Analysis

  • max time kernel
    124s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    07-02-2024 14:09

General

  • Target

    d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe

  • Size

    53KB

  • MD5

    22ff4b883468f0b2b21b2c50d5ca5bd9

  • SHA1

    e34f09cf8f1416ab4611a6a18ff99281fad93c70

  • SHA256

    d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893

  • SHA512

    9b37dff34d3ceca993bebda8e6d3f4f4a361af65ec6bdde4be54021be2dc48c176aa0b0ef2bae8433ca2957d5e3c28fe448465c3f816a5ee36a5d395bd8f4405

  • SSDEEP

    1536:oWOeytM3alnawrRIwxVSHMweio36l990:oWOey23alnaEIN/W6lA

Malware Config

Extracted

Path

C:\Users\Public\Music\Sample Music\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������A4 6D 2E 84 7F 36 9F 18 4E 3D 90 2D B2 A8 76 C7 D0 1D C6 67 7A 9A 4A 4F 1D 6C B9 7C 60 2D 5F FB D9 28 0C 95 C1 5D DA 9E B2 62 A0 E2 5C F0 DE 21 3E 5C B2 B0 39 03 6E B8 FD B1 E6 45 67 72 5D FF A0 0A 1A 9E 19 A0 FC BE A4 AB 2A A1 A6 A5 3C 00 A3 29 C4 CA 43 35 24 32 62 37 39 04 9E FE DF 6C 47 A9 03 F9 52 2E 99 2B 6F A9 4D A3 48 43 05 B7 99 6B 93 97 4B 3F 32 10 B0 FC 53 B0 94 EC 63 51 28 AC BD E7 D7 EC 6A C8 49 7B EB FA 09 53 80 9F B9 8A 55 4B 36 39 9F 1C 69 37 72 BF 1E 05 4C D8 A4 56 68 AC F3 B3 E4 DF 04 24 4C CD 3B A9 AF 69 59 FD 8A EF C3 7C DB 59 DB C0 45 64 AD 94 3C 76 9F 3D BE 65 71 92 14 85 7A 98 92 82 9D 88 4C DD 4E 93 3B 53 80 D6 8B C2 59 21 E0 BD B7 4A A0 E4 27 51 CC 94 8A 25 5C 01 F9 80 C4 FB 7D BC 07 7D 3A C2 3C 05 C4 CB 9E 64 47 3D C4 8C E6 E3 29 5F </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p> <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px"></span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ������������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Renames multiple (7520) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe
    "C:\Users\Admin\AppData\Local\Temp\d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe > nul
      2⤵
      • Deletes itself
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Music\Sample Music\how_to_back_files.html

    Filesize

    4KB

    MD5

    7404b23a26e69c3aeabc714f8bddd9f9

    SHA1

    2c8af615983f1891c30e2187f40c05f3b2b25a36

    SHA256

    5a1cd366af88081b192bebde515e8bb11588de87f6823152ab07413e9f7dc638

    SHA512

    c62c1a6ae716047a398cb20ad746be87024407a82ee6d1b59ea669510f83cfe540071f31c4661acf58f6d52a4a7640897b5212e30dbcdf60e8fc3cf788600851

  • memory/2480-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2480-1280-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB