Overview

overview

10

Static

static

b35793f080...0a.exe

windows7-x64

5

b35793f080...0a.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a

  • Size

    815KB

  • Sample

    221128-tvpegscc9x

  • MD5

    51ed7e8e341c08280b7a0217f7c39a3f

  • SHA1

    079ad2df4a1db02c4170b7d44aaa189f16194fa1

  • SHA256

    b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a

  • SHA512

    13c810699ca58e17a8a5e2bf36e3eeb5d404d5f740ae833fc06f3bcef3aa3cb01da6d373be07a32e29cc613c09803132b8b1a28928a2ffd35abc60b1918168be

  • SSDEEP

    24576:coZle5i/xmrxgxh6UAkNe7bBmGC5MN8XL:dg9yG4Gen

Score
10/10
ctblockerransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-brkqcsi.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. AQCDYTZ-57BI5FG-EGWPADW-GRE3OU6-2TOEQWA-ZGKOGD2-5EKGXKK-RFEIYRU K4IIXQK-HSX3FUW-J4PQ6XV-DDKUHXN-5IRI4CO-6SSP5Q5-FPW5EQI-IJMIK5I AUC4OG4-H34FEV6-67IKE5U-PR5QOFL-ZTVZMIX-CIQE3IA-PZUNUUS-2L7TZQS Follow the instructions on the server.
URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Extracted

Path

C:\ProgramData\yrnkowk.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://onja764ig6vah2jo.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion

Targets

    • Target

      b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a

    • Size

      815KB

    • MD5

      51ed7e8e341c08280b7a0217f7c39a3f

    • SHA1

      079ad2df4a1db02c4170b7d44aaa189f16194fa1

    • SHA256

      b35793f0801b0e787507e04f25f49627b9b2068125df2614e2c98dc35dcb8f0a

    • SHA512

      13c810699ca58e17a8a5e2bf36e3eeb5d404d5f740ae833fc06f3bcef3aa3cb01da6d373be07a32e29cc613c09803132b8b1a28928a2ffd35abc60b1918168be

    • SSDEEP

      24576:coZle5i/xmrxgxh6UAkNe7bBmGC5MN8XL:dg9yG4Gen

    Score
    10/10
    ctblockerransomware

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks