Analysis
-
max time kernel
171s -
max time network
182s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
11-02-2022 07:03
General
-
Target
384d9c5897a5db25b373a0bd0841929a13683c9f374c81b493e7bec0a520aa6f.exe
-
Size
53KB
-
MD5
354f1e5bbdc592c7f96280c9424dd886
-
SHA1
0b0653212a402c5d885ef38b596ac64a617e1161
-
SHA256
384d9c5897a5db25b373a0bd0841929a13683c9f374c81b493e7bec0a520aa6f
-
SHA512
e4f309fc1893a9f03c901161c6faaa189ba63eda287f8b2d5803016569375ba8f8abe7ad22d71464ad4fe471b95ab793687e6989c8fbdddb737222c7499f5940
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������29 80 72 B2 B3 00 B4 01 9D C7 50 3E 8E EA E4 12
4F 09 F0 BA 3E 8C D4 B1 F4 41 DE 0C 5A 7D 2B BF
F0 3D A6 F6 23 77 2A F3 E6 A4 94 D4 AC 6D 67 0D
4D 22 94 22 94 05 01 BF A6 12 4B 8A D9 83 1D 38
AE 68 2A A2 4A 96 F5 FF C7 53 17 7C FF 3B FF 82
39 45 82 42 82 96 2E DB 0D 9D 19 2C 89 6B 6B 8E
64 63 4C DE 79 70 B6 F0 E4 FD 09 96 C6 BC 0C B6
02 AC AD 40 A7 AB BE ED 38 22 7E 1B 80 2E 9F 3C
94 28 11 AD C2 5F 9D 9B B5 C5 4D 8A 5F 8C 1D C9
33 F7 05 EC 8F 6E 6D 10 80 DD 25 8E 70 F1 C5 74
4C 47 6C B3 74 96 03 E4 94 43 6A F5 11 FF 0E 3D
AA EA 1D CA 53 BA 2C E0 C0 5B 0F F5 A5 20 5A 2A
34 8F 31 F7 34 61 F7 26 AC 83 17 CF D7 56 86 64
60 47 A8 3F AA 59 17 E5 78 B3 8C 9D CD F4 6A 39
8C 42 92 13 F3 F1 B5 D9 4F 73 A2 AB 19 98 01 65
2D E0 46 1C 38 D2 FB 22 DB AA 9C 5F A1 2C CE 89
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
</a><br>
4. Start a chat and follow the further instructions. <br><br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected]">[email protected] </a>
<br><a href="[email protected]">[email protected]</a>
<br>
<b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
������������
Emails
href="[email protected]">[email protected]</a>
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 24 IoCs
-
Drops file in Windows directory 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\384d9c5897a5db25b373a0bd0841929a13683c9f374c81b493e7bec0a520aa6f.exe"C:\Users\Admin\AppData\Local\Temp\384d9c5897a5db25b373a0bd0841929a13683c9f374c81b493e7bec0a520aa6f.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS