Analysis

  • max time kernel
    164s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    11-02-2022 06:48

General

  • Target

    70d29f6fc320559deb47a7debb9c046dcc4c48e6e6e36bc9f7adc616fa7105ef.exe

  • Size

    55KB

  • MD5

    57e0e19cfa2a57cb098965e8d2d50b78

  • SHA1

    1b0907887b46a910612ec738108f635a7c8812aa

  • SHA256

    70d29f6fc320559deb47a7debb9c046dcc4c48e6e6e36bc9f7adc616fa7105ef

  • SHA512

    e660613643fef2a57d4a8e3a4316b7b6c198e8d06d7faa8f6cb010c2c016c114b271f39ec293a39ff27eab3f4c973fd48e77e6a9e1df757ff85666b477b0eca0

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre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pre><!-- !!! dont changing this !!! 
--> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div class="bold"> <div align="left">Your important documents, databases, programs, saving games, documents, network folders are encrypted for your network security problems.</div> </div> <div class="bold">No data from your computer was not stolen or removed.</div> <div class="bold">To restore your files, follow the instructions.</div> <div> <h2 align="left">How to get the automatic decryptor:</h2> <div class="bold" align="left">1) Create a Wallet and buy Bitcoins </div> <div class="note xx"> <div align="left"> </div> <div align="left"> <strong>Create Bitcoin Wallet of these sites:</strong> </div> <li><strong>https://blockchain.info/wallet</strong></li> <div align="left"> <strong>Buy BTC on one of these sites:</strong> </div> <div align="left"> <ol> <li><strong>https://localbitcoins.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>https://www.bestchange.com</strong></li> </ol> </div> <div align="left"> </div> </div> </div> <div> </div> <div class="bold"><p>2) Contact us by email : <span class="mark">[email protected]</span>. 
and <span class="mark">[email protected]</span> In the letter include your personal ID (look at the beginning of this document) and ip-address of the computer on which the files are located.</p> </div> <div class="bold"> <p>3) After answering your inquiry, our operator will give you further instructions, which will be shown what to do next (the answer you get as soon as possible)</p> <div class="bold"> </div> <div><p>* To be sure in getting the decryption you can send 1-2 encrypted files to <span class="mark">[email protected]</span> In the letter include your personal ID (look at the beginning of this document).</p> </div> <div><p>** Write here on the mail for a faster response [email protected] <div class="note alert"> <div class="title">Attention!</div> <ul><li>Do not attempt to remove the program or run the anti-virus tools.</li> <li>Attempts to self-decrypting files will result in the loss of your data.</li> <li>Decoders are not compatible with other users of your data, because each user's unique encryption key.</li> <li>We are not liars or cheaters. You pay - we help.</li> </ul> </div> </body> </html>
Emails

[email protected]

[email protected]

[email protected]

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Modifies extensions of user files (3 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops desktop.ini file(s) (26 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\70d29f6fc320559deb47a7debb9c046dcc4c48e6e6e36bc9f7adc616fa7105ef.exe
    "C:\Users\Admin\AppData\Local\Temp\70d29f6fc320559deb47a7debb9c046dcc4c48e6e6e36bc9f7adc616fa7105ef.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    PID:1528

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1528-55-0x0000000076371000-0x0000000076373000-memory.dmp

    Filesize

    8KB