General

  • Target

    cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

  • Size

    802KB

  • Sample

    221128-twp3eagg26

  • MD5

    102c9d8d99c9f453053d1f49620df11f

  • SHA1

    47ab2f2f660832e3a38f6dee882431a5a2404729

  • SHA256

    cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

  • SHA512

    adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

  • SSDEEP

    12288:FgORozerFqm6tU2L6kwt0Z9YlU+iyKAqYpBuT+ZlI4O3dRvUC8yr3e9JKjv6JfPf:FZRFxVYJL7jYlU3vAqYphHcLmwCdSRkj

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-gkbiicl.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. OEPEG4O-4HZIGZQ-QJS3R7W-PMHGQY7-YEHARX4-V6O6JSB-KSVIPTP-PEMNULO KKK2XVA-NVDVBAO-KLNVVY6-PQEC4ZN-N5CEVSM-SJWAIFI-Y4VT3AG-A53T7JQ JK237ZR-LSIYTYK-47ZSLIH-27JUMKK-2MIXMKL-JAN7FNP-QCYZAX7-DUWY4VL Follow the instructions on the server.
URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-gkbiicl.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. OEPEG4O-4HZIGZQ-QJS3R7W-PMHGQY7-YEHARX4-V6O6JSB-KSVIPTP-PEMNULO KKK2XVA-NVDVBAO-KLNVVY6-PQEC4ZN-N5CEVSM-SJWAIFI-Y4VT3AG-A53T7JQ JK237ZR-LSIYTYK-47ZSLIH-27JUMKK-2MIX64L-FXN7FNP-QCYZAX7-DUWYOVY Follow the instructions on the server.
URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Targets

    • Target

      cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

    • Size

      802KB

    • MD5

      102c9d8d99c9f453053d1f49620df11f

    • SHA1

      47ab2f2f660832e3a38f6dee882431a5a2404729

    • SHA256

      cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

    • SHA512

      adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

    • SSDEEP

      12288:FgORozerFqm6tU2L6kwt0Z9YlU+iyKAqYpBuT+ZlI4O3dRvUC8yr3e9JKjv6JfPf:FZRFxVYJL7jYlU3vAqYphHcLmwCdSRkj

    Score
    10/10
    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Tasks