Analysis

  • max time kernel
    169s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11-02-2022 06:56

General

  • Target

    52c1025eada8282232f4c1a9dc6e8579ddf5ed3ee3863884fc923d794cd93975.exe

  • Size

    55KB

  • MD5

    a93cf155e739fad41812e66fdce6dc2d

  • SHA1

    9168c5220cc1e79ac900b99cf72273e5d3df58eb

  • SHA256

    52c1025eada8282232f4c1a9dc6e8579ddf5ed3ee3863884fc923d794cd93975

  • SHA512

    69dfdee6d06c08888cb232c728e0b476581e408234af365b7907a3f89a172dc1529b5eec92c8451c4e990e9c7349a8bda104f5016ef83a11d441465050e7e015

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; color: #FF0000; background: #303030; } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>��43 AE 62 CF 92 54 81 5C FC 63 35 07 07 AE 1A 78 35 82 32 E6 1D 45 8C 7D 83 E6 D3 6A 06 74 07 EF 16 4F 6B B4 06 1F C9 CF 13 49 EA 4F E0 52 03 38 82 C8 C9 6F 8E 02 F4 75 FF A9 B9 A0 42 FE A2 EE 0D 0F 74 4A 3E 81 65 89 EC 9E E5 1A 96 99 82 2C F1 7D 47 A5 BB DF 99 BB DA C8 B8 B6 5F 8F 52 5C E9 9D A0 CC DD 53 AC BC 55 3A D3 11 21 04 D8 DC E6 97 3A C5 BF F4 44 55 1B BE A2 E3 3D EC E3 DD 1F 8D 3E 34 45 93 2C 33 C3 92 CB 3C ED A6 75 F1 11 D6 96 A3 B8 9B D4 3E 93 2F E3 8F C4 6C A7 8A 04 4F 43 D2 79 17 5B 0D 61 DB C6 96 F1 A3 73 A5 E7 68 1B 11 60 70 5F B5 88 9E 36 88 72 F0 96 9D EF 64 AE A3 EC AD 00 FA 57 DF 1A 06 23 CD C4 E8 2D F8 96 0F 81 08 25 D9 66 A8 6E 9F 07 46 54 C6 0B B2 DD BE B0 73 CB C0 97 AA 93 C1 39 66 C3 F6 B6 34 1B EF 98 D5 A4 D5 F7 27 D4 5D BD A8 A8 9C </p> </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9763; Your files are encrypted! &#9763;</h1> <hr/> <h3> &#11015 To decrypt, follow the instructions below. &#11015 </h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 crypted test image or text file or document to <span> <font color="FF0000"> [email protected] </font></span></br> (Or alternate mail <font color="FF0000"> [email protected] </font>)<p> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <hr color=red> <center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center> <center><p style="color:#FF0000"> Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except [email protected], will decrypt your files.</p></center> <hr color=red> <ul> <li>Only [email protected] can decrypt your files</li> <li>Do not trust anyone besides [email protected]</li> <li>Antivirus programs can delete this document and you can not contact us later.</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ��������������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 9 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\52c1025eada8282232f4c1a9dc6e8579ddf5ed3ee3863884fc923d794cd93975.exe
    "C:\Users\Admin\AppData\Local\Temp\52c1025eada8282232f4c1a9dc6e8579ddf5ed3ee3863884fc923d794cd93975.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:3216
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2052
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:5016
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3700
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
      PID:4036
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
      1⤵
        PID:4984

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2052-130-0x000001D35E130000-0x000001D35E140000-memory.dmp

        Filesize

        64KB

      • memory/2052-131-0x000001D35E190000-0x000001D35E1A0000-memory.dmp

        Filesize

        64KB

      • memory/2052-132-0x000001D360EA0000-0x000001D360EA4000-memory.dmp

        Filesize

        16KB