Analysis

  • max time kernel
    161s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    11-02-2022 06:27

General

  • Target

    e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe

  • Size

    53KB

  • MD5

    d4bf96eb8a93925506d8f4dac73ecf62

  • SHA1

    a28000fefa83464b599905e3553a6e6a25034519

  • SHA256

    e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40

  • SHA512

    26149702e6450579187f1fb31cc340b3d82cb78ed0dc8ed278778f64662a3bcd0f98c5edcae99d869461d57340e84196907c5fddc04d9c4e571cd4dba7004dc3

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>[personal ID not recoverable from this extraction]</pre><!-- !!! dont changing this !!! 
--> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div class="bold"> <div align="left">Your important documents, databases, programs, saving games, documents, network folders are encrypted for your network security problems.</div> </div> <div class="bold">No data from your computer was not stolen or removed.</div> <div class="bold">To restore your files, follow the instructions.</div> <div> <h2 align="left">How to get the automatic decryptor:</h2> <div class="bold" align="left">1) Create a Wallet and buy Bitcoins </div> <div class="note xx"> <div align="left"> </div> <div align="left"> <strong>Create Bitcoin Wallet of these sites:</strong> </div> <li><strong>https://blockchain.info/wallet</strong></li> <div align="left"> <strong>Buy BTC on one of these sites:</strong> </div> <div align="left"> <ol> <li><strong>https://localbitcoins.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>https://www.bestchange.com</strong></li> </ol> </div> <div align="left"> </div> </div> </div> <div> </div> <div class="bold"><p>2) Contact us by email : <span class="mark">[email protected]</span>. 
and <span class="mark">[email protected]</span> In the letter include your personal ID (look at the beginning of this document)</p> </div> <div class="bold"> <p>3) After answering your inquiry, our operator will give you further instructions, which will be shown what to do next (the answer you get as soon as possible)</p> <div class="bold"> </div> <div><p>* To be sure in getting the decryption you can send 1-2 encrypted files to <span class="mark">[email protected]</span> In the letter include your personal ID (look at the beginning of this document).</p> </div> <div><p>** Write here on the mail for a faster response [email protected] <div class="note alert"> <div class="title">Attention!</div> <ul><li>Do not attempt to remove the program or run the anti-virus tools.</li> <li>Attempts to self-decrypting files will result in the loss of your data.</li> <li>Decoders are not compatible with other users of your data, because each user's unique encryption key.</li> <li>We are not liars or cheaters. You pay - we help.</li> </ul> </div> </body> </html>
Emails

[email protected]

[email protected]

[email protected]

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe
    "C:\Users\Admin\AppData\Local\Temp\e07901cf997d7ee67dee6184c00ab58c8aa04bfefb2cc15c17a78bdfc36bbd40.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:1648

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1648-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB