Analysis

  • max time kernel: 172s
  • max time network: 142s
  • platform: windows7_x64
  • resource: win7-en-20211208
  • submitted: 11-02-2022 07:01

General

  • Target: 40390854dd6d8c35e2946f3a43a6eca8460616fda013f4478b85c00a2e883de6.exe
  • Size: 55KB
  • MD5: 76dd963e228564a6f9ed1d4a0c881e2c
  • SHA1: a642841bad3287dd546b723beb9192d478e4b0ca
  • SHA256: 40390854dd6d8c35e2946f3a43a6eca8460616fda013f4478b85c00a2e883de6
  • SHA512: 3a2250cce41d7ce4be751f8b2b913ac64354bfec2dfc20d4a441ba18d37085059efdf04674edf90339136bcdb5944b4dd6e1adc686dcbe5a75950a1c9a78fa43

Malware Config

Extracted

  • Path: C:\HOW_TO_RESTORE_FILES.html

  • Ransom Note:
<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> <style> html, body {height:100%; color: #fff; font-family: monospace; background-color: #000;} a,h1,h2,h3,h4,h5,h6 {color: #fff;text-decoration: none;} a:hover {color: #aaa;} ul {list-style: square outside;padding: 15px;} .wrap { position:relative; width: 850px; margin: 0px auto ; height:auto !important; height:100%; min-height:100%;} .contentdiv {padding:10px;} .heading { text-align: center; font-size: 25px; letter-spacing: 0px; font-weight: 700; text-transform: uppercase;} .mould{ width: 400px; display: block; margin: auto; text-align: center; position: relative;} .mould .main{ padding: 10px; margin: 5px; border-radius: 6px;} .mould .main-part { padding: 10px; font-size: 12px; font-weight: 700; background-color: #252525; background:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAQAAAAECAYAAACp8Z5+AAAAJ0lEQVQYV2NkYGD4z8vLywADjLy8vP/hPAYGBrjA58+fGUAqMVQAAPnKB51wUh2MAAAAAElFTkSuQmCC) repeat;} .mould .id-text{color: #B22222; text-align: left;} .mould .ID{overflow: auto;} .content { width: 800px; display: block; margin: auto; position: relative;} .text-data{ width: 800px; padding: 10px; font-size: 14px;} .attention { margin: 15px auto; text-align: center; font-size: 20px; color: #fff; font-weight: 700; text-transform: uppercase;} .emails { background: #191919; color: #34dddd; padding: 2px 5px; border-radius: 4px;} .tech {border-left: 5px solid #3CB371;} .our { height: auto; padding-bottom: 0; padding-left: 5px;} .our .support { font-weight: bold; text-indent: 5px; height: 10px; line-height: 20px; padding-top: 5px;} .our ul {margin-top: 0;} .our ul li {padding: 1px;} </style> </head> <body> <!-- Head --> <div class="wrap"> <div class="contentdiv"> <div class="heading">&#9760; Your files are encrypted &#9760;</div><br /> <div class="mould"> <div class="main"> <div class="main-part"> <div class="id-text">// Your personal ID</div> <div class="ID"> 
<pre>[personal ID removed]</pre> </div> </div> </div> </div> <!-- end --> <!-- index --> <div class="content"> <!--tab--> <hr align="center" width="800" color="White" /> <h3>ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED</h3> <br /> <!-- end --> <!--text data --> <div class="text-data"> To recover data you need decryptor.<br /> To get the decryptor you should:<br /> <p>Send 3 test file not more than 10Mb: <span class="emails">[email protected]</span> or <span class="emails">[email protected]</span><br /> In the letter include <span style="color:#B22222">your personal ID</span><br /> You have to pay for decryption in Bitcoins.<br /> The price depends on how fast you write to us.<br /> After payment we will send you the decryption tool that will decrypt all your files.<br /> <div class="our tech"> <div class="support"> <span style="color:#006400">Our tech support is available 24\7</span></div> <ul> <li>Do not delete: Your personal ID</li> <li>Write on e-mail, we will help you! </ul> </div> <div class="attention">&#9888; Attention &#9888;</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price<br /> [they add their fee to our] or you can become a victim of a scam.</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders are not compatible with other users of your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> </div> </body> </html>
Emails

  • [email protected]

  • [email protected]

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops desktop.ini file(s) (13 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\40390854dd6d8c35e2946f3a43a6eca8460616fda013f4478b85c00a2e883de6.exe
    "C:\Users\Admin\AppData\Local\Temp\40390854dd6d8c35e2946f3a43a6eca8460616fda013f4478b85c00a2e883de6.exe"
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:1176

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1176-54-0x0000000074F01000-0x0000000074F03000-memory.dmp (Filesize: 8KB)