Analysis
- max time kernel: 151s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 30-05-2022 16:32
Static task: static1
Behavioral task: behavioral1
- Sample: 2.exe
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: 2.exe
- Resource: win10v2004-20220414-en
- Platform: windows10-2004_x64
- 0 signatures
- 0 seconds
General
- Target: 2.exe
- Size: 53KB
- MD5: 59e3542c4d5293a1a12b2bb6cb357d92
- SHA1: f31322bc47eec5f5c7da0e46f23fb868c982daa1
- SHA256: facc02c8d7a9927e3e1276f8122a2656136af1b8817511ed350b678b46407098
- SHA512: 85609e3598058b066af991bd8b665d4c9cda4e8b1de5429c20af354ee32fb29d7c3c1debcfcdd2fea760d1df29c3aaf3bc2d0e072601ed142661b9ef4313a939
Score: 10/10
Malware Config
Extracted
Path: C:\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">26 8E D9 AD CF 48 DC 11 09 B8 06 D0 35 27 65 4F
00 4D FC A7 83 D9 85 92 18 53 BB D9 6F F7 03 2E
FD BB EB 26 7E 67 78 2C 6C 02 91 D3 9D A8 A8 D4
C1 62 86 60 48 2F FC AD CC 16 46 C8 4C 82 1D 6C
EC AF 86 E7 03 C3 6A 05 9A CD 3A EF 08 28 D7 39
F9 B2 21 A9 5C 9E BB C1 A8 59 2A C7 A5 C5 A5 F7
9E 87 BF D6 BC A1 7D 12 C6 9D 56 A6 2F CA B1 F1
13 22 44 46 FA EE 15 B1 66 55 6D 9C 1C FD 6C B1
7E 2B 75 FC 82 B5 B6 25 5F EE 1F D4 B0 AD EB 13
B2 AE 9F 2E B9 4C 5D E9 63 F6 F0 B1 A3 FB B8 BF
48 B4 58 AE BD 11 97 4C 81 2E 83 B2 34 F4 91 7B
E6 B5 E5 03 0D 09 A1 BF 3C 8F C6 97 5D 1A D0 51
7A 1C FE 87 DB 11 0D 44 41 A1 C6 DB EA FF F3 B4
8B 30 E8 C4 00 99 E4 CA 7D 4B 9F 0C 91 0D 48 37
42 BA 35 CA 4D BB C8 82 80 90 A1 E6 3A 1A 47 51
1B 4A 34 41 11 EF B0 49 73 79 89 50 C8 6F 5B 36
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
GlobeImposter
GlobeImposter is a ransomware family first seen in 2017.
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\UnprotectSave.raw => C:\Users\Admin\Pictures\UnprotectSave.raw.Nfucklock | 2.exe
File renamed | C:\Users\Admin\Pictures\CompleteCompress.crw => C:\Users\Admin\Pictures\CompleteCompress.crw.Nfucklock | 2.exe
File renamed | C:\Users\Admin\Pictures\FormatPush.png => C:\Users\Admin\Pictures\FormatPush.png.Nfucklock | 2.exe
File opened for modification | C:\Users\Admin\Pictures\MountNew.tiff | 2.exe
File renamed | C:\Users\Admin\Pictures\MountNew.tiff => C:\Users\Admin\Pictures\MountNew.tiff.Nfucklock | 2.exe
File renamed | C:\Users\Admin\Pictures\StopMount.png => C:\Users\Admin\Pictures\StopMount.png.Nfucklock | 2.exe
File renamed | C:\Users\Admin\Pictures\TestSkip.raw => C:\Users\Admin\Pictures\TestSkip.raw.Nfucklock | 2.exe
File renamed | C:\Users\Admin\Pictures\UninstallBlock.tif => C:\Users\Admin\Pictures\UninstallBlock.tif.Nfucklock | 2.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2.exe" | 2.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Phone.accft | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLOGO.XML | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieMergeLetter.dotx | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Users.accdt | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHED98.POC | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityReport.Dotx | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Comments.accdt | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.XML | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\LATIN1.SHP | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL11.POC | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABELHM.POC | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyLetter.dotx | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeFax.Dotx | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.XML | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\mset7jp.kic | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Major Indicies.iqy | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityResume.Dotx | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Students.accdt | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\XLCPRTID.XML | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.XML | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Marketing Projects.accdt | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\VisioCustom.propdesc | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBCALSO.POC | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SegoeChess.ttf | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\XOCR3.PSP | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.XML | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RES98.POC | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSClientManifest.man | 2.exe
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\how_to_back_files.html | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Address.accft | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.GIF | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\mset7en.kic | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSN.ICO | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.INF | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSWORD.OLB | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.DPV | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Name.accft | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC | 2.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\how_to_back_files.html | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Contacts.accdt | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.DPV | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORM98.POC | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.XML | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.JPG | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip | 2.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveMergeLetter.dotx | 2.exe