Overview

overview

10

Static

static

3

2024-06-12...er.exe

windows7-x64

10

2024-06-12...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-06-2024 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-12_5dac31f7671442a49295cbf7cafc7c0e_globeimposter.exe

  • Size

    55KB

  • MD5

    5dac31f7671442a49295cbf7cafc7c0e

  • SHA1

    a46d5bdd7104ec2d971a163ba94ade6021896083

  • SHA256

    70104208036d4ad6a857eb0554b6fd84e01b732ea84accc52d18579a5464b91e

  • SHA512

    888f1a01e3684cc22b4ac714806cc61f9a8ade583071ade8ddceece8ac87891629cf2ec74496114d7934a075dea20163828961249c0919f514f5af415c14c6bf

  • SSDEEP

    1536:EJi+8UluOXSC5liawrEDKyzirwQu8PfPYgI+:O18OuOXSC5liaFDu0uDI+

Score
10/10
persistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #FFFFF0; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; outline: 8px solid #303030; border: 8px solid #303030; color: #FF0000; background: #FFF0F5; } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; outline: 8px solid #303030; border: 8px solid #303030; background: #FFF0F5; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; outline: 8px solid #303030; border: 8px solid #303030; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #FFF0F5; color: #303030; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3><strong>Your personal ID</strong></h3></div> <div class="identi"> <pre><p style="color:#303030"><strong> �������8C 3A 59 8B 58 0D B5 07 72 F4 D4 52 ED 7F 0B E5 29 25 01 A7 28 98 F6 10 66 84 30 FB 64 DA 91 50 0D C5 89 85 0F 6A 56 83 01 32 ED 9D EF 6B B0 F4 7E 0A 8D 13 82 47 4F 32 8E 73 F2 30 BC C2 B9 A1 97 D1 8A 9A CF 2C D2 11 39 61 40 B0 21 4A F6 E7 BF 0E B0 7E 0D 5B 6D A1 DE 05 64 DE 82 77 75 CE 79 B6 08 E7 D9 4F ED B8 1D D5 2E 00 51 7D ED 36 9F CF 54 71 CC 2D 05 7C 60 8C CF 2E F2 1E 47 7C 30 56 D7 BB 5E 5B 7B AA 0B 56 F0 08 8B 26 82 F9 FB 96 89 60 03 D5 30 1A 14 CC 69 67 2A C0 4B 3F 24 AF E0 B8 04 B3 42 72 1C EC 78 E9 A7 7F 80 A9 74 9A 0E F9 AC D2 0A 66 FA B0 86 38 AE E9 57 4F B0 21 26 A0 CF 99 CE 3C 0D 25 14 DB 43 EA AB 0E DA 77 90 49 13 16 F5 4F 7D CC 3A 27 84 49 F3 02 4C DE 24 4F 82 08 6F 23 AE A3 E5 F1 05 2B 82 69 69 4E 1C D4 FB 95 E2 E4 86 7F 3C AD E5 0B 20 5C </strong></p> </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <strong> <h1> <strong> Your files are encrypted! </h1> <hr color="303030" noshade size="8"> <h3><strong> &#11015 To decrypt, follow the instructions below. &#11015 </strong> </h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 crypted test image or text file or document to <span> [email protected]</span></br> (Or alternate mail [email protected])<p> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <hr color="Red" noshade size="8"> <center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center> <center><p style="color:#0000FF"> Do not contact other services that promise to decrypt your files, this is fraud on their part! When you contact them, they will write to [email protected] , and buy the decoder from us, but they will increase the cost of decryption for their services!</p></center> <hr color="Red" noshade size="8"> </strong> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

Signatures

  • Renames multiple (9057) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 30 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_5dac31f7671442a49295cbf7cafc7c0e_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_5dac31f7671442a49295cbf7cafc7c0e_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-06-12_5dac31f7671442a49295cbf7cafc7c0e_globeimposter.exe > nul
      2⤵
        PID:2412

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2080292272-204036150-2159171770-1000\desktop.ini
      Filesize

      1KB

      MD5

      fab71d13dd084a8218772aa822f237cf

      SHA1

      27a06e5c769466ad7c44c458b18213bcdabeccfa

      SHA256

      0634b08b3fd3f0bf0f6252c0bd722e2f9b2f994d571f4dd4daf38961b9b6ba7d

      SHA512

      a91da2d990c153adce86c27e4264e0c1b4a35c1395a69aa3a57bbbe55e9f21605a9170b35a7d6dd45b7f633028d5b13e076c153a698bcbb0e54ff014f19e3448

      Download Submit

    • C:\Users\Public\Videos\how_to_back_files.html
      Filesize

      5KB

      MD5

      dda834441ef12709551f24a61172f1c6

      SHA1

      0eb8fe8c40d935bc171a1c84169449ea3a1c75be

      SHA256

      88f5041558c544318ab051a09e2633747f534850847d91e32e88dfdb564a3db5

      SHA512

      b21694f2c14a8a6e60d44eb627f727c4d8050c11e1669c58cbfcd603571736957d2a3b74acc618525bb896c2e2e2eced20aafa10c5ba778b7ba123e92c115817

      Download Submit