General

  • Target

    b07f583e8617d0e4faa3982b5613cda10db48a28c4d9909bae93ccafec153e74

  • Size

    28KB

  • Sample

    240209-fxbphsfh8s

  • MD5

    90255ae1646ecba250ab9ca42a4edc48

  • SHA1

    bddeef1b3cfbe118e6add46891a8cc7ca751f31f

  • SHA256

    b07f583e8617d0e4faa3982b5613cda10db48a28c4d9909bae93ccafec153e74

  • SHA512

    0a810e6ed2b9b6af8cd78142591f58f7b0d1dae13b33f50bd3706f660aa150d28c1d22fe1e43e5e248a1366285fe853f6c787e963aea3e0cc2b392f5609e5a3c

  • SSDEEP

    768:bjTayKkchH+P4260n3+5j7LitHzGS/YtMzM8v:P2jheDnuJitHbU8v

Malware Config

Extracted

Path

C:\Users\Public\Music\Sample Music\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">30 44 9D 8A B7 48 E1 0F E8 01 65 87 B9 A5 A1 0C 54 37 BC 24 7A 5C 55 D8 BD F4 14 AF E2 80 52 C7 FF AA 3F DC 84 4D 59 9A BD DA A1 BF AA 4D 48 0E 01 4F 70 BA 2B 76 10 8B 7C 74 93 C8 78 80 9E 05 39 91 F8 72 ED E8 E1 E6 34 89 EF 49 90 66 35 97 42 D4 B4 A9 74 28 2B 99 5A F1 36 C7 DE 6C 3B 1E 95 2B A8 EB BC 8A 94 77 88 81 4F AF DB 6C 46 1F 30 5E 90 4D 77 D4 88 EA F4 E1 44 CB 3C E2 F0 88 EB 2B 58 AC BE 37 7A 08 86 0C 05 86 22 92 58 74 E1 6C 46 01 81 04 D3 19 8D AF 13 2F 8C AC 82 B8 B9 A8 3F 54 0B B2 B3 29 C0 EB E3 2C 51 E0 CB BA D4 D9 69 85 48 D4 89 2C 2B 14 41 C9 A6 EE F3 CC 97 1E 51 4C E0 12 81 F2 EE F7 53 43 39 2E 16 AD 74 9E 00 9B 44 B8 89 3F 84 1D 06 9E 0C 1E BE 39 18 2A 25 70 94 31 9C 17 40 FE CB 5D 8F 4A 8F A1 7C 93 F7 25 28 E0 F1 D7 38 E5 CB DC A8 A7 97 18 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p> <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px"></span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Extracted

Path

C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html


Targets

    • Target

      d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe

    • Size

      53KB

    • MD5

      22ff4b883468f0b2b21b2c50d5ca5bd9

    • SHA1

      e34f09cf8f1416ab4611a6a18ff99281fad93c70

    • SHA256

      d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893

    • SHA512

      9b37dff34d3ceca993bebda8e6d3f4f4a361af65ec6bdde4be54021be2dc48c176aa0b0ef2bae8433ca2957d5e3c28fe448465c3f816a5ee36a5d395bd8f4405

    • SSDEEP

      1536:oWOeytM3alnawrRIwxVSHMweio36l990:oWOey23alnaEIN/W6lA

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Renames multiple (7487) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • Adds Run key to start application
