General

  • Target

    220330-ky21bafbdq

  • Size

    56KB

  • Sample

    240228-lcmtyagb3s

  • MD5

    cadf573e4ca120639a1e5484e985938d

  • SHA1

    ff0d09efbb1495982073291351a81de59e2c3c0d

  • SHA256

    7375b2047d519fffcbe1191522efbf73dcda6073a4fc9b77f01f009c437a2fe8

  • SHA512

    a8496afe762828b23f3568c49954a7c84c2390e0b2d2bb54c141fa9af2db390fd1f0a7582a006ed2b315fd074e4a2268bfdc52a1923f1a28e706000db92015ef

  • SSDEEP

    1536:gmPeytM3alnawrRIwxVSHMweio3yHLBCo:pPey23alnaEIN/WyHLBCo

Malware Config

Extracted

Path

C:\Users\Public\Videos\Read Me!.hTa

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>Lord Bomani Encrypted your File;(</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <h2><span style="text-decoration: underline; color: #000000;"><strong><em>All your files have been encrypted!<img src="https://yoursmiles.org/bsmile/fun/b0222.gif" alt="[email protected]" /></em></strong></span></h2> </div> <div class="bold">All your files have been encrypted due to a security problem with your PC.</div> <div class="bold">If you want to restore them, write us to the e-mails:&nbsp;<span style="color: #800000;"><a style="color: #800000;" href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span style="color: #ff0000;"><a style="color: #ff0000;" href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span style="color: #0000ff;"><a style="color: #0000ff;" href="mailto:[email protected]">[email protected] </a></span>&nbsp;<span style="text-decoration: underline;"> </div>(for the fastest possible response, write to all 3 mails at once!)</span></div> <h4 class="bold"><span style="text-decoration: underline;"><em><strong>Write this ID in the title of your message:</strong></em></span></h4> <p><span style="text-decoration: underline; color: #0000ff;"><em><strong> ���61 0C F8 1E 8C 9E FD 7C 3F 6D 3E 10 DD BD 56 83 26 50 5F 10 A3 78 7C C8 CA B5 ED 5B 6C 82 6C 20 49 95 A2 8D 0D A6 66 83 65 E8 35 EF CC 97 26 69 C7 B8 21 25 0A F8 20 C3 6F DD ED 7D 67 12 41 ED 99 A2 B2 EA 5D B6 9E 0D 45 E2 D9 8C E8 32 2C 9E 8B 29 CD AC DD C2 DE 3D A1 20 E4 7B 9C 51 E2 FB CD 2C 47 1A B3 77 BA 69 34 9D F0 E7 BD FC B5 EC 2D 0E 40 51 44 E2 67 47 70 16 3D 3F C9 CE 0C 2C C8 23 C8 2A 0B 4B BB 38 B3 FE 06 E4 72 78 E7 9F 16 7E C8 8F DC E3 E1 F4 B7 A2 81 03 10 3A 76 DD FB D0 2C CC 1C 80 82 8B 77 C2 54 DF 8F 62 73 5C E5 97 DF 3A 60 C2 4C FF 46 FA F4 3A AA A4 B8 37 DC AC 47 A4 5C 4A 99 2A D3 54 01 F9 A4 66 B4 07 00 AA DD FD B0 F0 46 D6 91 99 31 A4 7E 40 A4 9C 2C 9C A1 51 91 4B AD 0D AB 1B 00 63 A3 E1 E2 AD F5 E3 A4 FC 4F D4 03 EC 54 1E 0B A3 4F 7F 60 7D </strong></em></span></p> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> <li>We also upload a huge amount of your personal data, including confidential information, financial information, customer personal information, passwords, and so on. Everything that we downloaded will be leaked for public use in case of non-payment or after the expiration of your key for decrypting files. </li> <li>Hurry up! The decryption keys for your files may be overwritten and then recovery of your files will not be possible! (this usually happens a week after encrypting your files.)</li> </ul> </div> </body> </html>��������
Emails

alt="[email protected]"

href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span

href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span

href="mailto:[email protected]">[email protected]

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Public\Videos\Read Me!.hTa

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>Lord Bomani Encrypted your File;(</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <h2><span style="text-decoration: underline; color: #000000;"><strong><em>All your files have been encrypted!<img src="https://yoursmiles.org/bsmile/fun/b0222.gif" alt="[email protected]" /></em></strong></span></h2> </div> <div class="bold">All your files have been encrypted due to a security problem with your PC.</div> <div class="bold">If you want to restore them, write us to the e-mails:&nbsp;<span style="color: #800000;"><a style="color: #800000;" href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span style="color: #ff0000;"><a style="color: #ff0000;" href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span style="color: #0000ff;"><a style="color: #0000ff;" href="mailto:[email protected]">[email protected] </a></span>&nbsp;<span style="text-decoration: underline;"> </div>(for the fastest possible response, write to all 3 mails at once!)</span></div> <h4 class="bold"><span style="text-decoration: underline;"><em><strong>Write this ID in the title of your message:</strong></em></span></h4> <p><span style="text-decoration: underline; color: #0000ff;"><em><strong> ���57 8D E9 5B 5D 7D 4C 2B 44 CF E3 5D 48 40 3C AF 4E 2B 87 1D A3 AF 2A 6D 4B 31 CE D5 1B 44 B4 69 C4 9A AC 14 04 66 BA E7 6C A8 23 67 08 C6 A2 45 C6 68 19 24 3B 3F A4 C9 7A 14 9F 85 91 88 35 4C CB F6 41 EA 7D B1 38 6A 73 75 98 DC 6F 67 3A 77 07 52 D3 22 0E FD BF 59 8E 3E DE 8E 44 DD 20 5E 7E 36 E1 C2 E0 9A 29 55 81 D9 3A 9E 89 86 90 D9 98 A3 16 43 B7 AE D3 50 EF 5B E0 97 EA 19 BB E3 BD 48 AB E1 61 B9 8D 4D 37 A3 2C 08 AA AA B4 4C B9 D7 DC 2B 57 AE 0C 88 5D 0D 2C 11 0A 4A E4 B3 4C 1D 88 90 C6 D9 34 1E 00 36 C9 03 89 63 24 3A 61 ED D1 75 C7 EA B4 11 78 8A 9A 88 16 DA 47 EE 22 6D E9 38 85 BB 15 C8 66 3D AD 68 7A 7A 71 2C 4B 81 21 67 0C 81 FF 23 FB E4 1B 49 33 E5 C1 9B 5C F5 0D 55 4E 3F 43 27 83 16 54 F3 74 48 82 DD 73 EC 04 84 B6 39 CA D6 EA 08 7E 91 D6 91 AA 90 </strong></em></span></p> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> <li>We also upload a huge amount of your personal data, including confidential information, financial information, customer personal information, passwords, and so on. Everything that we downloaded will be leaked for public use in case of non-payment or after the expiration of your key for decrypting files. </li> <li>Hurry up! The decryption keys for your files may be overwritten and then recovery of your files will not be possible! (this usually happens a week after encrypting your files.)</li> </ul> </div> </body> </html>��������
Emails

alt="[email protected]"

href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span

href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span

href="mailto:[email protected]">[email protected]

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Targets

    • Target

      220330-ky21bafbdq

    • Size

      56KB

    • MD5

      cadf573e4ca120639a1e5484e985938d

    • SHA1

      ff0d09efbb1495982073291351a81de59e2c3c0d

    • SHA256

      7375b2047d519fffcbe1191522efbf73dcda6073a4fc9b77f01f009c437a2fe8

    • SHA512

      a8496afe762828b23f3568c49954a7c84c2390e0b2d2bb54c141fa9af2db390fd1f0a7582a006ed2b315fd074e4a2268bfdc52a1923f1a28e706000db92015ef

    • SSDEEP

      1536:gmPeytM3alnawrRIwxVSHMweio3yHLBCo:pPey23alnaEIN/WyHLBCo

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Renames multiple (8658) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks