General

  • Target

    e3f6878bcafe2463f6028956f44a6e74

  • Size

    1.2MB

  • Sample

    211215-j15csahaa7

  • MD5

    e3f6878bcafe2463f6028956f44a6e74

  • SHA1

    99373d51d3975bbdea8664cdd8ab48240cfe3e44

  • SHA256

    37ff5b1492fe4e1083bdc87df3524d4ac7b5b604e71dfca3730a6527d3bb7d2a

  • SHA512

    2dca531b8f9dd52d1fa29c910bde579d397bae65355544d9c7eeeb88f533fcc0713fa298fc52a2e44c839a332f38f5a712bf8453bd46b84fd17ed648816431b7
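
The digests above are the indicators an incident responder actually uses, so here is an added example (not part of the report or of any sandbox tooling) that sweeps a directory for this sample: files whose size cannot match are skipped without being read, the rest are hashed once for all four algorithms and compared against the listed values. The report gives the size only as "1.2MB", so the size window is an assumption; pass size_range=None to disable it.

```python
import hashlib
from pathlib import Path

# Digests copied from the report above for the GlobeImposter sample.
REPORT_IOCS = {
    "md5": "e3f6878bcafe2463f6028956f44a6e74",
    "sha1": "99373d51d3975bbdea8664cdd8ab48240cfe3e44",
    "sha256": "37ff5b1492fe4e1083bdc87df3524d4ac7b5b604e71dfca3730a6527d3bb7d2a",
    "sha512": "2dca531b8f9dd52d1fa29c910bde579d397bae65355544d9c7eeeb88f533fcc0713fa298fc52a2e44c839a332f38f5a712bf8453bd46b84fd17ed648816431b7",
}
# The report gives the size only as "1.2MB"; the window below is an assumption
# used to skip files that cannot possibly be this sample before hashing them.
REPORT_SIZE_RANGE = (1_150_000, 1_250_000)


def digests(path, names=("md5", "sha1", "sha256", "sha512"), chunk=1 << 20):
    """Read the file once and return {algorithm: hexdigest} for every requested algorithm."""
    hs = {n: hashlib.new(n) for n in names}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {n: h.hexdigest() for n, h in hs.items()}


def matches(path, iocs=REPORT_IOCS):
    """Names of the algorithms whose digest of `path` equals the indicator; [] if none."""
    got = digests(path, names=tuple(iocs))
    return [n for n, want in iocs.items() if got[n] == want.lower()]


def scan(root, iocs=REPORT_IOCS, size_range=REPORT_SIZE_RANGE):
    """Walk `root` and return {path: [matching algorithms]} for files that match.

    Files outside size_range are skipped without being read; pass size_range=None
    when the indicator set covers files of unknown size.
    """
    hits = {}
    for p in Path(root).rglob("*"):
        try:
            if not p.is_file():
                continue
            if size_range is not None:
                lo, hi = size_range
                if not lo <= p.stat().st_size <= hi:
                    continue
            found = matches(p, iocs)
        except OSError:
            continue  # unreadable or locked file: keep sweeping instead of aborting
        if found:
            hits[str(p)] = found
    return hits


if __name__ == "__main__":
    import sys
    for path, algs in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{path}: matches report on {', '.join(algs)}")
```

A hit on any one algorithm is enough to confirm the file; a match on MD5 alone with a SHA256 mismatch would be worth a second look, since MD5 collisions are cheap to produce.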

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/
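
The two URLs above are what the sandbox pulled out of the dropped note. The following is an added example, not sandbox code, of doing that extraction yourself from a note recovered on a host: it finds .onion URLs, classifies each address as a legacy 16-character v2 or a 56-character v3 service, keeps the query token on the primary link, and looks for the value after "Your ID". The note text is a constructed copy of the one in the report, and the victim-ID token shape is an assumption (the report does not show one).

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the note the report shows at C:\read-me.txt, flattened to one
# line the way the report prints it. The victim ID after "Your ID" is absent in the report.
SAMPLE_NOTE = (
    "All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: "
    "| 1. Download Tor browser - https://www.torproject.org/ and install it. "
    "| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV "
    "| 3. Create Ticket Note! This link is available via Tor Browser only. "
    "or http://helpqvrg3cc5mvb3.onion/ Your ID"
)

# Onion host labels are base32 ([a-z2-7]): 16 chars for legacy v2, 56 for v3.
# The optional path/query ends at whitespace or at the '|' rules used in the note.
ONION_URL = re.compile(
    r"https?://(?:[a-z0-9-]+\.)*(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion(?:[/?#][^\s|]*)?",
    re.IGNORECASE,
)
# Format of the victim ID is not shown in the report; this token shape is an assumption.
VICTIM_ID = re.compile(r"Your ID\s*[:\-]?\s*([A-Za-z0-9+/=_-]{8,})")


def onion_version(host):
    """2 for a 16-char (v2) address, 3 for a 56-char (v3) address, None for anything else."""
    host = host.lower()
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")].split(".")[-1]
    return {16: 2, 56: 3}.get(len(label))


def extract_onion_urls(note):
    """Return one dict per .onion URL: full url, host, address version and raw query string."""
    found = []
    for m in ONION_URL.finditer(note):
        parts = urlsplit(m.group(0))
        found.append({
            "url": m.group(0),
            "host": parts.hostname,
            "version": onion_version(parts.hostname),
            "query": parts.query or None,  # e.g. the ?STAHYJUHGFV token on the primary link
        })
    return found


def victim_id(note):
    """The identifier following 'Your ID', or None when the note is truncated as in this report."""
    m = VICTIM_ID.search(note)
    return m.group(1) if m else None


def note_config(note):
    """Everything worth copying into an IOC list from one ransom note."""
    return {"urls": extract_onion_urls(note), "victim_id": victim_id(note)}


if __name__ == "__main__":
    for entry in note_config(SAMPLE_NOTE)["urls"]:
        print(f"v{entry['version']} {entry['host']} query={entry['query']}")
```

The fallback link is a 16-character v2 address; v2 onion services were retired by the Tor Project in 2021 and are not reachable from current Tor clients, so the v3 link is the one the operators actually rely on. Both still belong on a block list, and the query token on the v3 link is the part most likely to vary between campaigns.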

Targets

    • Target

      e3f6878bcafe2463f6028956f44a6e74

    • Size

      1.2MB

    • MD5

      e3f6878bcafe2463f6028956f44a6e74

    • SHA1

      99373d51d3975bbdea8664cdd8ab48240cfe3e44

    • SHA256

      37ff5b1492fe4e1083bdc87df3524d4ac7b5b604e71dfca3730a6527d3bb7d2a

    • SHA512

      2dca531b8f9dd52d1fa29c910bde579d397bae65355544d9c7eeeb88f533fcc0713fa298fc52a2e44c839a332f38f5a712bf8453bd46b84fd17ed648816431b7

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

      Persistence through a Registry Run key, mapped to T1060 in the ATT&CK matrix below.

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

      SetThreadContext redirects execution in another thread, a call commonly used for process hollowing and other injection techniques.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                            Count  ID
Persistence       Registry Run Keys / Startup Folder   1      T1060
Defense Evasion   Modify Registry                      1      T1112

Tasks