Analysis
-
max time kernel
183s -
max time network
200s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
11-02-2022 06:39
General
-
Target
a647a99d0980da409a439c9695cf17b75b18b13679e00cb015d552d998cbc891.exe
-
Size
53KB
-
MD5
abeb80f78b13f072b5da2321ef7c2772
-
SHA1
e38725e02e163342cd5612f1eeab2c9782f4650e
-
SHA256
a647a99d0980da409a439c9695cf17b75b18b13679e00cb015d552d998cbc891
-
SHA512
639571e3c81154289ae5f25ed078ad4240af5f3cb23032e45a0ae64bfef9ee0925f9c19a2f276094a25fa46d138f80fdbe1ced950882f9466cc76543e0a8af3d
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������42 0A 75 A3 91 F0 B0 DA F7 EE 68 64 C7 BE 59 F1
0C 2E 08 81 19 5D 88 67 26 F6 FD C4 ED 7C 1A 0E
59 F0 D3 FA 2C DE F1 CA F0 1C FB 75 2D 38 B4 22
1E 8F AE 6E 08 F0 6B 6A 0B 97 0E 21 2A C3 44 CF
7A F1 46 38 73 DB 40 2E 2D 80 59 A9 A9 62 D0 A8
0C 47 1D 0F 1E E6 13 11 3A 5B FC 2E 74 E1 FA A6
9A C0 3F BA 58 44 45 F2 F8 14 7F E0 50 35 22 45
0B D0 3B 59 D1 18 5E 97 9A 54 95 9D 59 D7 9E 8E
CD 01 93 CD 0A 5A E9 C0 86 C1 9B D0 55 B0 74 DD
48 E8 08 63 16 D3 4F 47 9B B6 5F 46 76 0D 50 7F
C5 68 D3 85 8A 8F 3E A9 C3 D6 01 A7 82 A2 EF EB
FA B8 4B EC 1A C8 18 CD CA 0B 9D 24 AB 7C 7F 37
AA E0 EE 1E 44 2C BD 7F 1B 6B 25 0A ED FA F7 B8
B0 EB 57 DF C1 2F F0 B2 F0 C3 92 E0 9B CF 0C E5
C9 A0 48 A6 07 C6 EF 82 5F EA 53 E3 11 0F 33 45
EA 65 7B AF C4 C7 66 2F 6F 35 6B 32 64 CA 66 8E
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected]">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
href="[email protected]">[email protected]</a>
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 17 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a647a99d0980da409a439c9695cf17b75b18b13679e00cb015d552d998cbc891.exe"C:\Users\Admin\AppData\Local\Temp\a647a99d0980da409a439c9695cf17b75b18b13679e00cb015d552d998cbc891.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Modifies data under HKEY_USERS