Overview

overview

10

Static

static

fb636a09db...bc.exe

windows7_x64

10

fb636a09db...bc.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    11/02/2022, 06:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    fb636a09db563786131245c126902069a9d83f697908a4b78f52ccaf721ccbbc.exe

  • Size

    53KB

  • MD5

    2fad8cc7c9cb5fedc34797dfa0fcc495

  • SHA1

    6307bd1178e16d0392f590477f783e93a52a4e6d

  • SHA256

    fb636a09db563786131245c126902069a9d83f697908a4b78f52ccaf721ccbbc

  • SHA512

    7aa6edfa8787d98dea92fa1349e4eeeef4eb4fd288533c6a4b006e0be2dd8050c0d9d3107bab18ff27be5901d053142183cf05bfae1f024ed7867c9896f5f704

Score
10/10
globeimposterpersistenceransomware

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>���������������6F 06 C4 52 C2 FC 76 6F 31 75 DA FD A1 07 7E 23 A5 32 DD 97 68 8A 43 DC 14 0C 4D 3F 23 47 63 C2 8C 2B 6E 6E 14 45 F2 7A 00 DA 04 11 EF 43 1A 7C C4 FF C8 F1 A0 B1 A6 65 CA 15 EF 27 0F C9 EE 0C 42 58 63 F1 03 61 E1 46 24 29 76 B3 FE B2 DF 25 EF 56 11 5A 1D 35 1B 5B BD 3E FC 22 4E 5C EF A1 6A 6A A1 67 44 A0 E1 10 AD 5E AD C8 10 95 E0 5A A4 E4 22 2B 78 D4 A1 28 73 FD 74 26 E7 6A 5A F6 8F 5E 58 4A E0 EC EF 6A 09 6E 54 E7 9E FD 09 3A 7F DC 76 B1 AA 9E 01 6A BB 2C 84 9E 17 17 92 A2 25 12 92 DE 61 AC AD 78 F6 8E 78 46 37 28 B2 F4 48 55 65 B1 14 8A F5 7D C6 E4 4B BB BF 3C 34 8A 7A AA FE 14 C8 D1 86 5A D5 CC 40 7B C7 F0 C7 65 71 E6 6F 2C A7 41 FD 13 CE 08 05 57 7E 10 FD AD 28 9F D2 CE C8 69 E3 8A F7 9B FB 6E 06 23 16 A4 86 EE 59 65 CE 61 B8 EC 80 A7 D5 CC 96 8E 6A 80 </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your files are encrypted! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 test image or text file <span> [email protected]</span>.</br> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <center>Attention!</center></br> <ul> <li>Only [email protected] can decrypt your files</li> <li>Do not trust anyone [email protected]</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ��������������
Emails

[email protected]</span>.</br>

[email protected]

[email protected]</li>

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 24 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 19 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb636a09db563786131245c126902069a9d83f697908a4b78f52ccaf721ccbbc.exe
    "C:\Users\Admin\AppData\Local\Temp\fb636a09db563786131245c126902069a9d83f697908a4b78f52ccaf721ccbbc.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:3940
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:2140
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2768 -s 4476
      2⤵
      • Program crash
      PID:1820
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2768 -s 4476
      2⤵
      • Program crash
      PID:1816
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 428 -p 2768 -ip 2768
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:2200
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Modifies data under HKEY_USERS
    PID:1860

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads