Overview

overview

10

Static

static

748b8dc9dd...e7.exe

windows7-x64

10

748b8dc9dd...e7.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

  • Size

    654KB

  • Sample

    221128-tvmwnagf28

  • MD5

    9cd4cebf8b04cd6864b59e4c0cf4aafa

  • SHA1

    2287faa3026c5981f3796268112998ac1c06c5d3

  • SHA256

    748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

  • SHA512

    03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

  • SSDEEP

    12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-otdblmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. O4ISHRJ-ABJLJGF-J4XJWRM-ZQ2QKSI-RGVONHD-JZTBNSL-6S3QSCY-H6IYIYO ODI6J2U-M4X4HRR-KHN52EW-XDZDWPZ-CKQQ7PF-4TIL2SS-V6H74RI-QSMOJRD QDN3P76-5C3XDAU-URNFY5T-JMN4OG3-MJEUJXA-MU2DUP4-2YOJIGK-ARHSATB Follow the instructions on the server.
URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-otdblmn.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. O4ISHRJ-ABJLJGF-J4XJWRM-ZQ2QKSI-RGVONHD-JZTBNSL-6S3QSCY-H6IYIYO ODI6J2U-M4X4HRR-KHN52EW-XDZDWPZ-CKQQ7PF-4TIL2SS-V6H74RI-QSMOJRD QDN3P76-5C3XDAU-URNFY5T-JMN4OG3-MJEURFA-SB2DUP4-2YOJIGK-ARHSDOA Follow the instructions on the server.
URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Targets

    • Target

      748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

    • Size

      654KB

    • MD5

      9cd4cebf8b04cd6864b59e4c0cf4aafa

    • SHA1

      2287faa3026c5981f3796268112998ac1c06c5d3

    • SHA256

      748b8dc9ddd13cfdf844a6ba40a59dc5a464d0240133394adffc5496cd1021e7

    • SHA512

      03ec7b69a8f616ab4254429499d80e5b5e7e28c1b44b418b446f6a341bdc77393482cd790764981498c6d54d2ffd0d32c118c45dee056d681533167f7b83359d

    • SSDEEP

      12288:MkzXMinmtrfsNG9USY7x3lgSsIXlYlOHls2E/qZaTcMUJnGHqsvXX1tfLs:LjArfCG+nN3aNIXNFZ5R1GHqsvDI

    Score
    10/10
    ctblockerransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks