Analysis
-
max time kernel
168s -
max time network
143s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11-02-2022 06:48
General
-
Target
711d0c7824828dc737a33233234b5b0d124450a6c55128ec18ca7cec64d883c0.exe
-
Size
52KB
-
MD5
7193e3460be793d59cfba98af8c79183
-
SHA1
887b537e30437f19d800460a94b8beaaad8b66a5
-
SHA256
711d0c7824828dc737a33233234b5b0d124450a6c55128ec18ca7cec64d883c0
-
SHA512
77912f44ba49d1b9ecf33f04d05390510d29b13b5a832855165271ddf7039cb2fdabdb98e15f87eeccb4d67fef6d0470714fa4a235e310bf732d5872c0ca262a
Score
10/10
Malware Config
Extracted
Path
C:\How_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������75 FC 92 71 8C 0C 5A B6 0B 9C C4 99 E7 E8 A7 B1
42 A5 C0 8C C4 4C 7D 6F 65 BF 2C 14 79 76 F1 3A
CA 1F FC AD B6 E0 59 FD 78 64 D3 D0 6D 3B 24 85
D2 8B 10 71 53 9A 05 69 8E B6 00 DA D1 F3 81 75
F1 1C 14 AA 4F D5 DC 8D 59 08 8F 76 82 9C F7 65
5D 0F A4 C3 EB 44 C9 70 52 3B 80 D9 50 ED 1B D4
AA 3A 42 D3 27 F9 62 D3 93 08 9D 69 24 92 D7 33
DD B8 2F 03 E9 64 06 3A 25 77 35 DD 9E 1C CD BA
51 EB 97 85 B0 B1 B4 9B 20 6E C6 36 D4 3B 00 98
1E EB 7E EC 0A 8B 16 1E 36 33 20 2B 2D 13 BC 96
C1 9F 89 13 C2 12 70 79 3A 71 3B C1 0B 14 CC 77
79 0D 6D A0 87 F3 C1 EE 47 F2 9F EA 73 FA 13 A2
2D 3C 03 68 72 58 38 B2 4F 55 AA 89 FA C9 00 5B
AB 85 F4 4E 45 1A 90 F6 87 64 F9 4A 06 9A B1 A6
34 35 B8 31 D0 1E 5E 82 6D 8D E1 14 0E D3 9B 56
CB 9A F5 9D 36 6E 06 98 60 31 EC B8 6E 6A 7D 5B
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your files are encrypted! ☠</h1>
<hr/>
<h3>To recover data you need decryptor..</h3>
<br/>
<div class="text">
<!--text data -->
To receive the decryption, you need to contact us by e-mail: </br>
<span>[email protected]</span> </br>
or </br>
<span>[email protected]</span> </br>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�����������
Emails
<span>[email protected]</span>
<span>[email protected]</span>
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\711d0c7824828dc737a33233234b5b0d124450a6c55128ec18ca7cec64d883c0.exe"C:\Users\Admin\AppData\Local\Temp\711d0c7824828dc737a33233234b5b0d124450a6c55128ec18ca7cec64d883c0.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB