Overview

overview

10

Static

static

33a014b355...22.exe

windows7_x64

10

33a014b355...22.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    167s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11-02-2022 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33a014b3559f2b2bc62d72654c4f03e6c1e93429429c45afdd888df1dbdb5522.exe

  • Size

    54KB

  • MD5

    83950186ba8d2f30aaff4fc161cf6caa

  • SHA1

    f73c5a78ab7fc062d66fba81dc233c6cf89c0124

  • SHA256

    33a014b3559f2b2bc62d72654c4f03e6c1e93429429c45afdd888df1dbdb5522

  • SHA512

    e0619b49895c7df44edd081a694e6cf03a68073622cecdb2218aa1f9ceb7d142150c6c4cdf0bd692968c5b27bfd86f9b676552a50cdecbb3cbecfededc228df7

Score
10/10
globeimposterpersistenceransomware

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; color: #FF0000; background: #303030; } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>��AD CE 6B EB 63 C3 D2 7D 35 46 45 AD 71 7E 3E 01 17 63 6D 6D 42 5C 83 18 AC 11 60 A6 DD 53 1E 4C AF 28 D3 CC 8C 66 17 9D 8A BD A1 F4 02 30 22 5C B5 E3 C0 BB 5D 61 6F 2C 87 96 8F 45 FA 41 A5 1B 08 5B 92 9B 94 7C 7D DC C8 48 C5 8C 07 4B 7B F3 EA C6 57 F4 85 1B 86 79 13 D0 CD 1E F4 E6 9A BF 0F 0F 74 F5 5E 5F 06 A2 1F 26 16 78 9A BD 91 D5 72 E5 4E 19 8B 62 DC 1A 9D B9 10 9E 7F 9F FB B0 E4 AC DB 6A E4 88 57 2F 1F 76 F3 60 F3 4E BC 53 D5 07 BB 88 EF 13 55 6A 85 9F D4 7D 49 4C B6 70 7E A8 09 76 18 E3 DB F0 B0 8F 5D BD 23 C9 95 64 08 E7 A8 F9 14 D1 E4 C3 F0 76 52 3D 8C A2 A6 9E 7A 36 EE 9E 35 A5 21 39 81 1B 25 38 D0 BB FE 80 D2 C1 F5 4A C1 70 4C B7 EB 91 DF 33 4F BD EB B6 A6 7B A7 C1 7B 7B BD 91 AB F7 63 F7 99 8A 91 1D 14 5A 0A E0 57 E5 20 52 B9 6B CF A4 08 2B 1E 79 </p> </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9763; Your files are encrypted! &#9763;</h1> <hr/> <h3> &#11015 To decrypt, follow the instructions below. &#11015 </h3> <br/> <div class="text"> <!--text data --> To recover data you need decrypt tool.</br> To get the decrypt tool you should:</br> <p>Send 1 crypted test image or text file or document to <span> <font color="FF0000"> [email protected] </font></span></br> (Or alternate mail <font color="FF0000"> [email protected] </font>)<p> In the letter include your personal ID (look at the beginning of this document). Send me this ID in your first email to me</p> We will give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt tool and after payment you will receive a decrypt tool and instructions how to use it We can decrypt few files in quality the evidence that we have the decoder.</br> <hr color=red> <center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center> <center><p style="color:#FF0000"> Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except [email protected], will decrypt your files.</p></center> <hr color=red> <ul> <li>Only [email protected] can decrypt your files</li> <li>Do not trust anyone besides [email protected]</li> <li>Antivirus programs can delete this document and you can not contact us later.</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ��������������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 21 IoCs
  • Drops file in Windows directory 8 IoCs
  • Program crash 2 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33a014b3559f2b2bc62d72654c4f03e6c1e93429429c45afdd888df1dbdb5522.exe
    "C:\Users\Admin\AppData\Local\Temp\33a014b3559f2b2bc62d72654c4f03e6c1e93429429c45afdd888df1dbdb5522.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:2268
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:5064
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3860
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3204 -s 4560
      2⤵
      • Program crash
      PID:5016
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:3756
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    1⤵
      PID:1336
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 412 -p 3204 -ip 3204
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:4452
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3796
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3796 -s 3764
        2⤵
        • Program crash
        PID:1964
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 520 -p 3796 -ip 3796
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:396

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3756-142-0x0000022E7CC00000-0x0000022E7CC04000-memory.dmp

      Filesize

      16KB

      Download

    • memory/5064-130-0x000001D7F2BA0000-0x000001D7F2BB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5064-131-0x000001D7F3120000-0x000001D7F3130000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5064-132-0x000001D7F5820000-0x000001D7F5824000-memory.dmp

      Filesize

      16KB

      Download