Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
167s -
max time network
140s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11/02/2022, 06:55
General
-
Target
55b0a25f8e1ada853b053706965c002531cbd02dda152fbe5d218f388ada4ee6.exe
-
Size
53KB
-
MD5
9f5d9e2b4ebb9ffe10ca665bd3007562
-
SHA1
0df95c2a55d2bda33693dd5cb5b7998aeeb28106
-
SHA256
55b0a25f8e1ada853b053706965c002531cbd02dda152fbe5d218f388ada4ee6
-
SHA512
f4ea991a1ae5166a1f334bd039f393928464fae2f08423c0f2158c8619999dfc6f1d144bd919ee90df2f35ad1b0ee28289c84d7c3bcba4631d464dd0b29e68d3
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<div>��9C 14 97 E0 2F 00 A2 08 C3 74 BF 55 21 5A 4F 84
8A 74 38 D1 61 76 C1 F0 CE 5D F2 23 E9 2E 30 C3
BE FF 8B A2 33 2D 9A FE 8D E6 5E 64 E8 5D 2E 14
BC 9D B4 4C 37 85 E4 D2 7F F9 78 3D 4C F7 D3 EF
8F 9C 80 39 6E 9D 4A AD 7A 8C F1 77 B7 38 99 2B
61 FD 55 8D 59 68 64 59 AE 06 99 8C 4A 48 D9 61
23 20 4F 9A 29 83 77 AB 89 BA 3B 11 08 B2 0A 5D
36 5A A5 3E E6 90 82 B4 CD AE 64 57 17 EA BC 4A
0F 52 59 5A 1D 05 16 5F 5F 1E 3D C1 79 97 1E F8
4B E3 BE 26 46 6D 39 6D F6 AF 91 D7 60 26 11 13
9F 9B 6D 5F DA DF 2F 7C 9A 8B FA 73 66 2A A5 C7
9B 4E 96 BD F0 4E 17 58 5F B1 7D E9 BB CA BA 4A
87 81 1F 5D 19 95 0E F4 DA F1 3D B6 DA D1 D4 97
72 A0 F3 43 DE C5 8A 8D F5 A3 90 D4 68 25 AF 8F
B5 62 CC 7B 33 8B 06 97 DA 97 76 BE F4 1A EE 1A
FF B4 66 6F CF E1 C4 31 47 68 45 09 3C 10 B9 4B
</div><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab2" />
<label for="tab2">ENGLISH</label>
<div id="tab-content2" class="content">
<h1>Hello.</h1>
<hr/>
<br/>
<div class="text">
<!--text data -->
All your files have received a secret permission.</br>
To remove this permission and restore all data you need:</br>
</br>
Send 1 image or text file (less than 1mb) to mail <strong>[email protected].</strong></br>
In the message include your personal ID (look at the beginning of this document).</br>
</br>
In the response message we will send the recovered file and further instructions for recovery.</br>
Alternative communication channel - website http://bitmsg.me</br>
Write the letter to the address : <strong>BM-2cUbAcJjMBqJxq9S6dDQZS5KaAhRmygtur</strong></br>
</br>
Attention!</br>
</br>
If you have not received a response to your message more than 48 hours, use bitmsg.me</br>
Attempts to run the anti-virus tools will result in the loss of your data</br>
Attempts to self-decrypting files will result in the loss of your data</br>
Decoders other users are not compatible with your data, because each user has a unique key</br>
</br>
Attention!
</br>
</br>
Payment is made only by bitcoins.</br>
If you have no bitcoins</br>
* Create Bitcoin purse: https://blockchain.info</br>
* Buy Bitcoin in the convenient way</br>
https://localbitcoins.com/ (Visa/MasterCard)</br>
https://www.buybitcoinworldwide.com/ (Visa/MasterCard)</br>
https://en.wikipedia.org/wiki/Bitcoin (the instruction for beginners)</br>
====================================================================================================</br>
<!--text data -->
</div>
</div>
</div>
</div>
</body>
</html>
�����������
Emails
<strong>[email protected].</strong></br>
URLs
http://bitmsg.me</br>
https://www.buybitcoinworldwide.com/
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\55b0a25f8e1ada853b053706965c002531cbd02dda152fbe5d218f388ada4ee6.exe"C:\Users\Admin\AppData\Local\Temp\55b0a25f8e1ada853b053706965c002531cbd02dda152fbe5d218f388ada4ee6.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB