Analysis

  • max time kernel
    162s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11-02-2022 06:30

General

  • Target

    d656b632e882ccbfa7a788bc8ffe30fdfa41792381a3e0cca665502636996e9e.exe

  • Size

    54KB

  • MD5

    272f9be58344e72c2e6e3e2830330d43

  • SHA1

    57fea83db550e4597113df881e846537cda03586

  • SHA256

    d656b632e882ccbfa7a788bc8ffe30fdfa41792381a3e0cca665502636996e9e

  • SHA512

    1825b343d89e32c379eb7d8a470f5feccc25013fb146ccc998003bb98d111d5ac45b6e3ce2a310f62aa44abad3d03de0e04f27a13d1bb2623ac17d259bf6aeef

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
<style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style>
</head>
<body>
<div class="header">YOUR FILES ARE ENCRYPTED!!!</div>
<div class="note private">
<div class="title">Your personal ID</div>
<pre>…</pre><!-- !!! Do not change this line !!! (original comment: "CTpoкy He MeHяTb", Russian for "do not change the line", typed with mixed Latin and Cyrillic letters) -->
</div>
<div class="bold">
<div class="bold">Your documents, photos, databases, and other important data has been encrypted...</div>
<div class="bold">Data recovery requires a decoder.</div>
<div>To restore information write to technical support by <span class="mark">[email protected]</span>, in case of no answer in 24, write to <span class="mark">[email protected]</span>. In a letter to indicate <span class="bold">YOUR PERSONAL IDENTIFIER ID! _____SAVE THIS (ID) SEVERAL COPIES, IF YOU LOSE THE KEY (ID) FILES WILL NEVER RETURN!
KEEP THE KEY (SAVE ID) !!!</div>
<div class="note alert">
<div class="title">Attention!!!</div>
<ul>
<li>Do not attempt to remove the program or run the anti-virus tools</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders are not compatible with other users of your data, because each user's unique encryption key</li>
</ul>
</div>
</body>
</html>
Emails

[email protected]

[email protected]
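Offline triage helpers for the artifacts above, added here as an example; this is not code from the sandbox or from the malware. It verifies a file image against the hashes listed in the General section, recognises the extracted ransom-note path, and pulls the title, victim ID and contact addresses out of a note with the same element layout as the one shown. The note embedded in the block is a constructed stand-in: the ID is a placeholder and the two addresses use the reserved example.invalid domain, because the report redacts the real ones.

```python
# Added example (not part of the sandbox report or the malware): offline triage helpers
# for this sample. The ransom note below is a constructed stand-in with the same layout
# as the page's note; the contact addresses are placeholders (example.invalid) because
# the report redacts the real ones.
import hashlib
import html
import re

# Hashes exactly as listed in the General section of the report.
REPORTED_HASHES = {
    "md5": "272f9be58344e72c2e6e3e2830330d43",
    "sha1": "57fea83db550e4597113df881e846537cda03586",
    "sha256": "d656b632e882ccbfa7a788bc8ffe30fdfa41792381a3e0cca665502636996e9e",
    "sha512": "1825b343d89e32c379eb7d8a470f5feccc25013fb146ccc998003bb98d111d5ac45b6e3ce2a310f62aa44abad3d03de0e04f27a13d1bb2623ac17d259bf6aeef",
}

RANSOM_NOTE_NAME = "how_to_back_files.html"  # extracted config path: C:\how_to_back_files.html

# Constructed note: same element layout as the page's note, placeholder ID and addresses.
CONSTRUCTED_NOTE = """<html><head><meta charset="utf-8"><title>HOW TO DECRYPT YOUR FILES</title></head>
<body><div class="header">YOUR FILES ARE ENCRYPTED!!!</div>
<div class="note private"><div class="title">Your personal ID</div>
<pre>PLACEHOLDER-ID-0000</pre><!-- comment kept out of the extracted fields --></div>
<div>To restore information write to technical support by
<span class="mark">support@example.invalid</span>, in case of no answer in 24,
write to <span class="mark">support2@example.invalid</span>.</div>
</body></html>"""


def hash_bytes(data: bytes) -> dict:
    """Digest a file image with the four algorithms the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def compare_to_report(data: bytes, reported: dict = REPORTED_HASHES) -> dict:
    """Per-algorithm match map; any False means this is not the reported sample."""
    computed = hash_bytes(data)
    return {algo: computed[algo] == value.lower() for algo, value in reported.items()}


def is_ransom_note_path(path: str) -> bool:
    """True if the last path component is the extracted ransom-note filename (case-insensitive)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == RANSOM_NOTE_NAME


_TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
_ID = re.compile(r'<div class="title">Your personal ID</div>\s*<pre>(.*?)</pre>', re.I | re.S)
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def parse_ransom_note(note_html: str) -> dict:
    """Extract the fields an analyst wants from a GlobeImposter-style note: title, victim ID, contacts."""
    no_comments = re.sub(r"<!--.*?-->", " ", note_html, flags=re.S)   # drop HTML comments first
    text = html.unescape(re.sub(r"<[^>]+>", " ", no_comments))       # then strip tags
    title = _TITLE.search(note_html)
    victim_id = _ID.search(note_html)
    emails = list(dict.fromkeys(_EMAIL.findall(text)))               # dedupe, keep order of appearance
    return {
        "title": html.unescape(title.group(1)).strip() if title else None,
        "personal_id": victim_id.group(1).strip() if victim_id else None,
        "emails": emails,
    }


if __name__ == "__main__":
    print(parse_ransom_note(CONSTRUCTED_NOTE))
    print(compare_to_report(b"not the sample"))
```

Run it against a real note by reading `C:\how_to_back_files.html` from the infected host into `parse_ransom_note`; the victim ID it returns is the value the attackers key the decryptor to, so record it with the case rather than only the hashes.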

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops desktop.ini file(s) (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d656b632e882ccbfa7a788bc8ffe30fdfa41792381a3e0cca665502636996e9e.exe
    "C:\Users\Admin\AppData\Local\Temp\d656b632e882ccbfa7a788bc8ffe30fdfa41792381a3e0cca665502636996e9e.exe"
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID: 3584

Network

MITRE ATT&CK Enterprise v6
