General

  • Target

    22ff4b883468f0b2b21b2c50d5ca5bd9.bin

  • Size

    28KB

  • Sample

    240209-bwcg7sfd97

  • MD5

    90255ae1646ecba250ab9ca42a4edc48

  • SHA1

    bddeef1b3cfbe118e6add46891a8cc7ca751f31f

  • SHA256

    b07f583e8617d0e4faa3982b5613cda10db48a28c4d9909bae93ccafec153e74

  • SHA512

    0a810e6ed2b9b6af8cd78142591f58f7b0d1dae13b33f50bd3706f660aa150d28c1d22fe1e43e5e248a1366285fe853f6c787e963aea3e0cc2b392f5609e5a3c

  • SSDEEP

    768:bjTayKkchH+P4260n3+5j7LitHzGS/YtMzM8v:P2jheDnuJitHbU8v

Malware Config

Extracted

Path

C:\Users\Public\Music\Sample Music\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������16 79 65 F3 F8 CF 5D A9 7E 23 B3 79 77 C0 35 F2 28 AB 25 9B 09 AD 1E 43 98 B6 8D 0F 99 15 65 44 EA 40 57 29 BB 73 26 F5 BC 9D 6F FA 8D CD 99 36 87 0E 54 C1 16 F5 D1 A2 BB D8 F5 98 DF F6 07 65 3A 73 E6 E9 47 DC 55 A3 75 5C D9 8B E8 91 72 88 E0 D3 28 FB EA 3A B7 5E A6 EC 88 1F FF 0B 6E FC DF E6 81 EC 12 28 B2 D5 FF D1 9D 90 05 2D DB D3 76 50 CE 15 16 7A 74 98 08 6D 79 4D 87 05 13 5B 70 90 7F E8 5A 88 40 25 F9 83 F9 92 E9 51 95 A4 E4 39 88 CE 8C 2B 63 E7 96 2C B7 E4 3B 48 33 66 8B 62 23 28 D7 1F 50 C8 0C E6 62 F6 3C CB 16 18 04 ED 90 72 C5 51 B7 EB 92 DB D1 BC CF 45 68 06 4D 67 C7 B2 36 84 81 22 F4 B3 13 C7 67 EE 64 EF 9E 51 0E 18 F9 0F AF CA 2B A5 6E E3 C2 63 FD 8E 91 53 C2 E4 41 17 5C 9B 17 FB 59 C2 67 12 04 93 B7 69 B3 91 3A 2D A6 5E 7B 12 CC 94 7B 66 05 41 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p> <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px"></span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ������������

Extracted

Path

C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������79 8B B2 28 80 DA AB EB 2F 67 AC EF A7 B1 15 6B 88 07 4C 99 FA 0C 1C C5 56 89 D6 C6 62 E3 45 CB 78 45 33 66 10 D4 52 4E 40 A9 85 01 CA F1 5E 39 61 23 28 A1 B2 B4 31 45 B0 AF A7 5C A5 C1 91 66 71 85 60 35 66 4F 94 EB D3 05 F8 36 0F 00 F2 4D 18 61 59 94 43 1C 29 6B B8 2B 84 8F 80 B0 74 90 19 75 1C 4D A9 19 B0 E1 AE D8 22 F2 EA 67 D1 D5 12 8E 19 D2 9F AA 0A 15 23 8C 3B 96 5B B5 79 55 52 2A 3D F6 B7 51 A3 84 6A 02 CA 84 9E D4 68 C0 45 03 CF 56 6C AC B6 C8 D3 65 69 B5 1C 41 CE CD 08 29 14 74 E8 0B FD 5A E4 19 20 3E DC 04 18 43 2D 5E 75 FB E2 8B A6 A3 63 2A AC F6 73 80 E0 1F 87 2A 1D 88 3F D5 8E 84 7D 44 DE 32 1C 72 42 F4 FE 91 5B C2 84 D2 95 21 0B 1F 6C 9A 34 84 2A E9 4E 1F C4 8D 5A B5 EF 2C FF 07 EA B9 81 3D 13 36 3D 43 95 57 80 0E 1D 07 D3 73 A6 55 64 AF 02 8B </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p> <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px"></span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ������������

Targets

    • Target

      d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe

    • Size

      53KB

    • MD5

      22ff4b883468f0b2b21b2c50d5ca5bd9

    • SHA1

      e34f09cf8f1416ab4611a6a18ff99281fad93c70

    • SHA256

      d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893

    • SHA512

      9b37dff34d3ceca993bebda8e6d3f4f4a361af65ec6bdde4be54021be2dc48c176aa0b0ef2bae8433ca2957d5e3c28fe448465c3f816a5ee36a5d395bd8f4405

    • SSDEEP

      1536:oWOeytM3alnawrRIwxVSHMweio36l990:oWOey23alnaEIN/W6lA

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Renames multiple (7515) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks