General

  • Target: 966020215880b1f217f6c77e580a17a10e6dd9eea2e274e10d6cfd63f5b10770

  • Size: 50KB

  • Sample: 220211-hfyttsdehr

  • MD5: 29286c24f6824f8b3720bae75bc3576b

  • SHA1: 0a22b826ab4212001820d2acf1156dab927ae87d

  • SHA256: 966020215880b1f217f6c77e580a17a10e6dd9eea2e274e10d6cfd63f5b10770

  • SHA512: 6e63e72c83642319d0ff39ce2dbc671a1e8d7d0010cf52ac0edf81e5efc784f723b00ea21e7a02587ac8e27d304225f2b1712feb8e0f5f4313f4e8a3f594b4dc

Malware Config

Extracted

Path

C:\instructions.txt

Ransom Note
YOUR FILES ARE ENCRYPTED! Your personal [...] your documents, photos, databases and other important data was encrypted. To recovery files need decryptor. To get the decryptor, you need pay its cost in bitcoins. Contact us via email: [email protected] In response to the letter You will receive payment instructions from the decryptor. After receiving the money, we will send you decryptor and help you fix vulnerabilities in your server. In addition, we can decrypt one file free as evidence of the work of the decryptor. Attention! * Do not attempt to remove a program or run the anti-virus tools * Attempts to decrypt the files will lead to loss of Your data

Targets

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks