Analysis
-
max time kernel
162s -
max time network
136s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11-02-2022 07:11
General
-
Target
14dcf6c34fd449588658cd22fd5e902192e56c4c1f3d6e8dea7dfdff93bf881c.exe
-
Size
56KB
-
MD5
6e11699bc2a423b584b4ec90031336dc
-
SHA1
20a1e0ee0cc37b8d62e5c086ac1840d428c32049
-
SHA256
14dcf6c34fd449588658cd22fd5e902192e56c4c1f3d6e8dea7dfdff93bf881c
-
SHA512
af85335968fb72ef69d2dd92cda18edd84e29d226be9993d034cb44fa5ef2c941fc37dad4a001d5e23736d006f337a0be289f8d38f6f539ab53442a629cb5abf
Score
10/10
Malware Config
Extracted
Path
C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #404040;
}
{
margin: 0;
padding: 0;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs1 .head{
text-align: center;
float: top;
text-transform: uppercase;
font-weight: normal;
display: block;
padding: 15px;
color: #000000;
background: #4A83FD;
}
.tabs1 .identi {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
text-align: center;
float: top;
display: block;
padding: 15px;
background: #303030;
color: #DFDFDF;
}
/*---*/
.tabs{
width: 800px;
display: block;
margin: auto;
position: relative;
}
.tabs .tab{
float: left;
display: block;
}
.tabs .tab>input[type="radio"] {
position: absolute;
top: -9999px;
left: -9999px;
}
.tabs .tab>label {
display: block;
padding: 6px 21px;
font-size: 18x;
text-transform: uppercase;
cursor: pointer;
position: relative;
color: #FFF;
background: #4A83FD;
}
.tabs .content {
z-index: 0;/* or display: none; */
overflow: hidden;
width: 800px;
/*padding: 25px;*/
position: absolute;
top: 32px;
left: 0;
background: #303030;
color: #DFDFDF;
opacity:0;
transition: opacity 400ms ease-out;
}
.tabs .content .text{
width: 700px;
padding: 25px;
}
.tabs>.tab>[id^="tab"]:checked + label {
top: 0;
background: #303030;
color: #F5F5F5;
}
.tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] {
z-index: 1;/* or display: block; */
opacity: 1;
transition: opacity 400ms ease-out;
}
</style>
<head>
<meta charset="utf-8">
<title>HOW TO DECRYPT YOUR FILES</title>
</head>
<body>
<div class="tabs1">
<div class="head" ><h3>Your personal ID</h3></div>
<div class="identi">
<pre>���������������37 51 D2 B8 5B 63 14 5F 8F D4 35 93 6C 5E 01 BF
50 61 B0 46 20 93 F8 AF E8 95 1C 77 A6 DF 7F 19
FE 95 F7 F7 0A 59 D9 53 CE 96 FF AE 9B BD 1C 82
CE 38 CC 3A DF 6D F6 AE 66 26 5A ED AE 8A 55 BC
DA 86 6D 98 9C 0B D0 39 BE FC EC EF 8D B5 73 CD
DA B2 70 65 65 85 84 B0 CE 72 4A F4 62 BD 58 D9
1B DD 65 96 2F 4E F3 0B 01 01 40 D7 6B F2 C5 46
92 36 5A 02 9B 2C C8 11 B1 34 4C 09 93 1A 10 D7
0F 7A 9B B7 67 19 6C 4D F5 EA 85 34 4D 2D E5 A0
16 2A 22 D9 C0 30 17 14 D6 E1 3B EC 9F E4 70 69
8E CA 90 1F A7 70 07 2C 9C CF 8F 0B 8A A9 5E 39
F1 BD 32 63 0F E2 88 54 2D 8E 88 C0 EB EF 69 ED
17 92 76 B0 3C 4F FB E4 37 DE 6B 4C 16 A2 70 9B
C1 A3 A6 67 A0 6A 85 46 30 D7 4B 30 45 46 5E 13
AA 04 A3 B4 CD 93 64 7C 17 D2 C7 0B FA 7A 8F CB
F4 97 B9 19 76 45 4C 2F DB E2 11 E5 E7 C1 07 57
</pre><!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<input type="radio" name="tabs" checked="checked" id="tab1" />
<label for="tab1">English</label>
<div id="tab-content1" class="content">
<h1>☠ Your corporate network locked! ☠</h1>
<hr/>
<h3>All your important data has been encrypted.</h3>
<br/>
<div class="text">
<!--text data -->
<h3>To restore files you will need a decryptor!</h3>
<center>To get the decryptor you should:</center></br>
<center>Pay for decrypt your network - 1 BTC </center></br>
<div align="left"> <strong>Buy BTC on one of these sites</strong> </div>
<div align="left">
<ol>
<li><strong>https://localbitcoins.com</strong></li>
<li><strong>https://www.coinbase.com</strong></li>
<li><strong>https://xchange.cc</strong></li>
</ol>
</div>
<div align="left">
<h1><br>
</h1>
</div>
<div align="left">
✔ Bitcoin adress for pay: 1F9WMAsdYPDaQuxx2F3t6vcJQw9KswFjsv
<center> </center></br>
✔ Send 1 BTC for decrypt
<center> </center></br>
✔ Send screenshot of payment to [email protected] or [email protected] - In letter
include your personal ID (look at beginning of this document)
<center> </center></br>
<center>-----------------------------------------------------------------------------
</center></br>
<center> Attention!</center></br>
<ul>
<li> 1 BTC this is price for all PC/Servers in your corporate NetWork !
<li> Only our team can decrypt your files.</li>
<li> No Payment = No decryption!</li>
<li> You really get decryptor after payment. As a guarantee you can send 1 test
image or text file to our email (In letter include your personal ID)</li>
<li> Do not attempt to remove program or run any anti-virus tools! This doesn't
help ☺ </li>
<li> Decoders of other users are not compatible with your data, because each user's
have unique encryption key!!!</li>
<li> Attempts of self-decrypting files will result in loss of your data </li>
<center> </center></br>
<center> </center></br>
<center> </center></br>
<center> © 2018 Globeimposter 2.0 | All Rights Reserved.</center></br>
</ul>
<!--text data -->
</div>
</div>
</div>
<!--tab-->
</ul>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
�������������
Wallets
1F9WMAsdYPDaQuxx2F3t6vcJQw9KswFjsv
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\14dcf6c34fd449588658cd22fd5e902192e56c4c1f3d6e8dea7dfdff93bf881c.exe"C:\Users\Admin\AppData\Local\Temp\14dcf6c34fd449588658cd22fd5e902192e56c4c1f3d6e8dea7dfdff93bf881c.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB