Overview

overview

10

Static

static

3

542F2D5ACB...A8.exe

windows7-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    542F2D5ACBE45B037E7A20AC58CCAD039F566ED066D59D7401F2EA936A88AAA8.7z

  • Size

    783KB

  • Sample

    240620-z4835sxdrc

  • MD5

    63d21e0a6cbc5eea33221183847161f7

  • SHA1

    4191c3edc6cb4a9f7cbfe7acd276fc3af0976d3e

  • SHA256

    7ab79b9896e8bf6e039e227eb304504c4065db31941587af00f847ed10dd49f5

  • SHA512

    0560da6a8348879233e28f6b3e5e3c4aa77fa408f7bfa9328ed9d5d468fdc3f76f41670c417f91e011d6d4deaa46ee9810be40d8142e236d8ca2d93a7f95b3f6

  • SSDEEP

    12288:uaiLlSozGfzMmJfEPChurF2mbK1xoyOsarVbdzXMXSC9wqbBLr5B9v8BxzYTKR:ub6YCIBqsRsGMXdbxOxzYuR

Score
10/10
ctblockerdefense_evasionexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\qhnocie.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Targets

    • Target

      542F2D5ACBE45B037E7A20AC58CCAD039F566ED066D59D7401F2EA936A88AAA8.exe

    • Size

      924KB

    • MD5

      12bcae9fbba46e40fc81eda65b27c73b

    • SHA1

      413dce848d94d03213c7ea7ac2c57a1c9a081070

    • SHA256

      542f2d5acbe45b037e7a20ac58ccad039f566ed066d59d7401f2ea936a88aaa8

    • SHA512

      d74a634127371432094b5440e78e8950be1e1ea92ec1496912cfea1741616ccae2320a74c633f7351df00fd9603775c8a11a8e128b99068ad5e16e3a29dd12eb

    • SSDEEP

      24576:+FHH+HHHHHWHVHCUXGHnHHhHraHIeXObvpPMHH+NZZ4EA0OGYrOuGO/GS:+FHH+HHHHHWHVHCUXGHnHHhHraHIeeNK

    Score
    10/10
    ctblockerdefense_evasionexecutionimpactransomwarespywarestealer

    • CTB-Locker

      Ransomware family which uses Tor to hide its C2 communications.

      ransomwarectblocker

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks