Overview

overview

10

Static

static

f373ca7e89...34.exe

windows7_x64

10

f373ca7e89...34.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-03-2022 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f373ca7e899cce69865c55be5a583aff18459489748ec55649e884d4be5ba434.exe

  • Size

    53KB

  • MD5

    c023089bc9f12e45e974688429188350

  • SHA1

    4178affe4951ae1c9f98adb9891432c5bc8a9d50

  • SHA256

    f373ca7e899cce69865c55be5a583aff18459489748ec55649e884d4be5ba434

  • SHA512

    554ceb05fa40a6f51ea98cb786f83d0cbea55af770e333f78fef597be63d7840626eab8ccd8ca9494d409a242643843d67b87cfabccecfc2ea82195614892bee

Score
10/10
globeimposterpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>���������������46 5B 4A 3E 5A 7A C2 B7 29 D8 31 58 8D B4 4C 79 FA DD 4A 1E F0 75 77 97 A1 9A EC 18 FF 30 02 CD 18 7D 21 42 20 12 58 15 8D 36 42 C3 7E 2B 21 DF D8 33 21 1C 5F F7 68 EB ED BE 9B 0A 9B 84 10 AB B7 40 65 D3 D4 02 D6 CF E4 26 F4 70 73 48 F5 37 15 C1 E9 8A 2D 5D 3C 4F 62 88 D8 24 A6 03 CA 6F E6 1D 0B 00 06 21 CF 66 D1 D4 56 86 7F 95 57 ED 5D 06 62 D9 5D EE D8 CA CD FA 03 39 F3 AC 02 72 C9 78 60 21 70 3E 29 1C 66 7B F5 CE 1B F0 D9 B1 FC 14 3E C8 3D F2 6E 37 7B 96 8B A6 30 63 EA 2A E1 CC 66 EB FE 8B 10 7E D7 94 AC BB 95 F1 D7 67 56 67 3A 76 64 C2 7D 09 6A 3D 99 FE BB 6C 88 87 82 93 F9 82 3F 2E 88 67 5B B3 57 C3 53 EE 75 E7 70 AB AE E7 E4 B2 89 25 02 A2 EB 97 D0 68 3B F6 1C EF EE 31 37 1A CE FB 6F 8C FB DF 5D 56 74 29 30 44 D2 00 32 C4 44 4F 29 89 F2 5B D7 BB 34 FF </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your files are encrypted! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 test image or text file <span>[email protected] </span>.</br> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <center>Attention!</center></br> <ul> <li>Only [email protected] can decrypt your files</li> <li>Do not trust [email protected]</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ��������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 32 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f373ca7e899cce69865c55be5a583aff18459489748ec55649e884d4be5ba434.exe
    "C:\Users\Admin\AppData\Local\Temp\f373ca7e899cce69865c55be5a583aff18459489748ec55649e884d4be5ba434.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:952

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/952-55-0x0000000076921000-0x0000000076923000-memory.dmp

    Filesize

    8KB

    Download