Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
07-02-2024 14:09
General
-
Target
d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe
-
Size
53KB
-
MD5
22ff4b883468f0b2b21b2c50d5ca5bd9
-
SHA1
e34f09cf8f1416ab4611a6a18ff99281fad93c70
-
SHA256
d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893
-
SHA512
9b37dff34d3ceca993bebda8e6d3f4f4a361af65ec6bdde4be54021be2dc48c176aa0b0ef2bae8433ca2957d5e3c28fe448465c3f816a5ee36a5d395bd8f4405
-
SSDEEP
1536:oWOeytM3alnawrRIwxVSHMweio36l990:oWOey23alnaEIN/W6lA
Score
10/10
Malware Config
Extracted
Path
C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html
Ransom Note
<html>
<style type="text/css">
body {
background-color: #f5f5f5;
}
h1, h3{
text-align: center;
text-transform: uppercase;
font-weight: normal;
}
/*---*/
.tabs1{
display: block;
margin: auto;
}
.tabs1 .head{
text-align: center;
float: top;
padding: 0px;
text-transform: uppercase;
font-weight: normal;
display: block;
background: #81bef7;
color: #DF0101;
font-size: 30px;
}
.tabs1 .identi {
font-size: 10px;
text-align: center;
float: top;
padding: 15px;
display: block;
background: #81bef7;
color: #DFDFDF;
word-break: break-all;
}
.tabs .content {
background: #f5f5f5;
/*text-align: center;*/
color: #000000;
padding: 25px 15px;
font-size: 15px;
font-weight: 400;
line-height: 20px; }
.tabs .content a {
color: #df0130;
font-size: 23px;
font-style: italic;
text-decoration: none;
line-height: 35px; }
.tabs .content .text{
padding: 25px;
line-height: 1.2;
}
</style>
<body>
<div class="tabs1">
<div class="head" ><b>Your personal ID:</b></div>
<div class="identi">
<span style="width:1000px; color: #ffffff; font-size: 10px;">��������������95 30 02 39 C7 B6 D1 21 26 85 DA DB E0 97 9A 6B
00 30 80 89 72 CA DC 8A 70 D6 41 BB 78 0E FA E0
CB 11 7A 02 61 A1 1C E7 23 9E 4B 5D 21 4E 59 C5
87 3C 2C E2 51 E2 98 93 C0 F5 AC B7 CD 9A F5 45
69 60 E9 FC D2 2F 53 93 04 1A 0A 51 AC E7 EB 12
D9 32 D1 BE C1 F1 12 91 35 94 42 EC 4A 01 AC ED
F0 95 F8 D9 8A E4 D0 EF 6B 2F 33 83 1E 72 87 72
19 C5 D0 BC B9 B2 9E B7 56 00 02 B4 93 6F E6 C8
88 E0 73 A2 1E F3 4E E2 4F 8F 75 C4 0C E0 8F 6B
D8 AD 22 9A 93 D3 3C 19 D9 D4 12 5F CB E1 D5 BF
BA F6 25 23 08 5D A1 80 81 12 79 DE D9 82 35 D7
C1 54 75 5D 51 34 E7 FF 04 F5 16 97 BA 06 67 9C
F7 E9 07 A5 C3 A9 E0 0D BA 2E 90 A0 FB 7A FF AE
5D 3F 8B 73 10 47 0D 7B 9E FD A0 D6 3C 92 92 5E
84 4A 5D 29 8C F1 55 6F BD 64 A6 60 9C A7 AA B0
AB C0 F6 DF 8F 3F FE 0C C9 31 87 BA 17 22 D6 D4
</span> <br>
<!-- !!! dont changing this !!! -->
</div>
</div>
<!-- -->
<div class="tabs">
<!--tab-->
<div class="tab">
<div id="tab-content1" class="content">
<div class="text">
<!--text data -->
<b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br>
<b>All your important files have been encrypted!</b><br><br>
<hr>
Your files are safe! Only modified. (RSA+AES)<br><br>
ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br>
WILL PERMANENTLY CORRUPT IT.<br>
DO NOT MODIFY ENCRYPTED FILES.<br>
DO NOT RENAME ENCRYPTED FILES.<br><br>
No software available on internet can help you. We are the only ones able to<br>
solve your problem.<br><br>
We gathered highly confidential/personal data. These data are currently stored on<br>
a private server. This server will be immediately destroyed after your payment.<br>
If you decide to not pay, we will release your data to public or re-seller.<br>
So you can expect your data to be publicly available in the near future..<br><br>
We only seek money and our goal is not to damage your reputation or prevent<br>
your business from running.<br><br>
You will can send us 2-3 non-important files and we will decrypt it for free<br>
to prove we are able to give your files back.<br><br>
<!--text data -->
<hr>
<b>Contact us for price and get decryption software.</b><br><br>
<hr>
<b>email:</b><br>
<a href="[email protected] ">[email protected] </a> <br>
<a href="[email protected] ">[email protected] </a> <br>
<p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br>
<b>
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br>
<p> <a href<a href<b>
</div>
</div>
</div>
<!--tab-->
<b>
<b> <b> <span style="font-size: 22px"></span>
</b><br><br> </b><br>
<!--text data -->
</div>
</div>
<!--tab-->
</div>
</div>
</body>
</html>
������������
Emails
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Renames multiple (6120) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe"C:\Users\Admin\AppData\Local\Temp\d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe > nul2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD50e3ffbe29c5340211100351a96f8704a
SHA11b431ffcc1cb7e932d64356924b0d8c34a443229
SHA256c59a181a415dd9d878bc0a0a20a2d8b1b1201b9408bf9bf733c5431c27142751
SHA5125677fd1ce07e0907a83d037b8a139e3bae42b3dc0faed1e7b7a711fa4d9f863f1d95bbbf3c150aa8deb07c2da0f95da2aebecd28af89c6ca5e68ce1197cdef17
-
Filesize
56KB
-
Filesize
56KB