General

  • Target

    2c72015e22b53c215403979536bce826.exe

  • Size

    454KB

  • Sample

    211212-pxynqadeck

  • MD5

    2c72015e22b53c215403979536bce826

  • SHA1

    39eb8e3c2cef23d1c7a3f5c3133f40ecc98c1cf1

  • SHA256

    36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd

  • SHA512

    0d2e590b0c32de661ab94c0f7a0eccbbc2bac637120b0148e04b05a826ca5858e6d147e0011bd5094f260e5ff0d3dafbf9bc2c4df099adc3ac5c98d50b6df4b1

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
AD 41 C1 E9 73 A5 7D 4B EB 25 4D 53 FF 74 0F C1 E7 01 08 32 6C 80 91 D2 45 65 09 84 29 4A 4B 63 06 A4 9F 89 26 EA F0 75 43 E4 8A 69 7F 8C 9E 56 66 EA 4C 31 26 00 08 86 6D 32 9C 89 35 C9 04 08 28 46 65 C0 30 63 A7 88 B9 C9 9E 1E 86 89 57 E8 0A CF 80 55 40 1E F5 FD 93 23 B6 7D A4 FE B9 1C 84 73 A7 85 80 E9 21 E9 C0 01 E7 9C F6 E2 AA E3 A8 EF 7A 18 A2 14 EC B1 AE CF 7A CC 81 C4 04 6A CB 1D 66 54 41 FC AE 3F 4A 89 49 5D 4E 15 0F 17 DB 5A E6 6B 80 F6 2E 47 E7 9B 31 A7 99 11 48 60 B2 45 6C A8 3E DB BA 82 B5 23 66 4F F7 FB 9F 46 F2 9D 46 91 67 5D 76 5E 05 01 D0 90 5C 3C 33 69 7E 84 B1 95 E2 D3 63 76 C0 FA C6 A6 48 EC AB DB CD BC 0A 99 B7 8A 16 D1 CB 6C D6 BF CC C9 37 43 91 A0 8D 68 3E D4 DD 9D 9B CA 3A EB 41 04 53 84 EF 38 A3 4B 2C A7 6E 4D 76 0C F8 3E 1C 07 CD DD
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/
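As an added triage example (not part of this sandbox report), the following Python script does the two things a responder usually wants after reading the block above: it checks a file's digests against the MD5/SHA-1/SHA-256/SHA-512 values published here, and it parses a dropped read-me.txt so the .onion URLs, the ticket identifier carried in the URL query, and the hex-encoded victim ID can be recorded as indicators. The note text embedded in the script is a constructed excerpt of the note shown above with the victim ID truncated to eight bytes; the regular expressions, function names and the "Your ID" marker handling are the example's own assumptions, not something the report specifies.

```python
"""Triage helper for the GlobeImposter sample in this report (added example)."""
import hashlib
import re
from urllib.parse import urlparse

# Digests as published in the report for 2c72015e22b53c215403979536bce826.exe.
KNOWN_HASHES = {
    "md5": "2c72015e22b53c215403979536bce826",
    "sha1": "39eb8e3c2cef23d1c7a3f5c3133f40ecc98c1cf1",
    "sha256": "36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd",
    "sha512": (
        "0d2e590b0c32de661ab94c0f7a0eccbbc2bac637120b0148e04b05a826ca5858"
        "e6d147e0011bd5094f260e5ff0d3dafbf9bc2c4df099adc3ac5c98d50b6df4b1"
    ),
}

# v2 onion names are 16 base32 chars, v3 names are 56; the optional path stops
# at whitespace or the '|' box-drawing used in the note. (Assumption of this example.)
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion(?:/[^\s|]*)?", re.IGNORECASE)
HEX_BYTE_RE = re.compile(r"\b[0-9A-Fa-f]{2}\b")

# Constructed excerpt of the note above; ID truncated to 8 bytes for brevity.
SAMPLE_NOTE = """All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
Note! This link is available via Tor Browser only.
or http://helpqvrg3cc5mvb3.onion/
Your ID
AD 41 C1 E9 73 A5 7D 4B
"""


def hash_bytes(data, algorithms=("md5", "sha1", "sha256", "sha512")):
    """Return {algorithm: hexdigest} for an in-memory buffer."""
    return {a: hashlib.new(a, data).hexdigest() for a in algorithms}


def hash_file(path, algorithms=("md5", "sha1", "sha256", "sha512"), chunk=1 << 20):
    """Stream a file once and return {algorithm: hexdigest} for every algorithm."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_ioc(digests, known=KNOWN_HASHES):
    """Compare computed digests with the published ones; {algorithm: matched?}.

    A genuine sample matches on every algorithm; a partial match means either a
    typo in the indicator list or a deliberate collision attempt and deserves a look.
    """
    return {a: digests.get(a, "").lower() == known[a].lower() for a in known}


def parse_ransom_note(text):
    """Extract onion URLs, per-victim ticket IDs (URL query) and the raw victim ID."""
    urls = []
    for m in ONION_RE.finditer(text):
        if m.group(0) not in urls:          # keep first-seen order, drop repeats
            urls.append(m.group(0))
    ticket_ids = sorted({urlparse(u).query for u in urls if urlparse(u).query})

    victim_id = b""
    marker = text.find("Your ID")           # assumption: ID follows this label
    if marker != -1:
        tail = text[marker + len("Your ID"):]
        victim_id = bytes(int(tok, 16) for tok in HEX_BYTE_RE.findall(tail))
    return {"onion_urls": urls, "ticket_ids": ticket_ids, "victim_id": victim_id}


if __name__ == "__main__":
    import sys
    print(parse_ransom_note(SAMPLE_NOTE))
    for p in sys.argv[1:]:                  # usage: python triage.py <file> ...
        print(p, match_ioc(hash_file(p)))
```

The victim ID is kept as bytes rather than as the spaced hex string so it can be compared byte-for-byte across notes found on different hosts; identical IDs on several machines usually mean one campaign key rather than several independent infections.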

Targets

    • Target

      2c72015e22b53c215403979536bce826.exe

    • Size

      454KB

    • MD5

      2c72015e22b53c215403979536bce826

    • SHA1

      39eb8e3c2cef23d1c7a3f5c3133f40ecc98c1cf1

    • SHA256

      36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd

    • SHA512

      0d2e590b0c32de661ab94c0f7a0eccbbc2bac637120b0148e04b05a826ca5858e6d147e0011bd5094f260e5ff0d3dafbf9bc2c4df099adc3ac5c98d50b6df4b1

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext
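The "Adds Run key to start application" behaviour above is the one a SOC can catch outside the sandbox, because it leaves a registry write (Sysmon Event ID 13, RegistryEvent value set) on an endpoint. The following Python detection, an added example that is not part of this report, flags Run/RunOnce value writes and then separates images living under trusted program directories from everything else, since installers such as OneDrive write the same key legitimately. The events are constructed in the Sysmon field layout (EventID, Image, TargetObject, Details); the value name, user SID and file path used for the sample are hypothetical and are not taken from the report, which does not publish them.

```python
"""Run-key persistence detection over Sysmon-style registry events (added example)."""
import re

# HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\<value>
# and the HKLM equivalent; the trailing component is the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)

# Image path prefixes that normally write Run keys during installs/updates.
# Allowlisting by prefix only is weak (anyone can drop a file there with admin);
# in production pair it with signer information from Event ID 1.
TRUSTED_IMAGE_PREFIXES = (
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "C:\\Windows\\",
)

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed
RUN = f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed events; value name and paths for the sample are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Users\\victim\\Downloads\\2c72015e22b53c215403979536bce826.exe",
     "TargetObject": RUN + "\\ExampleValue",
     "Details": "C:\\Users\\victim\\Downloads\\2c72015e22b53c215403979536bce826.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Program Files\\Microsoft OneDrive\\OneDriveSetup.exe",
     "TargetObject": RUN + "\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\read-me.txt"},
]


def is_run_key_write(event):
    """True for a registry value-set event whose target is a Run/RunOnce value."""
    if event.get("EventID") != 13:
        return False
    return bool(RUN_KEY_RE.search(event.get("TargetObject", "")))


def is_trusted_image(image):
    return image.lower().startswith(tuple(p.lower() for p in TRUSTED_IMAGE_PREFIXES))


def find_run_key_writes(events):
    """Return every Run-key write as (image, target, details)."""
    return [(e["Image"], e["TargetObject"], e.get("Details", ""))
            for e in events if is_run_key_write(e)]


def triage(events):
    """Split Run-key writes into 'suspicious' (untrusted image) and 'review' (trusted)."""
    out = {"suspicious": [], "review": []}
    for image, target, details in find_run_key_writes(events):
        bucket = "review" if is_trusted_image(image) else "suspicious"
        out[bucket].append({"image": image, "value": target.rsplit("\\", 1)[-1],
                            "details": details})
    return out


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_EVENTS).items():
        for h in hits:
            print(f"{bucket:10s} {h['image']} -> {h['value']} = {h['details']}")
```

A Run-key write whose Details points back at the writing image itself (the first event above) is the pattern this sample's signature describes: the dropped executable registers its own path for autostart. That self-reference is worth an extra condition in a production rule, as it is rare for legitimate installers.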

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1 signature)

  • Defense Evasion: Modify Registry, T1112 (1 signature)

Tasks