Analysis

  • max time kernel
    54s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2024 08:10

General

  • Target

    b1d5de9be399b181dc0e78fec870aac448548440e7529d8c5e1a95192733f2ed.exe

  • Size

    57KB

  • MD5

    c9787298b457ea192a92a3ad87241cc0

  • SHA1

    c29fb65ebe6134313cb744b3d0e288bfef93163e

  • SHA256

    b1d5de9be399b181dc0e78fec870aac448548440e7529d8c5e1a95192733f2ed

  • SHA512

    d88951466191ebe4b53981dbbb42889b3613a1574f51871b20191abe5867d1c647b19bddf1e4959ca42d2784a6c9f535e767a9938b8d6ecae08c61780b9e6f52

  • SSDEEP

    1536:ajkfV+KJolntwrbDSTWvTwhQMhmpdLWTQZP:a4fIKJolntGDT5qm3L4w

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>�������������C0 5D CA 64 B1 06 02 85 01 CD DE B7 A0 80 6F 11 BF 97 A0 7F FB DD BF DF E5 6E DF 9A 3F D0 17 47 37 E9 50 B4 2D E8 6D B6 15 22 8C DB E0 70 94 DC 53 39 42 18 1B 13 64 FA 56 84 51 C7 B9 2A 4A E1 01 70 A3 76 70 C0 D3 B3 37 1A BD FF 4A 35 0A BC 69 7B 9C 11 23 D9 77 91 F7 90 DB A1 8E EA 69 0A CC 1D 0F 85 10 D6 9E 50 DE 6A 94 28 B7 08 F6 9B 2B 00 BA 09 D5 D9 2E 7F 04 A9 B8 F9 65 63 60 6A 93 4F D6 1E 65 1A DF DC E3 67 D6 FB 20 03 63 05 20 45 38 23 D5 04 35 B2 F7 8D 57 18 08 74 42 53 BD 8D 7B E5 99 80 5E 71 2A 1E 2A 6F F4 05 4B 35 4C 93 0D 3A 9E 97 6F 13 69 B2 DD 80 5C 3D F8 B2 BD 22 45 24 A9 BE 6B 34 38 E6 E5 3A C9 3A 03 AD B1 55 1A BA 33 32 D4 67 BA BE 67 F5 44 38 5A 5D 85 63 6A A8 5C 6C 82 0C E9 2D DB 5A 51 FC D6 B2 06 F8 B2 1B 44 EC 15 39 C2 7A 3F 94 04 5D 3B 01 </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> <h3>To restore files you will need a decryptor!</h3> <center>To get the decryptor you should:</center></br> <center>Pay for decrypt your network 1.5 BTC ( this is price for all PC/Servers in your corporate NetWork ! )</center></br> <div align="left"> <strong>Buy BTC on one of these sites</strong> </div> <div align="left"> <ol> <li><strong>https://binance.com</strong></li> <li><strong>https://www.coinbase.com</strong></li> <li><strong>Any site you trust</strong></li> </ol> </div> <div align="left"> <h1><br> </h1> </div> <div align="left"> <center>&#10004; BTC Wallet for pay: 3DRt**********************EiKj (full wallet ask from support) !Attention! to payout wallet specifically for your company must begin with and finish with symbols indicated above, if you are offered any other wallet - know it's not us, but someone else! do not pay anything- you just lose money. </center></br> &#10004; Our contact: <center> </center></br> &#9998; ToxID: CA04B61C320C50D12A2C1B95B5062474B5C00B995B588D0B3781DC052CBF9A354CD10F96C84D <center> </center></br> &#9998; You can download TOXChat here : <a href=>https://tox.chat/download.html</a> <center> </center></br> The message must contain your Personal ID! it is at top of this document. <center> </center></br> <center>----------------------------------------------------------------------------- <center> Also, your corporate files and databases have been stolen from your network. In case of non-payment, we reserve the right to sell them to third parties or publish them in public resouses. <center> </center></br> HOW IT WORKS: <div align="left"> <li> In case of non-payment, we organize an auction on various sites in DarkNet and try to sell files leaked from your network to interested parties. <div align="left"> <li> Next, we use mail + any other contacts of your clients, and notify them of what happened, perhaps they will be interested so that information does not get into public domain and will be ready to buy out information separately. <div align="left"> <li> If there are no buyers willing to buy, we simply publish everything that we have in public resources. <center>----------------------------------------------------------------------------- </center></br> <center> Attention!</center></br> <ul> <center> If you need a decrypter or return information, please contact us directly, avoid communicating with helper-services, they often take money and do not send it to us, assuring customers that deal failed through no fault of theirs. At same time, leaving money to yourself, and client is informed that money were transferred to us. The guarantee of a successful deals is only a direct contact! If you decide to negotiate not own - we can request confirmation of the negotiator's authority directly from the company. Please do not ignore these requests - otherwise negotiations will reach an impasse and problem not will be resolved. Don't shy... It's just business for us and we are always ready for polite and mutually beneficial communication. <center> </center></br> <center> </center></br> <center> </center></br> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>�����������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Renames multiple (2271) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 28 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1d5de9be399b181dc0e78fec870aac448548440e7529d8c5e1a95192733f2ed.exe
    "C:\Users\Admin\AppData\Local\Temp\b1d5de9be399b181dc0e78fec870aac448548440e7529d8c5e1a95192733f2ed.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:1844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Videos\how_to_back_files.html

    Filesize

    6KB

    MD5

    b14fee046cde5c028c9a929ebe51e7bb

    SHA1

    71288ac1db1a044708a9cc48c7e7dc6e49d6bbb0

    SHA256

    e9a46ebce680496639bd5c5ca083c94fbe234198236993b170458dfdc71cf9d7

    SHA512

    628dbe12652b80af502c66d229223f5dc0d6fe0b5744aa31551af72524ecdaa0de172a029c5981b32afa4dacb1c5f22b58a43b56b3502e78024ec4103b35a32e

  • memory/1844-0-0x0000000000400000-0x000000000040F400-memory.dmp

    Filesize

    61KB

  • memory/1844-1586-0x0000000000400000-0x000000000040F400-memory.dmp

    Filesize

    61KB