Analysis

  • max time kernel
    111s
  • max time network
    27s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    04-01-2024 13:52

General

  • Target

    INs.exe

  • Size

    53KB

  • MD5

    53d266f79e065761f85f145fe4b38e58

  • SHA1

    8455381ce40ed75e791d4d904fd31b3dda0a227f

  • SHA256

    3ea1f5c46ec453361e4596fdc9a1084a0f4922c970e2075bac3f54478f5b27d5

  • SHA512

    5e7dc399de29e53be1686d86a2627fc8b066412a92d1cabbe824eee5f41d5ffc964c5ab453a69e3fbe8fdd4e55a683f6282c840889351de070a5621087cae224

  • SSDEEP

    768:3aivuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5nj:3neytM3alnawrRIwxVSHMweio3

Malware Config

Extracted

Path

C:\Users\Public\Music\Sample Music\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������4E 85 65 1C 01 C3 DB 87 80 59 46 53 2A F8 78 12 BC 3A EE A0 6D B0 05 9D D6 17 CD A2 18 7A 64 A8 34 23 A5 A8 66 40 F9 23 96 E1 E2 90 B8 C3 50 32 7E A5 D5 D8 A9 8B 79 60 EE 0D 96 4A B7 95 E6 E3 D2 8F F8 7E A5 0F D8 51 4B F5 68 63 24 27 8C 49 CA 6A EE 12 96 56 54 6E 60 61 D0 19 04 31 E6 DF 89 DE D0 CF 1E E0 35 29 96 F9 E1 E7 84 4C DC 6C 80 F4 E3 2A F2 84 C2 CC 1D F3 7C 80 2E DF 6E 1E 97 E3 A7 82 45 3A A7 24 53 99 52 10 27 32 E3 4C 23 54 66 DF A6 17 20 7D EE 5E 5E 4B 91 A3 3A D7 CF 7E A4 70 06 EB 9F 88 B1 14 23 22 03 77 51 1E E4 3C 6E A6 44 82 43 17 AD AD E3 8F 62 CC 7C 75 E8 07 F3 0B 41 98 C3 F9 81 FA 63 FD 60 9C 51 12 78 91 DD 99 99 04 D4 E2 4F 4F 38 2C DF D7 1E 21 4B D5 AD 6F C6 2E 0B 9F 76 5E 00 5F FB E0 FF 0C 5E D8 AD 1C 50 68 70 B1 29 27 53 44 F7 8C 11 F3 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>��������������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Renames multiple (68) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Adds Run key to start application 2 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INs.exe
    "C:\Users\Admin\AppData\Local\Temp\INs.exe"
    1⤵
    • Adds Run key to start application
    PID:2284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Music\Sample Music\how_to_back_files.html

    Filesize

    4KB

    MD5

    c120969fb90aff177be5fec5663ad8a3

    SHA1

    ed98951da70528825af2fec6b896b046744a6a0a

    SHA256

    9b3278a68fb2d16fade571a2608ada6a25e55ad76e32401fb150ac87d5b092b2

    SHA512

    a72cc1aed69eca0531f09a3d2ea8451a6341254536c493472e0e57928a47c150983d2fb9597bd9225ddec250f3e35cf43ab6d7b2470846d05dc68f7717961e41

  • memory/2284-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2284-51-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB