Analysis

  • max time kernel
    188s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11-02-2022 06:29

General

  • Target

    d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe

  • Size

    55KB

  • MD5

    23b44cb7a0d570fa54e4dcf7788a72bd

  • SHA1

    fb6a014753ab7315d17bbfcc724df65fdffd3b0f

  • SHA256

    d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519

  • SHA512

    535ec0818f0c43845cdf43f8d7c01267d918ce98d0677c625b4508b275a7ffcc13275cb1e8713a34aa14142c31e1a283df2ea62484573c8c120975f5e3204f0a

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <div></div><!-- !!! dont changing this !!! 
--> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab2" /> <label for="tab2">ENGLISH</label> <div id="tab-content2" class="content"> <h1>Hello.</h1> <hr/> <br/> <div class="text"> <!--text data --> Your files, documents, photo, databases and all the rest aren't <strong>REMOVED.</strong> </br> They are ciphered by the most reliable enciphering.</br> It is impossible to restore files without our help.</br> You will try to restore files independent you will lose files</br> <strong>FOREVER.</strong></br> ----------------------------------------------------------</br> You will be able to restore files so:</br> <ol> <li>to contact us by e-mail: [email protected] </br> * report your ID and we will switch off any removal of files </br> (if don't report your ID identifier, then each 24 hours will be</br> to be removed on 24 files. If report to ID-we will switch off it)</br></br> * you send your ID identifier and 2 files, up to 1 MB in size everyone.</br> We decipher them, as proof of a possibility of interpretation.</br> also you receive the instruction where and how many it is necessary to pay. </li> <li>you pay and confirm payment.</li> <li>after payment you receive the <strong>DECODER</strong> program. 
which you restore <strong>ALL YOUR FILES.</strong></li> </ol></br> ----------------------------------------------------------</br></br> You have 72 hours on payment.</br></br> If you don't manage to pay in 72 hours, then the price of interpretation increases twice.</br> The price increases twice each 72 hours.</br></br> To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours.</br> Address for detailed instructions e-mail: [email protected]</br></br> * If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour.</br> * If you try to decipher - you can <strong>FOREVER</strong> lose your files.</br> * Decoders of other users are incompatible with your data as at each user unique key of enciphering</br></br></br> ------------------ P.S. ---------------------------------</br> If it is impossible to communicate through mail</br> * Be registered on the website http://bitmsg.me (service online of sending Bitmessage)</br> * Write the letter to the address BM-2cX2Teys9abNFqaTUDvoCSHzDHNZLg7kkH with the indication of your mail and</br> the personal identifier and we will communicate.</br></br> If you have no bitcoins</br> * Create Bitcoin purse: https://blockchain.info</br> * Buy Bitcoin in the convenient way</br> https://www.buybitcoinworldwide.com/united-states/ (Visa/MasterCard)</br> https://en.wikipedia.org/wiki/Bitcoin (the instruction for beginners)</br></br></br> - It doesn't make sense to complain of us and to arrange a hysterics. </br> - Complaints having blocked e-mail, you deprive a possibility of the others, to decipher the computers.</br> Other people at whom computers are also ciphered you deprive of the <strong>ONLY</strong> hope to decipher. 
<strong>FOREVER.</strong></br> - Just contact with us, we will stipulate conditions of interpretation of files and available payment, </br> in a friendly situation.</br> ---------------------------------------------------------</br></br> <!--text data --> </div> </div> </div> </div> </body> </html>
Emails
URLs

http://bitmsg.me

https://www.buybitcoinworldwide.com/united-states/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 13 IoCs
  • Drops file in Windows directory 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe
    "C:\Users\Admin\AppData\Local\Temp\d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:4308
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4376
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1360

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4376-130-0x0000027741530000-0x0000027741540000-memory.dmp

    Filesize

    64KB

  • memory/4376-131-0x0000027741590000-0x00000277415A0000-memory.dmp

    Filesize

    64KB

  • memory/4376-132-0x0000027744290000-0x0000027744294000-memory.dmp

    Filesize

    16KB