Analysis

  • max time kernel
    154s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    11-02-2022 06:47

General

  • Target

    765986adf512bc085a16fc6043e2867b591e4ff177cb814e658e4041a57eeb6a.exe

  • Size

    51KB

  • MD5

    2692c25d30fcf69479ec57f07c34dfc4

  • SHA1

    ffe82e80f65d548195afb67da3d4c592d96ca3c2

  • SHA256

    765986adf512bc085a16fc6043e2867b591e4ff177cb814e658e4041a57eeb6a

  • SHA512

    4e000993d203372fee742bec8b1b5ec938e0b0d5e9b5cad4590ef0df215f465696c64d58cfabd914f91e92f81bdb37fae092758dd0e90204b67f4b66e88d6b1c

Malware Config

Extracted

Path

C:\Read this message.txt

Ransom Note

*** IF YOU WANT TO GET ALL YOUR FILES BACK, FOLLOW THE INSTRUCTIONS ***
No files have been deleted or copied from your computer.
All your files have been encrypted with a complex algorithm.
All your files have been encrypted due to a security problem with your PC.
Your personal key :
---BEGIN PERSONAL KEY---
A4 19 6B 23 72 6F AF E4 4F 83 22 7D 6D 9B 06 F2 AF A6 68 0C CD C6 20 4A 6D A0 62 C8 94 CD F0 E6 09 4E 19 6D EF B5 D4 D5 07 99 7D B5 BC D6 4D E9 BB 67 43 99 CD C2 B7 D6 12 2D 70 1A B2 E7 A2 C3 77 73 58 CC AC 78 EA F9 33 F1 75 B8 5C 2C E2 73 7A 28 A9 C5 16 20 14 61 0B 7A D6 F2 24 10 71 1D A7 82 2C 24 4C CB 9D 61 AF 40 0C 09 E9 2A 1A 82 60 E8 ED AC 2B 95 66 A5 B5 FF 65 EE 14 AD 51 D9 46 ED A6 8A 49 0F 41 91 84 1B 90 18 E4 E8 A3 A4 6C 1A 06 54 48 94 69 5B B4 EF 19 72 43 38 8C C0 C7 0A 0A 73 55 D0 FE D9 F5 8A 54 F1 10 15 BD 5D 47 7F BC D0 4A 1B 5D FF 57 04 56 DE 00 D2 3B BF C7 C3 1F 89 5F 9F 7D 1C 5A 03 38 FE 57 19 CF A7 F1 89 11 27 50 94 51 9D 89 82 CC FB 97 AB 0D 79 30 DD BC 03 73 27 FA 73 08 80 F8 73 69 BE 08 A6 F1 D1 98 F2 F6 71 ED 08 3C A2 97 DD 8A 24 45 04
---END PERSONAL KEY---
What to do next to restore all your files? follow the instructions below.
1. Calm down. Pull yourself together. Everything will be fine. Follow the instructions.
2. Send to the mail [email protected] And [email protected] Your personal key. It's also worth to send your internal IP address (you can find it using the service whatismyipaddress.com).
3. Wait for the answer of our operator (response time 3-6 hours). Next, you will receive further instructions for file recovery.
- Free decryption of files as a guarantee!
- Send us 3-5 encrypted files.
- The total size of files must be less than 5 Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
*** If you do not receive a reply within 6 hours, create an account on Gmail.com and try again. or just check your email spam.
Attention !!!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 27 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\765986adf512bc085a16fc6043e2867b591e4ff177cb814e658e4041a57eeb6a.exe
    "C:\Users\Admin\AppData\Local\Temp\765986adf512bc085a16fc6043e2867b591e4ff177cb814e658e4041a57eeb6a.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:1340
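The Signatures and Processes sections above summarise what the sandbox saw, but an analyst usually has to derive those verdicts from raw file-system and registry events. The script below is an added example, not part of the sandbox report or of any tooling it describes: it runs over a constructed event list modelled on the behaviours listed above (mass extension change on user files, the ransom note dropped at C:\Read this message.txt, desktop.ini drops, a Run key pointing back at the sample in %TEMP%) and maps them to the same signature names. The event format, the ".locked" extension, the Run-key hive and path, and the rename threshold are assumptions for illustration; only the ransom-note path and the sample path come from the report.

```python
"""Added example (not part of the sandbox report): offline triage of a
constructed event list for the behaviours listed under Signatures.

Assumptions: the Event format, the ".locked" extension, the Run-key
hive/path and MIN_RENAMES are illustrative; the ransom-note name and the
sample path are taken from the report.
"""
from collections import Counter
from dataclasses import dataclass

RANSOM_NOTE_NAME = "read this message.txt"        # report: C:\Read this message.txt
USER_ROOT = "c:\\users\\"                          # user-profile area to watch
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"  # assumed hive/path
MIN_RENAMES = 5                                    # assumed threshold for "mass" renames


@dataclass
class Event:
    kind: str          # "rename", "create" or "regset"
    src: str           # path (or registry value path for regset)
    dst: str = ""      # new path for rename, value data for regset


def appended_extension(src: str, dst: str):
    """Return the extension a rename appended (e.g. ".locked"), else None.

    Ransomware typically keeps the original name and appends a marker, so
    "a.docx" -> "a.docx.locked" counts, while "a.docx" -> "a_v2.docx" does not.
    """
    s, d = src.lower(), dst.lower()
    if d.startswith(s) and d[len(s):].startswith("."):
        return d[len(s):]
    return None


def triage(events):
    """Map the report's signature names to what the raw events support."""
    exts = Counter()
    notes, run_values = [], []
    desktop_ini = 0
    for e in events:
        if e.kind == "rename" and e.src.lower().startswith(USER_ROOT):
            ext = appended_extension(e.src, e.dst)
            if ext:
                exts[ext] += 1
        elif e.kind == "create":
            name = e.src.rsplit("\\", 1)[-1].lower()
            if name == RANSOM_NOTE_NAME:
                notes.append(e.src)
            elif name == "desktop.ini":
                desktop_ini += 1
        elif e.kind == "regset" and e.src.lower().startswith(RUN_KEY):
            run_values.append(e.dst)
    top_ext, top_count = (exts.most_common(1) or [(None, 0)])[0]
    mass = top_count >= MIN_RENAMES
    return {
        "mass_extension_change": mass,
        "extension": top_ext if mass else None,
        "ransom_notes": notes,
        "desktop_ini_drops": desktop_ini,
        "run_key_persistence": bool(run_values),
        "run_values": run_values,
    }


SAMPLE = "765986adf512bc085a16fc6043e2867b591e4ff177cb814e658e4041a57eeb6a.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# Constructed events modelled on the report's behaviours (not sandbox output).
SAMPLE_EVENTS = [
    Event("rename", f"C:\\Users\\Admin\\Documents\\file{i}.docx",
          f"C:\\Users\\Admin\\Documents\\file{i}.docx.locked")
    for i in range(6)
] + [
    Event("rename", "C:\\Users\\Admin\\Documents\\report.docx",
          "C:\\Users\\Admin\\Documents\\report_v2.docx"),   # ordinary rename, not encryption
    Event("create", "C:\\Read this message.txt"),
    Event("create", "C:\\Users\\Admin\\Documents\\desktop.ini"),
    Event("create", "C:\\Users\\Admin\\Pictures\\desktop.ini"),
    Event("create", "C:\\Program Files\\Common Files\\desktop.ini"),
    Event("regset", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
          + SAMPLE[:8], TEMP + SAMPLE),                      # persistence back to %TEMP%
    Event("create", "C:\\Windows\\Temp\\tmp1.tmp"),          # noise
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The appended-extension check is what separates an encryption pass from ordinary user renames: a rename that changes the stem (report.docx to report_v2.docx) is ignored, while a run of renames that all append the same new suffix under C:\Users is counted, and only a count at or above the threshold is reported as "Modifies extensions of user files". The Run-key check is anchored on the value data pointing at the sample's own path, which is the persistence pattern the Processes section attributes to PID 1340.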

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1340-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

    Filesize

    8KB