Analysis
-
max time kernel
165s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
11-02-2022 07:04
General
-
Target
307e97cbface56e89b0e2c2f4d1c034ab20eaad285aef837b70bba4de51c48d2.exe
-
Size
55KB
-
MD5
4ddafae6c067ce6bf17b9fd528525bc0
-
SHA1
835f322ca756e4e6929430edbf7eb51220facdf3
-
SHA256
307e97cbface56e89b0e2c2f4d1c034ab20eaad285aef837b70bba4de51c48d2
-
SHA512
c6f5be843421c592d5c99e3a4d86fff0b41d662fbf330fd3f714fc7d372304ea6a6bf90aa2eef8ef8fddd59f3f1793d3940e66235b5b90f990a9447b5b35921f
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 5px;
color: #FF0000;
background: #303030;
}
.tabs1 .identi {
margin-left: 0px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top:0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>��6B 7F 2F E3 D7 34 E2 2D 4B BA FF E2 2C CC 34 CA
0D CF B7 A6 2D B8 C2 E7 44 9E 81 6C EA F5 D0 46
A3 1D 5B 7E 9D 86 C2 3D 50 00 42 1E B4 6D 07 52
01 D5 F3 96 9A 81 D0 06 AD B3 B5 82 AA 69 69 1F
06 F5 05 1B C7 3B 7D 3A B4 DE CB 8D CD 37 A2 0B
FC B1 F7 11 D5 29 D8 B8 A8 C5 D6 13 2E 4F 07 6A
A4 5F 7C 2A 74 FB D2 C0 25 D9 B7 9C 50 D5 44 27
E6 F7 CF A7 80 8F B5 AF 00 23 B2 22 28 B4 E5 25
A6 10 E7 65 93 83 87 59 25 AA 5C 45 7D 3C A9 5B
5C DF DE FB 7D 6F 75 12 D3 07 FF BF CA 48 0D D3
E6 83 B0 52 C3 15 B9 24 BB 2F C3 9B 4A 14 D2 09
C8 96 F9 56 BB 9A 3A 63 F0 11 34 0C D2 80 BB CA
E4 9B 64 E0 A5 1E C0 E2 73 72 35 51 C6 F7 79 F7
42 09 4C DB 4C 82 E2 D0 FB E3 7B 35 AF A2 08 D5
75 58 EE 72 24 19 4D 80 8B 62 59 0C C2 81 20 CB
D0 26 CB F6 F5 C2 C2 2C 8A 92 6F 78 E8 18 21 F4
</p>
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☣ Your files are encrypted! ☣</h1>
<hr/>
<h3> ⬇ To decrypt, follow the instructions below. ⬇ </h3>
<br/>
<div class="text">
<!--text data -->
To recover data you need decryptor.</br>
To get the decryptor you should:</br>
<p>Send 1 crypted test image or text file or document to <span> <font color="FF0000"> [email protected] </font></span></br>
(Or alternate mail <font color="FF0000"> [email protected] </font>)<p>
In the letter include your personal ID (look at the beginning of this document).</p>
We will give you the decrypted file and assign the price for decryption all files</p>
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions
We can decrypt one file in quality the evidence that we have the decoder.</br>
<hr color=red>
<center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center>
<center><p style="color:#FF0000"> Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services.
No one, except [email protected], will decrypt your files.</p></center>
<hr color=red>
<ul>
<li>Only [email protected] can decrypt your files</li>
<li>Do not trust anyone besides [email protected]</li>
<li>Antivirus programs can delete this document and you can not contact us later.</li>
<li>Attempts to self-decrypting files will result in the loss of your data</li>
<li>Decoders other users are not compatible with your data, because each user's unique encryption key</li>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������
Emails
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 9 IoCs
-
Drops file in Windows directory 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\307e97cbface56e89b0e2c2f4d1c034ab20eaad285aef837b70bba4de51c48d2.exe"C:\Users\Admin\AppData\Local\Temp\307e97cbface56e89b0e2c2f4d1c034ab20eaad285aef837b70bba4de51c48d2.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB