Analysis
-
max time kernel
170s -
max time network
135s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11-02-2022 06:29
General
-
Target
d731b9c7568d50b705877846eea91e295ff2d8c221138cca12dc5130783a29ab.exe
-
Size
53KB
-
MD5
c3aa8463eb752430593ac2afb67afecd
-
SHA1
2bf66912f871e631631ea3491d6e57c596893643
-
SHA256
d731b9c7568d50b705877846eea91e295ff2d8c221138cca12dc5130783a29ab
-
SHA512
ad95687b882f55daad7742ce5ce4229f3ce9a9794f6c54cde6b5f781da5c1a85f88cb998afa6c3b72bb105051be8d3a2017a6a1785e5c7a7418eb2f8d36f1c4b
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css">
body {
background-color: #252525;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #1C1A1B;
}
.letter {
color: #FF0000;
font-weight: 600
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #1C1A1B;
color: #F1EADA;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #F1EADA;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #1C1A1B;
color: #F1EADA;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #1C1A1B;
color: #E29F12;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head"><h3>Your personal ID</h3></div>
<div class="identi">
<pre><span class="letter">
<pre>36 DA A6 99 E5 7E A6 EC 29 ED 45 4F 0B 02 60 56
3C A6 9D 5E 91 A1 3B C6 F0 D0 96 AD 67 1D 9D 08
9D D4 8B A0 E4 5F 2D 13 34 B2 8A C2 D3 EA E1 45
B3 39 43 65 D1 7E D6 63 1E 34 B3 12 C1 39 E0 38
EA 35 EB 57 CD ED 74 92 5A 65 54 C0 0F 5A 2E E0
F0 BD 44 1F E3 A8 DF C8 23 B0 65 EA B8 A8 29 51
81 4E F5 2C A4 A5 35 8F CC D3 76 C4 70 43 3F FC
CC 1D 7D 85 3D F8 74 9A 03 FD F5 A5 E9 19 83 7D
D3 79 3C 05 13 44 38 21 84 F4 31 A5 BA 09 5F 9B
21 53 41 1F 12 D2 3A 0D 1A A0 46 FB 95 F5 C9 0B
43 9E 55 34 5D A3 4B 7F B6 8D 57 00 56 A3 49 F1
BE 0C 26 31 0B B3 90 27 6A 8C 5E 03 70 07 99 9D
ED C7 9F 21 75 6C 46 A3 77 57 B5 F8 F4 A8 CE 52
13 A1 27 87 AB 0D 4B 19 E1 89 A2 F2 81 F2 F7 E4
9B 3E 13 B4 EB 2A 69 87 9A 85 5E 8C E8 4B B7 F8
41 29 09 5B B3 B7 28 2D 45 11 98 AA F5 A7 F4 2C
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<h3> To decrypt, follow the instructions below. </h3>
<br>
<div class="text">
<!--text data -->
To recover data you need decryptor.<br>
To get the decryptor you should:<br>
<p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br>
(Or alternate mail <span class="letter">[email protected]</span>)</p><p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file as proof and assign the price for decryption all files.<p></p>
After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br>
<p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center>
<hr color="#ffff66">
<center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors.
</b></p></center>
<hr color="#ffff66">
<ul>
<li>Only diesel_space proof can decrypt your files.</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data.</li>
<li>Decoders other users are not compatible with your data, because each users unique encryption key.
</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
������
Emails
[email protected]</span><br>
class="letter">[email protected]</span>)</p><p>
URLs
http-equiv="Content-Type"
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d731b9c7568d50b705877846eea91e295ff2d8c221138cca12dc5130783a29ab.exe"C:\Users\Admin\AppData\Local\Temp\d731b9c7568d50b705877846eea91e295ff2d8c221138cca12dc5130783a29ab.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB