Analysis
-
max time kernel
166s -
max time network
137s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11-02-2022 06:58
General
-
Target
49aa8d1f521651cb6cc21555dbd38d320fa273dff66b9c743556fde2497deb02.exe
-
Size
53KB
-
MD5
2b91e153bb8d6fa628c051bfe09084e2
-
SHA1
b24ead009c7e413f8313bfde0b7137ff8fdf3e28
-
SHA256
49aa8d1f521651cb6cc21555dbd38d320fa273dff66b9c743556fde2497deb02
-
SHA512
5e6a40f4ac0ac01ca6793ce6fb9d1133e9d9662e80ec77d91b901a598c28cf6a1ccec44cd74bca356211941edce2cb77e68c996481a3a20dd499027536461392
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������38 5F F1 2C 45 9D 01 A6 97 0D DB 7B 1C 3E DB C3
73 05 F8 8D 34 6B 65 B5 5E 16 2F F4 2C D7 B5 6F
82 E0 86 92 AB 34 77 6C F5 CE 5A DC 95 36 C5 41
4C CC 6D F7 61 28 BE 0D 55 61 29 94 96 34 96 9E
4A C8 27 14 B4 47 34 B2 9B 15 D8 FA 74 74 10 D9
52 51 36 26 A2 CE 57 F8 48 FC B9 14 90 C0 F5 F4
CF C4 EB D4 28 34 C3 A8 FD 1E 18 38 04 8F 5D F0
F4 F5 BD 11 E9 54 67 2F 57 AF 5C 82 D1 82 F4 9D
1B 77 2E 7C 95 CA 02 3C 8B 51 67 BE 1C 46 44 39
E6 CB 02 6A 77 86 95 36 96 19 7A 5C 99 3B 06 A0
8A FC 03 FE 5F F8 71 96 F8 3F 1B E2 AB B3 AA 27
8E C0 E4 7A E9 4B 1D 95 65 CD 9E E8 84 67 23 FD
4D 85 8D 55 A7 74 2C C1 05 37 97 96 7D 1C 33 8A
04 C2 E3 7E CA B9 96 BD 62 E0 68 E5 A1 A1 90 E2
2F 80 BE B0 21 E5 EF CD 76 96 68 BF BC 3C 6C 39
6D 74 A7 4D 3A 7E DB 84 44 2F 06 E8 55 4F 74 53
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
��������������
Emails
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\49aa8d1f521651cb6cc21555dbd38d320fa273dff66b9c743556fde2497deb02.exe"C:\Users\Admin\AppData\Local\Temp\49aa8d1f521651cb6cc21555dbd38d320fa273dff66b9c743556fde2497deb02.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB