General

  • Target

    749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

  • Size

    928KB

  • Sample

    221128-tvnsysgf32

  • MD5

    284b37c4771f4dcf91a37348014e04ff

  • SHA1

    211e5aa4cc0451aa252660576fc5c6a1961667fd

  • SHA256

    749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

  • SHA512

    dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

  • SSDEEP

    24576:+TSkT7/hjVX1uKLGLY27AX1Wh6qC/UxPpXWhi:Evl3LG0h1KZkwPhW

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-hsshzxi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YLZ6O56-AL4MSLE-UHFAEY7-G6VV6GZ-46XDH7W-FVBRSRO-EPQ2H4F-L22NOZI 4M7OHZF-BR5WCMD-EEVE66I-2RATTAF-W3EZJNA-S4PKC3R-A27UEE4-EUQRV5L 3XBV34O-UT5V5OO-QHUJZ5Q-P6ZTFGM-LY3K5RC-UBGRUSJ-3GFC2GG-VUEANF7 Follow the instructions on the server.
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-hsshzxi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YLZ6O56-AL4MSLE-UHFAEY7-G6VV6GZ-46XDH7W-FVBRSRO-EPQ2H4F-L22NOZI 4M7OHZF-BR5WCMD-EEVE66I-2RATTAF-W3EZJNA-S4PKC3R-A27UEE4-EUQRV5L 3XBV34O-UT5V5OO-QHUJZ5Q-P6ZTFGM-LY3KPDC-OUGRUSJ-3GFC2GG-VUEQHQI Follow the instructions on the server.
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Targets

    • Target

      749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

    • Size

      928KB

    • MD5

      284b37c4771f4dcf91a37348014e04ff

    • SHA1

      211e5aa4cc0451aa252660576fc5c6a1961667fd

    • SHA256

      749b990f8fe76d019574a8084e4bc6dccaef3c4370f14d1ff3097d82b6176913

    • SHA512

      dddfd3b527d57ef5b2ac806ca7c083033d05b0df39b7b6513069c91eb43c8645ee2641e5203366a53de3abd7578f254d84ea2ebaebf33388d591d2db787fa568

    • SSDEEP

      24576:+TSkT7/hjVX1uKLGLY27AX1Wh6qC/UxPpXWhi:Evl3LG0h1KZkwPhW

    Score
    10/10
    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Tasks