General

  • Target

    file.exe

  • Size

    821KB

  • Sample

    221201-vme2hsdd8y

  • MD5

    190517d80c4edcef8a6c2b0a017941b0

  • SHA1

    2e03f910b3f9183657c3ec00735aa5b1f03080bb

  • SHA256

    5ff8f64c4f30268e388f898e0540163158b5941f9c0900d50c4d2fd9d1062e4c

  • SHA512

    676639520df2d44dc9d8fcbd9d49a0453715ea56520d4d606908bc7e9536b57b3ffd77ee8200b7861803ae70d0730a5be9a4193ec70ca9a235c7acb6af33bd65

  • SSDEEP

    12288:K+XtdQ4vM3zrbETClJkFg/IyXCD8H//qNtYU8d+JW7626bNiU1pvZ4xbPfivp+sZ:5vU376CbkFg/IyXtH4H8dd7624i/+

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 ��62 BF 84 0B E2 D9 DB E5 9F 63 64 73 7C 56 CD 1E E9 10 9B A3 25 9D 54 5E 9B 76 87 58 EB 4E 04 76 2D 95 26 E8 83 99 12 22 AC C9 05 B4 93 75 F3 A9 45 DC 96 1B C0 29 71 71 B8 0F 75 90 F5 D5 9D F7 10 0B 35 83 B8 F8 6A A8 EF D3 26 22 41 FA 95 8D 90 01 8F 7E D3 DF CE 96 59 AD C2 73 52 45 6A E4 DB 7C D1 29 1E 12 C9 12 32 EB 06 1D DD 64 A5 4C E5 A8 27 68 0E 0C D3 7C 8B 1C 64 83 1C F9 BD 51 11 C2 33 42 03 6C 8F B3 CD EE A1 A8 DC B3 D6 33 3A DE D7 49 CE 9C 77 1C DB A3 FC 1B 81 98 06 1C 69 B6 9C 2B 90 12 DC 90 5F 69 C4 94 D1 8B B1 6C 34 5B 29 95 86 76 48 25 76 9B 41 71 55 8D DF 8B 6B 64 43 F0 17 75 16 E2 9A AF A0 18 FC EA 4B 76 51 0C 78 A0 7D 33 ED 41 87 1D 65 6F FB 62 6D 84 8B 95 6D 64 00 4E E5 C3 AD 58 19 BA 61 2D 71 FE C9 D0 F2 13 3A 9C 88 2C 0A 65 C6 77 88 3B 4D CE
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR

https://yip.su/2QstD5

Extracted

Path

C:\readme.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 ��24 13 F6 D1 EC 78 01 E3 7A 7B 04 2C BE 7C BF 69 6C EE 0E 53 42 80 BD 74 37 33 CE 4B 4F 3C 24 FD E4 96 83 21 24 48 E8 F5 48 13 C6 04 2D 77 D2 E6 6C EC FE 5F 01 D8 B5 2D 04 3A C3 78 CA 14 05 10 21 88 59 51 27 63 51 47 B1 B3 C6 0E 7B C2 C9 F7 00 EC 57 01 E7 B0 DD 35 1D 43 08 09 A7 25 87 D9 D4 AB A2 D9 B1 DF 66 0E D6 D0 E7 AC DF 8E EF 4D 3C 62 F6 A2 D1 A2 34 FC 78 00 BA D6 05 75 4C 40 85 DF 02 1C CE 22 90 10 12 EA 55 0A B6 59 BD 81 C8 85 38 E1 9A 2F 86 00 45 B9 05 9B CC CA E8 AD 3B 49 37 96 A2 C0 B8 50 DA 49 8E 73 D3 7E 8C 71 C9 AD 9D FD 91 51 7E 3D 35 22 BC 50 74 DD 3D B6 AC F7 A8 99 AF 1F 3B 8D 0D FD F5 AD 6E 46 2F 2F 58 E8 60 8E 38 F0 A5 9B E3 34 17 B8 05 E6 7B D3 B4 CD 4F 75 C6 76 7A F6 AA 0F 21 AD D6 CF 5D 6A 45 20 79 9C F0 C5 F2 3F 25 16 CB 7C 91 61 1E DD
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR

https://yip.su/2QstD5

Targets

    • Target

      file.exe

    • Size

      821KB

    • MD5

      190517d80c4edcef8a6c2b0a017941b0

    • SHA1

      2e03f910b3f9183657c3ec00735aa5b1f03080bb

    • SHA256

      5ff8f64c4f30268e388f898e0540163158b5941f9c0900d50c4d2fd9d1062e4c

    • SHA512

      676639520df2d44dc9d8fcbd9d49a0453715ea56520d4d606908bc7e9536b57b3ffd77ee8200b7861803ae70d0730a5be9a4193ec70ca9a235c7acb6af33bd65

    • SSDEEP

      12288:K+XtdQ4vM3zrbETClJkFg/IyXCD8H//qNtYU8d+JW7626bNiU1pvZ4xbPfivp+sZ:5vU376CbkFg/IyXtH4H8dd7624i/+

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks