Overview

overview

10

Static

static

767d78b37c...37.exe

windows7_x64

10

767d78b37c...37.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    159s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    11-02-2022 06:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    767d78b37cf4e079adb1f52d86846d77af853bbf0489b43df9b73d0e3dce5337.exe

  • Size

    53KB

  • MD5

    35143587f761112c666f579ee0d8c025

  • SHA1

    b0453a61945fafda4b7d538d17d7dec3495f2bba

  • SHA256

    767d78b37cf4e079adb1f52d86846d77af853bbf0489b43df9b73d0e3dce5337

  • SHA512

    6ccaf52a2f82bfd08926349e59c84973037eff9a5ace4cb84c359193687f16251317f602ef844ada680ab6935d2b712b877f3f8c2f4ea7276347db08f24c9806

Score
10/10
globeimposterpersistenceransomware

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <style type="text/css"> body { background-color: #252525; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; color: #FF0000; background: #1C1A1B; } .letter { color: #FF0000; font-weight: 600 } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #1C1A1B; color: #F1EADA; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #F1EADA; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #1C1A1B; color: #F1EADA; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #1C1A1B; color: #E29F12; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head"><h3>Your personal ID</h3></div> <div class="identi"> <pre><span class="letter"> <pre>3C A1 25 0E 9F EE B9 EA C2 52 13 03 BF C7 54 39 9F B2 65 93 88 8A FB 82 63 4B FC 4D 0E C4 E4 8D F3 4A E0 96 20 B8 18 A9 59 31 81 7F B3 76 09 B9 87 25 5E EA E6 0F 08 3F 46 E4 C0 9C 3F E7 50 D3 DE F7 6F F5 FC 11 FA BD 01 3F B8 0E 32 54 0F BB C4 DB AC 58 AE 98 DD 42 31 94 FF 80 17 33 BA A8 F3 BA 9F F2 B2 0B A5 24 55 61 9A 1A 1F 90 13 19 A4 68 08 8D 06 58 61 2C D1 87 90 15 F6 07 BE 19 D8 45 29 44 C9 97 6E 02 2A 07 B6 BF 1E A1 87 3F 0F 0B 4A C2 2E 9D 20 88 63 AF 99 42 76 11 31 AE 50 56 6C F9 DF 4A 78 2D 45 79 20 77 9A 87 28 68 2A 19 C9 A6 F3 D7 CA 4E 88 5E 70 02 24 CA 5B 4A DB 94 25 66 D2 27 58 15 1F 01 AF 9F 3E 5F 83 C6 4E 75 65 D0 85 7A 70 8D 6C 00 CE 6F 09 7A 3F 09 C1 76 ED AE 96 4B 2E 5A F4 F7 A5 99 5F 31 00 63 19 0A 53 C2 1A 67 5A BD 15 21 83 1A 28 DA 64 C9 </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760 Your files are encrypted! &#9760</h1> <h3> To decrypt, follow the instructions below. </h3> <br> <div class="text"> <!--text data --> To recover data you need decryptor.<br> To get the decryptor you should:<br> <p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span><br> (Or alternate mail <span class="letter">[email protected]</span>)</p><p> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file as proof and assign the price for decryption all files.<p></p> After payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder..<br> <p> <center><b><p style="color: #ffff66;">MOST IMPORTANT!!!</p></center> <hr color="#ffff66"> <center><p style="color: #ffff66;"> We are ready to work through intermediaries and guarantors. </b></p></center> <hr color="#ffff66"> <ul> <li>Only skunk_girl with proof can decrypt your files.</li> <li>Antivirus programs can delete this document and you can not contact us later.</li> <li>Attempts to self-decrypting files will result in the loss of your data.</li> <li>Decoders other users are not compatible with your data, because each users unique encryption key. </li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> �������
Emails

[email protected]</span><br>

class="letter">[email protected]</span>)</p><p>
URLs

http-equiv="Content-Type"

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 16 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 49 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\767d78b37cf4e079adb1f52d86846d77af853bbf0489b43df9b73d0e3dce5337.exe
    "C:\Users\Admin\AppData\Local\Temp\767d78b37cf4e079adb1f52d86846d77af853bbf0489b43df9b73d0e3dce5337.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:2528
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3840
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:776
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
      PID:1260
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3264
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3264 -s 4420
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        PID:3128
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 408 -p 3264 -ip 3264
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:3192

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads