General

  • Target

    29164d1a928f1ec152d3a3a28111d5baf2178f06b10c99cedaa8049cd3a3247b

  • Size

    53KB

  • Sample

    220211-hwytrscbb6

  • MD5

    056a267f8eff3c33d5c47eb06ed06a2e

  • SHA1

    7d9288457ad639b91508be5e262deb9ace24fca2

  • SHA256

    29164d1a928f1ec152d3a3a28111d5baf2178f06b10c99cedaa8049cd3a3247b

  • SHA512

    d213eb80c372b61796994575eec95b4113a8da21920bee25bfe8b14fc34ca93948a0913f4305bdd254c046f1ea44e38f3638223be5da6ae7860dd6aad79d98ad

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>88 33 67 E7 0A 01 38 11 16 FA 2A 0E 93 5C 06 56 A1 B7 D2 84 4A 1A 50 F4 7A FD D3 79 A4 D8 AF F1 6C 6A 03 A7 68 DC 92 D0 AE D5 EF EF 43 80 68 D2 31 2C 13 99 B9 BA 2B 38 4F 31 A7 D0 8C 4B C6 DE 6B DB C7 C5 80 59 9E 01 84 B2 D9 E9 6C 7A D5 FF FB 47 E4 84 C9 76 36 5A 04 5C 65 BE 0E 86 31 58 C6 9A E8 13 7C A6 F0 22 
10 39 BE 43 7E 24 BF D8 E2 3E CE AC 77 8C 5D 8B 51 36 1A BD 8A 3E 4E BC FF 07 A4 8D 90 C9 CE 5B CC 4E CA 56 9D E9 96 8F 6A C0 8C 23 3F AE 3A EF B1 CB 82 6D 0A 71 D8 77 A2 DA BB 1D 83 6A 10 D1 B8 72 D9 14 64 6D ED 8A 23 EA 42 F2 55 84 AB 60 72 69 4C 95 36 35 05 F2 87 F1 57 C6 80 90 06 47 D3 F1 FC E5 4C CC 1D E3 3A 15 BD 34 F8 1A 55 CC 51 68 6F DB 6B F6 EB 30 73 0A 3A E2 A2 4B F6 58 A4 32 D9 14 9C FF EF 72 D6 45 F8 CB 11 CF 4B 51 72 CD 71 93 83 B1 09 37 </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your files are encrypted! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 test image or text file <span> [email protected]</span>.</br> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <center>Attention!</center></br> <ul> <li>Only [email protected] can decrypt your files</li> <li> [email protected]</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

Targets

    • Target

      29164d1a928f1ec152d3a3a28111d5baf2178f06b10c99cedaa8049cd3a3247b

    • Size

      53KB

    • MD5

      056a267f8eff3c33d5c47eb06ed06a2e

    • SHA1

      7d9288457ad639b91508be5e262deb9ace24fca2

    • SHA256

      29164d1a928f1ec152d3a3a28111d5baf2178f06b10c99cedaa8049cd3a3247b

    • SHA512

      d213eb80c372b61796994575eec95b4113a8da21920bee25bfe8b14fc34ca93948a0913f4305bdd254c046f1ea44e38f3638223be5da6ae7860dd6aad79d98ad

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks