Analysis
-
max time kernel
139s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
11-10-2023 20:38
General
-
Target
fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
-
Size
53KB
-
MD5
5efa19dc204e46e8d8c57482f80e7a40
-
SHA1
5c83b3ddc8417fe64e0bbd3495445ddcee52e35e
-
SHA256
fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f
-
SHA512
0cdf4a1263b9a341240acea245155f0afbaac864eccd1d9623a9a152a9287e8a65cd62f12804d5a1293c9d960a4958c2aa05a720f35d42699fec5d4ac0accfc1
-
SSDEEP
768:FKcvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YW:F9eytM3alnawrRIwxVSHMweio3+
Score
10/10
Malware Config
Extracted
Path
C:\Users\Public\Music\Sample Music\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">����������67 A9 79 6C 23 B6 52 3F CC 44 41 6E 40 72 53 F2
06 06 BC 27 A8 90 A3 DB DC D7 22 74 ED F5 D5 56
AC 8F 6D DF 23 68 43 13 C2 40 3D 94 50 F7 13 3F
DF 2F 5C CA 2E BF 0B DA 32 B0 D4 33 3F C8 FB 3D
4A 93 59 F8 95 98 14 99 58 1E 59 38 58 65 4A 61
9E F8 07 F0 9C 72 78 FB 0B C7 00 D6 A4 5A 8F BF
44 C1 8D 6A E3 B5 C6 9E 2A DD 93 80 98 02 43 B0
62 2F 99 31 24 E2 A3 53 1E 80 D0 92 F7 9E B7 A3
BC FA 68 0B 41 DE B8 DC 9D 1E 63 17 1B 7C 1F 20
19 89 79 EE E9 2E C0 F3 9F F2 CA C4 E3 7A A0 EF
D0 14 46 DD 63 EB 6D 78 A0 A7 42 AC E0 61 2E 98
75 DA 12 FF 1D C8 E2 D7 C7 99 6F 13 C8 72 77 9A
90 56 76 D5 A1 67 FA 2F D4 12 AA 10 20 37 9F 66
76 9B C3 09 27 A9 7A 50 94 44 11 62 E6 6B 5C A8
16 D6 77 20 79 09 9E 07 01 F1 1D 52 1B CA F3 12
12 0A 5F 70 30 FE 25 B6 82 A2 54 5F A4 2B AC 74
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br>
* Note that this server is available via Tor browser only<br><br>
Follow the instructions to open the link:<br>
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br>
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br>
3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br>
</a>
4. Start a chat and follow the further instructions. <br>
<hr>
<b>If you can not use the above link, use the email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
</div>
</div>
</div>
<!--tab-->
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
Emails
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Renames multiple (1314) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe"C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5135ca9a284acefdddccebf5f401ab873
SHA147bf5912b0d35aec280e6e0fff119d1d89689baa
SHA256884b6c990e3949060287242c3088fe01d8cdb1b3f5e70d2f4f2f84a9cffc5b24
SHA5124c04ad80029d595504b63f154398d4676f69af2da973c734a0ecdb26b955551a5929ab9ec8f43afd0593e7c0d2cb677707934cd1e305b48418c0459a05693118
-
Filesize
56KB
-
Filesize
56KB