General

  • Target

    1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

  • Size

    890KB

  • Sample

    221128-wmtekseb64

  • MD5

    edeb5dea8ad10ae0102a5888991036b9

  • SHA1

    8ba3ed9ab88b8fd8c77ede0f304deeec8cef843d

  • SHA256

    1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

  • SHA512

    7bc2c3ffa882abf8b45cdd4df0677aee2495c453b3fcfc486a5321ff14b62cce35566efce579f5773164cdc55d39e9e97fa57833b337d1e7def888d13838cecd

  • SSDEEP

    12288:3GjEJ5DY3YJW1QNCfFKVIm3vLZabIIsOihKlz3wp0dN2ZENtLfiIPDtOkYl9a:xn9HI8Ebdihs3K0HPN57PxOM

Score
10/10

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-hlvcmzk.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://kph3onblkthy4z37.onion.cab or http://kph3onblkthy4z37.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://kph3onblkthy4z37.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. R2HPKKL-RM3B73W-FI4AY6W-2ZEPRWW-NXAJDZY-357DNAX-HCMW7OR-GS66KWL OHIMIT4-PK2X6VR-MTVAJC6-PQHGIMV-FQQHCWL-ZV7QKEQ-X74O462-A3AXDNA TE7RYK2-U5WKYTG-CSIPTN4-J764WVY-RFGNQSH-WB52JIX-VPBVVPQ-WN4LJQK Follow the instructions on the server.
URLs

http://kph3onblkthy4z37.onion.cab

http://kph3onblkthy4z37.tor2web.org

http://kph3onblkthy4z37.onion/

Targets

    • Target

      1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

    • Size

      890KB

    • MD5

      edeb5dea8ad10ae0102a5888991036b9

    • SHA1

      8ba3ed9ab88b8fd8c77ede0f304deeec8cef843d

    • SHA256

      1d8c57cb4103be45549b6c48aa4ea55b3baac28a0033d681d7842efce4a28cf3

    • SHA512

      7bc2c3ffa882abf8b45cdd4df0677aee2495c453b3fcfc486a5321ff14b62cce35566efce579f5773164cdc55d39e9e97fa57833b337d1e7def888d13838cecd

    • SSDEEP

      12288:3GjEJ5DY3YJW1QNCfFKVIm3vLZabIIsOihKlz3wp0dN2ZENtLfiIPDtOkYl9a:xn9HI8Ebdihs3K0HPN57PxOM

    Score
    10/10
    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks