General

  • Target

    2947bfc106e73121901c99b5498e03aa89670ad36cccfe0e04b898ea296c60fb

  • Size

    51KB

  • Sample

    220211-hwwpeacbb5

  • MD5

    2b7c3032acfb4bbb938084e179fc1f26

  • SHA1

    ef79fbbf085dcd326a120fe126556c5bc61cd0f1

  • SHA256

    2947bfc106e73121901c99b5498e03aa89670ad36cccfe0e04b898ea296c60fb

  • SHA512

    b3e0f7cdebd96d21e3be4f2737fc5cada304b975e8ef3ff8153c2dd95da80c2657b61976100d9debbbfec1f56e9e3aeba7933654f7328e32046d6eaab52773b8

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d.exe

    • Size

      51KB

    • MD5

      82f5dbbe1726bb9005072690b201aaac

    • SHA1

      7aef263a300c999b2a3d7d459308db6fb1906790

    • SHA256

      70fa0e970a0c29da67b5f1468996eecf7116256c2b7212fb6667b0fb92ad839d

    • SHA512

      3cf95d7960fc2385041c1f51efe2180c1576ba191cd2699d36161d6740ffcb316f5db08d014404da426018341c0c60e14e22e1cb9bfed6d540ce657aaba85dcb

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks