General

  • Target

    6d591daed58446c6cd8b6a324b9f57c440d2780e0dc7ff94b5d532bc9dd8a75b

  • Size

    53KB

  • Sample

    220211-hlmczsdfer

  • MD5

    0395ef8c8a5c3d27ac728a8dda4bbe47

  • SHA1

    aff10dbe0281374c05a355fdd18075186edf8e87

  • SHA256

    6d591daed58446c6cd8b6a324b9f57c440d2780e0dc7ff94b5d532bc9dd8a75b

  • SHA512

    e49a9d1e8c325ccea5e64174a5f7080e983633fc9dba3781f9582b3cb646761744f8befa504bc9ea17d65142626270533298dc6bc48da809ae8142d66daca992

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>���������������6E B1 3C 4B 5C E2 E2 F4 00 BC 71 34 CD 39 0A F1 79 5B 86 BE ED B0 1E 93 85 95 9C 62 2D 19 46 65 67 F4 18 21 CD 6B D5 75 76 51 2D B9 A9 87 17 59 AD 6F 3A D8 F5 B5 03 BE 3D B8 D8 15 47 4C 95 0E 65 4A BD 61 5D 4E C4 1B 0A 4A A5 6F BF B7 58 95 5D 94 07 E7 83 61 70 93 53 0F A2 25 2C F7 08 FC EB 75 05 19 B9 0B BE F7 1F 4F E4 17 E7 CB CE A6 FA D0 48 87 8C C2 E2 56 A8 8B AC D5 09 3D 25 CB 0C 3F C9 8F 67 29 21 00 70 70 C3 C5 05 FD D0 F4 FB DA BF A2 1F 40 1F CF 91 64 96 87 35 49 D9 D8 C2 60 4E 64 8F 7C 93 EF 69 5E F4 68 9C B6 F8 1A B3 BE B4 EF 06 49 3C C5 01 9B DB BF 0B 23 80 A0 3D 01 EF C9 91 82 8A 6C 14 E5 B1 01 E4 B2 50 36 2E F1 EE 8E 78 B7 05 F5 B7 81 EA 9D 9B 77 5E AA A7 38 6B 03 D2 01 83 AD 14 4E 28 D7 A2 2F 99 0C 10 4C 7A 7F 3F 0C CD 49 50 87 FD 13 3D 02 18 8C </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your files are encrypted! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 test image or text file <span> [email protected]</span>.</br> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <center>Attention!</center></br> <ul> <li>Only [email protected] can decrypt your files</li> <li>Do not trust anyone [email protected]</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> �������������
Emails

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>���������������51 5F 6F FB CD 38 5A 2B 25 1C 31 54 54 69 0A 3B 6B 6B 30 1F 0E CE F8 14 9D 90 66 1E 15 5F 9E E5 24 3F 6F D8 D9 39 1E F2 83 1E 18 D3 51 8D 22 58 35 04 F1 4F 88 32 2B A1 3B 29 2C FE A8 0B 1A 62 8E 17 4E A3 3F E3 12 3E EB F4 C5 E1 BB 40 BA B9 A6 95 B1 28 88 BE 44 AA 22 ED 26 16 B9 DB 98 A6 69 0A C0 34 C7 73 75 4D 86 F1 48 1F A4 BA 5C F2 B7 E2 55 D7 4B 5F 17 1F 0B B1 35 60 06 AA 3A 82 2F 34 81 E6 43 67 93 CE 62 2C A2 14 FE 14 F6 FB 9F 0A 5E 59 97 04 67 BA 2C 01 41 EF DB AA 5E 20 0C D9 A6 20 38 6B 94 A6 D0 21 06 15 FE 51 59 6E F3 E9 3D 62 BC 0B 62 01 34 FA 03 CF 08 2C 49 E6 42 40 02 AF E2 C5 26 27 D0 C1 1F 31 6D 24 26 01 E2 49 60 21 54 23 7B 68 6E 50 E0 8A 5E 5F 11 01 C2 6E C7 E9 9B DF 22 04 2B 56 15 E6 A5 94 5D 62 21 7F F6 27 E2 AF C7 A6 CC F3 15 8D 0C 58 70 AC </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your files are encrypted! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 test image or text file <span> [email protected]</span>.</br> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <center>Attention!</center></br> <ul> <li>Only [email protected] can decrypt your files</li> <li>Do not trust anyone [email protected]</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> �������������
Emails

Targets

    • Target

      6d591daed58446c6cd8b6a324b9f57c440d2780e0dc7ff94b5d532bc9dd8a75b

    • Size

      53KB

    • MD5

      0395ef8c8a5c3d27ac728a8dda4bbe47

    • SHA1

      aff10dbe0281374c05a355fdd18075186edf8e87

    • SHA256

      6d591daed58446c6cd8b6a324b9f57c440d2780e0dc7ff94b5d532bc9dd8a75b

    • SHA512

      e49a9d1e8c325ccea5e64174a5f7080e983633fc9dba3781f9582b3cb646761744f8befa504bc9ea17d65142626270533298dc6bc48da809ae8142d66daca992

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks