Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    168s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01/02/2022, 06:10

General

  • Target

    60b28ad78be40bbc9d08b91b21c5d4e07c6952f5be5e32eacee6d055e0279b12.exe

  • Size

    53KB

  • MD5

    a0e495354a1e55ace1c808bf7b9539a2

  • SHA1

    72bbef2b0f97567844c33ec22b1b3470057e2546

  • SHA256

    60b28ad78be40bbc9d08b91b21c5d4e07c6952f5be5e32eacee6d055e0279b12

  • SHA512

    d5beb7baaa34249c2f6b6ce87263b9008616241de05fac6626ca275488a3c0e239f9f1c74144d3199a9ade02a15bb9103ebbb3ba741ac1ad09177302b3fec308

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>������������12 53 B7 1A 58 53 DE 05 26 AC 33 22 BA 63 E5 33 58 74 9A 1A 80 A5 67 CE 52 B8 F8 BA 1D 27 D8 25 A9 57 7C 55 A6 ED 7A 20 F3 C9 A7 08 3C D0 76 98 C0 63 27 3E 38 18 61 55 F1 CE C9 37 DB CF 2F FB 66 69 2C 7A 8F A2 42 CA 5D 14 36 48 63 71 25 7B C4 46 AF BE A5 A8 11 18 BA 9C 02 87 EA 41 DE B9 84 14 11 A6 70 7B B2 37 8C 50 C7 DD AB 42 9F 5E B8 2E F0 F1 6B 06 59 AA 3C 36 E4 12 60 47 A9 D2 E8 25 D8 DA 8D 50 A4 13 E2 26 5B D1 A3 2F 3C 41 35 6C A1 1F 9B 15 23 22 5C 5B EE 66 70 A4 BA 2F B2 3C A2 E3 1C 13 FB F2 77 B4 7B 46 76 61 8A D1 6A 4A 67 2E E5 78 DC 02 F0 E8 F1 94 DD F1 79 0B 73 09 68 79 F7 C0 A8 FE 82 79 0E 8E 9C 7B 9A 60 6E 75 AF 4B F1 D4 98 4B 2A C6 3E 83 7B 09 81 C2 74 36 9B E3 5B D6 A8 71 FA 7C 33 9D 4A 96 E4 E3 E2 D7 2D 3F 1F CC BE E1 78 51 0D 54 3D 80 87 72 </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div class="bold"> <div align="left">Your important documents, databases, programs, saving games, documents, network folders are encrypted for your network security problems.</div> </div> <div class="bold">No data from your computer was not stolen or removed.</div> <div class="bold">To restore your files, follow the instructions.</div> <div> <h2 align="left">How to get the automatic decryptor:</h2> <div class="bold" align="left">1) Create a Wallet and buy Bitcoins </div> <div class="note xx"> <div align="left"> </div> <div align="left"> <strong>Create Bitcoin Wallet of these sites:</strong> </div> <li><strong>https://blockchain.info/wallet</strong></li> <div align="left"> <strong>Buy BTC on one of these sites:</strong> </div> <div align="left"> <ol> <li><strong>https://localbitcoins.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>https://www.bestchange.com</strong></li> </ol> </div> <div align="left"> </div> </div> </div> <div> </div> <div class="bold"><p>2) Contact us by email : <span class="mark">[email protected]</span>. and <span class="mark">[email protected]</span> In the letter include your personal ID (look at the beginning of this document)</p> </div> <div class="bold"> <p>3) After answering your inquiry, our operator will give you further instructions, which will be shown what to do next (the answer you get as soon as possible)</p> <div class="bold"> </div> <div><p>* To be sure in getting the decryption you can send 1-2 encrypted files to <span class="mark">[email protected]</span> In the letter include your personal ID (look at the beginning of this document).</p> </div> <div><p>** Write here on the mail for a faster response [email protected] <div class="note alert"> <div class="title">Attention!</div> <ul><li>Do not attempt to remove the program or run the anti-virus tools.</li> <li>Attempts to self-decrypting files will result in the loss of your data.</li> <li>Decoders are not compatible with other users of your data, because each user's unique encryption key.</li> <li>We are not liars or cheaters. You pay - we help.</li> </ul> </div> </body> </html>������
Emails

class="mark">[email protected]</span>

class="mark">[email protected]</span>

[email protected]

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Sets service image path in registry 2 TTPs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies data under HKEY_USERS 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60b28ad78be40bbc9d08b91b21c5d4e07c6952f5be5e32eacee6d055e0279b12.exe
    "C:\Users\Admin\AppData\Local\Temp\60b28ad78be40bbc9d08b91b21c5d4e07c6952f5be5e32eacee6d055e0279b12.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:1840
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 535aaa8aec15cd3756fd88d35652f9fc xorpv0a6MUWbGFSXMdI1yQ.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:2252

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads