Analysis

  • max time kernel
    159s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    11-02-2022 06:30

General

  • Target

    d656b632e882ccbfa7a788bc8ffe30fdfa41792381a3e0cca665502636996e9e.exe

  • Size

    54KB

  • MD5

    272f9be58344e72c2e6e3e2830330d43

  • SHA1

    57fea83db550e4597113df881e846537cda03586

  • SHA256

    d656b632e882ccbfa7a788bc8ffe30fdfa41792381a3e0cca665502636996e9e

  • SHA512

    1825b343d89e32c379eb7d8a470f5feccc25013fb146ccc998003bb98d111d5ac45b6e3ce2a310f62aa44abad3d03de0e04f27a13d1bb2623ac17d259bf6aeef

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
<style type="text/css">
body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; }
.bold { font-weight: bold; }
.xx { border: 1px dashed #000; background: #E3D5F1; }
.mark { background: #D0D0E8; padding: 2px 5px; }
.header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; }
.info { background: #D0D0E8; border-left: 10px solid #00008B; }
.alert { background: #FFE4E4; border-left: 10px solid #FF0000; }
.private { border: 1px dashed #000; background: #FFFFEF; }
.note { height: auto; padding-bottom: 1px; margin: 15px 0; }
.note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; }
.note .mark { background: #A2A2B5; }
.note ul { margin-top: 0; }
.note pre { margin-left: 15px; line-height: 13px; font-size: 13px; }
</style>
</head>
<body>
<div class="header">YOUR FILES ARE ENCRYPTED!!!</div>
<div class="note private">
<div class="title">Your personal ID</div>
<pre>0D BC 64 BD 85 93 08 68 1D 5D 8A A8 BC D9 EF 1D F4 F9 E8 44 B7 7F 4D 2D 61 B0 E7 E2 49 B7 29 5E 03 F2 59 07 11 DE 55 4F 79 CF CE 0D C0 5F 83 71 56 D4 26 05 35 86 CD 6A C6 99 0D 29 3E 4A D9 12 66 70 9C 39 66 1F F3 E0 25 CA 1C 0E D2 86 19 75 08 E8 26 FD 99 6F 9E 2D 62 42 33 A5 08 7C FA B2 16 4B 44 42 1F DD CE C1 D4 3E 8F D9 5E 3F 80 CD 2D F2 3C 50 BB 27 E9 04 A3 81 29 B2 73 85 24 A5 A1 F4 2B 5C F8 1E EA A2 85 4E 53 22 A6 8C 2D 06 59 DF 59 C1 1A 5A DA 30 E8 B5 D0 EB D6 65 8D 38 51 D1 23 39 DB 5E 98 16 11 08 16 30 43 C4 CE A3 03 C9 D1 3A 5A C4 A4 C2 75 F7 EA 29 EA 2F E2 1A 2C 5B C4 E5 AD A7 E4 71 CF A2 29 BD 07 26 29 46 F2 3B AA 26 46 1C 66 C9 0A 0F 40 BF FD 8C 7D C1 75 0E 9E 1C CB AA 63 4A 7E 3A A5 9C 99 D1 D0 C1 03 38 F9 F6 D8 F6 43 74 69 38 96 B9 44 FF 3E B8 </pre><!-- !!! Do not change the line !!! -->
</div>
<div class="bold">
<div class="bold">Your documents, photos, databases, and other important data has been encrypted...</div>
<div class="bold">Data recovery requires a decoder.</div>
<div>To restore information write to technical support by <span class="mark">[email protected]</span>, in case of no answer in 24, write to <span class="mark">[email protected]</span>. In a letter to indicate <span class="bold">YOUR PERSONAL IDENTIFIER ID! _____SAVE THIS (ID) SEVERAL COPIES, IF YOU LOSE THE KEY (ID) FILES WILL NEVER RETURN! KEEP THE KEY (SAVE ID) !!!</div>
<div class="note alert">
<div class="title">Attention!!!</div>
<ul>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders are not compatible with other users of your data, because each user's unique encryption key</li>
</ul>
</div>
</body>
</html>
Emails

  • [email protected]

  • [email protected]

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops desktop.ini file(s) (13 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d656b632e882ccbfa7a788bc8ffe30fdfa41792381a3e0cca665502636996e9e.exe
    "C:\Users\Admin\AppData\Local\Temp\d656b632e882ccbfa7a788bc8ffe30fdfa41792381a3e0cca665502636996e9e.exe"
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:1692
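
The two behavioural signatures on this process (a Run key pointing back at the sample, a burst of desktop.ini writes) plus the note drop are enough for a correlation rule. The script below is an added example, not part of the report or of any product: it runs such a rule over constructed Sysmon-style records. The sample name, PID 1692, the Run-key signature and the note path are from this page; the Run value name "WinUpdateSvc", the SID, the desktop.ini locations and the explorer.exe activity are invented so the rule has one true positive and one benign process to tell apart.

```python
import re

# Constructed Sysmon-style records (EventID 1 = process create, 13 = registry
# value set, 11 = file create). Sample name, PID 1692 and the note path come
# from the report; everything else below is made up for the example.
SAMPLE = "d656b632e882ccbfa7a788bc8ffe30fdfa41792381a3e0cca665502636996e9e.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
RUN_HIVE = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
            r"\Software\Microsoft\Windows\CurrentVersion\Run")
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 1692, "Image": SAMPLE_PATH, "CommandLine": f'"{SAMPLE_PATH}"'},
    {"EventID": 13, "ProcessId": 1692, "Image": SAMPLE_PATH,
     "TargetObject": RUN_HIVE + r"\WinUpdateSvc", "Details": SAMPLE_PATH},
    {"EventID": 11, "ProcessId": 1692, "Image": SAMPLE_PATH, "TargetFilename": r"C:\how_to_back_files.html"},
    {"EventID": 11, "ProcessId": 1692, "Image": SAMPLE_PATH, "TargetFilename": r"C:\Users\Admin\Documents\desktop.ini"},
    {"EventID": 11, "ProcessId": 1692, "Image": SAMPLE_PATH, "TargetFilename": r"C:\Users\Admin\Pictures\desktop.ini"},
    {"EventID": 11, "ProcessId": 1692, "Image": SAMPLE_PATH, "TargetFilename": r"C:\Users\Admin\Music\desktop.ini"},
    # Benign control: Explorer registering an autostart and writing one desktop.ini.
    {"EventID": 13, "ProcessId": 840, "Image": EXPLORER, "TargetObject": RUN_HIVE + r"\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 11, "ProcessId": 840, "Image": EXPLORER, "TargetFilename": r"C:\Users\Admin\Videos\desktop.ini"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
USER_WRITABLE_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe", re.I)
RANSOM_NOTE_NAMES = {"how_to_back_files.html"}   # the name this report gives; extend per family
DESKTOP_INI_MIN_DIRS = 3   # Explorer writes single desktop.ini files routinely; a spray across folders is the signal


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def score_process(events, pid):
    """Return the behaviours observed for one PID, in event order."""
    hits, ini_dirs = [], set()
    for e in events:
        if e["ProcessId"] != pid:
            continue
        if (e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"])
                and USER_WRITABLE_EXE.search(e.get("Details", ""))):
            hits.append("run_key_points_to_temp_exe")
        elif e["EventID"] == 11:
            name = basename(e["TargetFilename"])
            if name in RANSOM_NOTE_NAMES:
                hits.append("ransom_note_dropped")
            elif name == "desktop.ini":
                ini_dirs.add(dirname(e["TargetFilename"]))
    if len(ini_dirs) >= DESKTOP_INI_MIN_DIRS:
        hits.append(f"desktop_ini_in_{len(ini_dirs)}_dirs")
    return hits


def find_suspects(events, min_hits=2):
    """PIDs showing at least min_hits behaviours. Requiring two keeps a lone
    Run-key write or a lone desktop.ini burst from paging anyone."""
    suspects = {}
    for pid in sorted({e["ProcessId"] for e in events}):
        hits = score_process(events, pid)
        if len(hits) >= min_hits:
            suspects[pid] = hits
    return suspects
```

On the constructed records only PID 1692 is returned: explorer.exe also writes a Run value, but it points at a binary outside the user's Temp folder and it touches desktop.ini in a single directory. In production key the correlation on Sysmon's ProcessGuid rather than the PID (PIDs recycle), and treat desktop.ini on its own as the weakest of the three signals.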

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1692-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

    Filesize

    8KB