fc20f05d799854e4596367fe3c2667bb

    • SSDEEP

      6144:D5tAt50415jKxZEu4ulgR/nkKmaDRZ/P/e:DnAt5PjKDLinDne

    Score
    10/10
    ctblockerransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks