Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-02-2024 09:23

General

  • Target

    220330-ky21bafbdq.exe

  • Size

    56KB

  • MD5

    cadf573e4ca120639a1e5484e985938d

  • SHA1

    ff0d09efbb1495982073291351a81de59e2c3c0d

  • SHA256

    7375b2047d519fffcbe1191522efbf73dcda6073a4fc9b77f01f009c437a2fe8

  • SHA512

    a8496afe762828b23f3568c49954a7c84c2390e0b2d2bb54c141fa9af2db390fd1f0a7582a006ed2b315fd074e4a2268bfdc52a1923f1a28e706000db92015ef

  • SSDEEP

    1536:gmPeytM3alnawrRIwxVSHMweio3yHLBCo:pPey23alnaEIN/WyHLBCo

Malware Config

Extracted

Path

C:\Users\Public\Videos\Read Me!.hTa

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>Lord Bomani Encrypted your File;(</title>
<HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no">
<script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script>
<style type='text/css'>
body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; }
img { display:inline-block; }
.bold { font-weight: bold; }
.mark { background: #D0D0E8; padding: 2px 5px; }
.header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; }
.info { background: #D0D0E8; border-left: 10px solid #00008B; }
.alert { background: #FFE4E4; border-left: 10px solid #FF0000; }
.private { border: 1px dashed #000; background: #FFFFEF; }
.note { height: auto; padding-bottom: 1px; margin: 15px 0; }
.note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; }
.note .mark { background: #A2A2B5; }
.note ul { margin-top: 0; }
.note pre { margin-left: 15px; line-height: 13px; font-size: 13px; }
.footer { position:fixed; bottom:0; right:0; text-align: right; }
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,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'>
<h2><span style="text-decoration: underline; color: #000000;"><strong><em>All your files have been encrypted!<img src="https://yoursmiles.org/bsmile/fun/b0222.gif" alt="[email protected]" /></em></strong></span></h2>
</div>
<div class="bold">All your files have been encrypted due to a security problem with your PC.</div>
<div class="bold">If you want to restore them, write us to the e-mails:&nbsp;<span style="color: #800000;"><a style="color: #800000;" href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span style="color: #ff0000;"><a style="color: #ff0000;" href="mailto:[email protected]">[email protected]</a></span>&nbsp;and&nbsp;<span style="color: #0000ff;"><a style="color: #0000ff;" href="mailto:[email protected]">[email protected] </a></span>&nbsp;<span style="text-decoration: underline;"> </div>(for the fastest possible response, write to all 3 mails at once!)</span></div>
<h4 class="bold"><span style="text-decoration: underline;"><em><strong>Write this ID in the title of your message:</strong></em></span></h4>
<p><span style="text-decoration: underline; color: #0000ff;"><em><strong> 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strong></em></span></p>
<div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>
<li>We also upload a huge amount of your personal data, including confidential information, financial information, customer personal information, passwords, and so on. Everything that we downloaded will be leaked for public use in case of non-payment or after the expiration of your key for decrypting files. </li>
<li>Hurry up! The decryption keys for your files may be overwritten and then recovery of your files will not be possible! (this usually happens a week after encrypting your files.)</li>
</ul>
</div>
</body>
</html>
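
The report's own Emails and URLs lists below are raw regex hits on the HTA source (HTML fragments, and the DOCTYPE's DTD link picked up as if it were an indicator). The following script, added here as an example and not part of the report or the malware, shows how to pull the same fields out of a note like this one properly: decode using the note's declared `windows-1251` charset, drop the NUL/garbage padding after `</html>`, keep the DOCTYPE URL apart from links in the body, take contact addresses from `mailto:` hrefs and any stray `alt=` text, and recover the victim ID that follows the "Write this ID" prompt. The embedded `SAMPLE_HTA` is a constructed stand-in for `Read Me!.hTa`: the page's copy has its addresses redacted and its ID garbled, so the `@example.invalid` addresses, the hex ID and the Cyrillic line are placeholders.

```python
"""Extract contact addresses, links and the victim ID from a GlobeImposter-style
HTA ransom note. Added example; not the report's or the malware's own code."""
import html
import json
import re

DEFAULT_CHARSET = "windows-1251"  # what the dropped note declares in its <meta>

# Constructed stand-in for "Read Me!.hTa". Addresses, the ID and the Cyrillic
# line are placeholders; the structure mirrors the note shown in the report.
SAMPLE_HTA = (
    b"<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' "
    b"'http://www.w3.org/TR/html4/strict.dtd'>\n"
    b"<html><head><meta charset='windows-1251'>"
    b"<title>Lord Bomani Encrypted your File;(</title>"
    b"<HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu=\"no\">"
    b"<script language='JScript'>window.moveTo(50, 50);</script></head><body>"
    b"<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUg=='>"
    b"<h2>All your files have been encrypted!"
    b"<img src=\"https://yoursmiles.org/bsmile/fun/b0222.gif\" alt=\"op1@example.invalid\" /></h2>"
    b"<div class=\"bold\">If you want to restore them, write us to the e-mails:&nbsp;"
    b"<a href=\"mailto:op1@example.invalid\">op1@example.invalid</a>&nbsp;and&nbsp;"
    b"<a href=\"mailto:op2@example.invalid\">op2@example.invalid</a>&nbsp;and&nbsp;"
    b"<a href=\"mailto:op3@example.invalid\">op3@example.invalid </a></div>"
    b"<div>\xc2\xe0\xf8\xe8 \xf4\xe0\xe9\xeb\xfb</div>"  # cp1251 bytes for a Cyrillic line
    b"<h4><strong>Write this ID in the title of your message:</strong></h4>"
    b"<p><span><em><strong> 1A2B3C4D5E6F7A8B</strong></em></span></p>"
    b"<ul><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>"
    b"<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>guide</a></ul>"
    b"</body></html>\x00\x00\x00\x00"  # trailing padding as seen after </html> in the report
)

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")  # data: URIs are deliberately not matched
TAG_RE = re.compile(r"<[^>]+>")


def decode_note(raw: bytes) -> str:
    """Decode with the charset the note declares (fallback: windows-1251), replacing
    undefined bytes, and strip the NUL / replacement-char padding after </html>."""
    m = re.search(rb"<meta\s+charset=['\"]?([\w-]+)", raw, re.I)
    charset = m.group(1).decode("ascii") if m else DEFAULT_CHARSET
    try:
        text = raw.decode(charset, errors="replace")
    except LookupError:  # unknown/garbled charset name
        text = raw.decode(DEFAULT_CHARSET, errors="replace")
    return text.rstrip("\x00\ufffd")


def extract_note_iocs(text: str) -> dict:
    """Return title, victim ID, contact e-mails and URLs, keeping the DOCTYPE's DTD
    URL separate so it is not reported as operator infrastructure."""
    doctype = re.match(r"\s*<!DOCTYPE[^>]*>", text, re.I)
    doctype_urls = URL_RE.findall(doctype.group(0)) if doctype else []
    body = html.unescape(text[doctype.end():] if doctype else text)

    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    # The ID is the next <strong> run after the "Write this ID" prompt; drop inner tags.
    id_m = re.search(r"Write this ID.*?</h4>.*?<strong>(.*?)</strong>", body, re.I | re.S)
    victim_id = TAG_RE.sub("", id_m.group(1)).strip() if id_m else None

    mailto = re.findall(r"mailto:([^'\"\s>]+)", body, re.I)
    emails = sorted({e.lower() for e in mailto + EMAIL_RE.findall(body)})
    return {
        "title": title.group(1).strip() if title else None,
        "victim_id": victim_id,
        "emails": emails,
        "urls": sorted(set(URL_RE.findall(body))),
        "doctype_urls": doctype_urls,
    }


if __name__ == "__main__":
    print(json.dumps(extract_note_iocs(decode_note(SAMPLE_HTA)), indent=2, ensure_ascii=False))
```

Run it against the real dropped file with `extract_note_iocs(decode_note(open(path, "rb").read()))`; the `urls` list then carries the payment-guide and image links from the note body, while the w3.org DTD link stays under `doctype_urls`.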
Emails

The note carries three contact addresses as mailto: links (redacted as [email protected] in this copy) and repeats one of them in the alt attribute of the embedded GIF:

  • href="mailto:[email protected]" (first address)
  • href="mailto:[email protected]" (second address)
  • href="mailto:[email protected]" (third address)
  • alt="[email protected]"

URLs

  • http://www.w3.org/TR/html4/strict.dtd

    This is the HTML 4.01 DTD referenced by the note's DOCTYPE, not attacker infrastructure. The note body also links https://localbitcoins.com/buy_bitcoins and http://www.coindesk.com/information/how-can-i-buy-bitcoins/ (payment guides) and loads an image from https://yoursmiles.org/bsmile/fun/b0222.gif; these are third-party sites, not operator C2.

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Renames multiple (8658) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Deletes itself 1 IoC
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 38 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTP

    Attempts to interact with connected storage/optical drives.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\220330-ky21bafbdq.exe
    "C:\Users\Admin\AppData\Local\Temp\220330-ky21bafbdq.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\220330-ky21bafbdq.exe > nul
      2⤵
      • Deletes itself
      PID:2588
      (The command line asks for system32\cmd.exe but the resolved image is SysWOW64\cmd.exe: the sample is a 32-bit process on x64 Windows, so WoW64 file-system redirection maps system32 to SysWOW64. Detections for this self-delete should match on the parent's image path in the del argument, not on the cmd.exe path.)
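
The self-delete above is a generic pattern: a `cmd.exe` child whose `del` argument is its own parent's executable. The following detection logic, added here as an example and not part of the report, runs over constructed Sysmon-style process-creation records. PIDs 2872 and 2588 and their command lines mirror the report's process tree; the parent PIDs, the benign `del` of a log file, and the `ping`-delayed variant (`ping ... > nul & del /f /q "..."`) that the check also catches are made up for the example. The comparison uses the parent record's image path, so the system32/SysWOW64 mismatch on the cmd.exe row does not matter.

```python
"""Flag cmd.exe children that delete their parent's executable (ransomware
self-delete). Added example with constructed events; not the report's own code."""
import re

# Constructed Sysmon-style process-creation records (not from the report).
EVENTS = [
    {"pid": 2872, "ppid": 1400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\220330-ky21bafbdq.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\220330-ky21bafbdq.exe"'},
    {"pid": 2588, "ppid": 2872,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\220330-ky21bafbdq.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\220330-ky21bafbdq.exe > nul'},
    {"pid": 3104, "ppid": 1400,  # benign: deletes something other than its parent
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del /q C:\Users\Admin\Downloads\old.log'},
    {"pid": 4120, "ppid": 4100,  # ping-delayed variant, parent not in our event set
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Admin\Downloads\dropper.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\Admin\Downloads\dropper.exe"'},
]

# Arguments of the first del/erase, up to a redirect, chain operator or end of line.
DEL_RE = re.compile(r"\b(?:del|erase)\b\s+(.*?)(?=\s*(?:>|&|\||$))", re.I)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def del_targets(cmdline: str) -> list:
    """Paths passed to del/erase, with switches (/f, /q, ...) and quotes removed."""
    m = DEL_RE.search(cmdline)
    if not m:
        return []
    return [t.strip('"') for t in TOKEN_RE.findall(m.group(1)) if not t.startswith("/")]


def self_delete_alerts(events: list) -> list:
    """Return one alert per cmd.exe event whose del target equals the parent's image.
    Uses the parent's own record when present so WoW64 path redirection on the
    cmd.exe row is irrelevant; falls back to the ParentImage field otherwise.
    Limitation: no 8.3 short-name or environment-variable expansion."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower().rsplit("\\", 1)[-1] != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"] if parent else e["parent_image"]
        for target in del_targets(e["cmdline"]):
            if target.lower() == parent_image.lower():
                alerts.append({"pid": e["pid"], "ppid": e["ppid"],
                               "deleted": parent_image, "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in self_delete_alerts(EVENTS):
        print(f"self-delete: pid {a['pid']} (parent {a['ppid']}) removed {a['deleted']}")
```

Self-deleting installers and updaters produce the same shape, so in production pair this with the parent's location (user-writable paths such as `%TEMP%` or `Downloads`) or with the other behaviours in this report (Run key, mass renames) before alerting.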

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini

    Filesize

    1KB

    MD5

    f0f4fee92e78cd41a4c42338a4260538

    SHA1

    dd5a0779befb1a52f5d00e62feac948cf03cbef0

    SHA256

    695f3146810ac93ad6e56edf580c796da68dbc3616baeeb9c626602e61faf994

    SHA512

    7d1e13481785fb803c71f747ad1f81d5e750e68cbdb466edb2e11e0e3eda0aa4d592bdc468226f77d95ed7ea6faa2726fcbbc2044906aeb0248fbe01023849ac

  • C:\Users\Public\Videos\Read Me!.hTa

    Filesize

    7KB

    MD5

    88dd5e7f82482f3a861b36a679413ccb

    SHA1

    0b7373932b08f52e003952a2c9a435d9453615ed

    SHA256

    6e6b56e337af32fd83d2042c6bf5483dd1a78b730755c81555ccd47e7640c52a

    SHA512

    c0ce30f6f58a348ab1280ff6fdeb454fcf88dd715ca8b1bdf196cff015f264636e2c878ea39d7175941c6e293f89a5a8f3e1993b4aebf589c87df08bf572b34d

  • memory/2872-0-0x0000000000400000-0x000000000040EC00-memory.dmp

    Filesize

    59KB

  • memory/2872-7406-0x0000000000400000-0x000000000040EC00-memory.dmp

    Filesize

    59KB