Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2025-01-24...er.exe

windows7-x64

10

2025-01-24...er.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-01-24_1501a928d3559da3a5605425242b1fe3_globeimposter

  • Size

    55KB

  • Sample

    250124-dypxesxlcs

  • MD5

    1501a928d3559da3a5605425242b1fe3

  • SHA1

    f19ea38c2bffcc1d8e79936db6ca8c674e9abfa8

  • SHA256

    a5cbe78cc610852573a81dc3f028af6ceb22e0d425f9f1ada37fbba8a1bf9ecf

  • SHA512

    301a1a80e8278898c47095630605e4e752d148ab556601b08eaba686d471556f83936a306f82ed64c8c5a403d1f807f6cab1890719e939420f3e4186fc275092

  • SSDEEP

    1536:4kjkfV+KJolntwrbDSTWvTwhQMhmpdLte48:4k4fIKJolntGDT5qm3LEn

Score
10/10
globeimposterdiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Videos\HOW_TO_BACK_FILES.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>���������������44 44 09 CB BD DD 22 FB F9 B9 FA 46 66 1A FF A8 13 F6 F7 3B 05 3E 94 B2 27 61 0C 23 F4 66 ED 60 E3 0F 12 CC 5F A4 3C 73 1B EC 00 C0 41 F6 DB 76 D6 85 E2 54 42 F4 5F 04 59 D5 04 0D 17 6F D2 50 A1 FF 88 99 B5 21 CB 83 DB E8 D4 52 67 F4 32 08 91 58 BD F5 A9 3D CF 75 F4 BE 95 FC 8D 70 39 E7 C5 34 BD BA 8B A5 2B F1 C7 15 D1 01 E8 06 AA A1 4D 72 4E 71 3A 0C E6 6E 33 68 96 A0 8B 74 F6 F1 91 D9 13 2A 6E EC E6 17 E0 2E B6 00 E6 21 5B C2 1E B7 B8 9D 2B E8 04 13 A5 ED A4 9C D9 C8 0F 53 84 9D 3E 95 F5 40 83 F8 AF 29 40 21 3E 1F 7C 39 5C F9 03 6D 4C A2 9B 2A D3 68 05 6F 71 EB B9 D9 68 18 FE DB 76 67 99 8E 10 92 83 97 F3 55 2B D7 E2 8A D0 BB 2B E2 05 2C 6A 95 5F 30 00 24 8A AF 01 26 0E 5B 00 AC 2F F8 A2 1B F9 AF 12 33 C2 D0 7E 34 C2 FB 3E 11 B6 6C 97 37 F7 BF 38 AB BB FE </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your files are encrypted! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> <h3>To recover data you need decryptor.</br> To get the decryptor you should:</br> 1. Copy your personal ID. You can find it at the beginning of this page<br> 2. Contact support by email [email protected] or [email protected] and send your personal ID.</h3> In the first letter to us you can attach one encrypted file for free decrypt. We can decrypt one file in quality the evidence that we have the decoder.</br> <center>Attention!</center></br> <ul> <li>If files locked on multiple PC's of your company we will provide universal decryptor for all computers in your network. Please let us know if files encrypted on multiple PCs</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> �����������

Extracted

Path

C:\Users\Public\Videos\HOW_TO_BACK_FILES.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 15px; color: #000000; background: #4A83FD; } .tabs1 .identi { margin-left: 15px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top: 0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>���������������0B 76 EA DB 03 98 5E BE 0C 17 51 3F CE 29 E2 06 69 4F F3 BB AF B1 DC 35 E1 5C B4 BB B3 66 1D C5 8F C0 DC B8 FC DA 1B 8E FC 43 75 A9 FD 65 2A 9A 85 CC AC EE 88 58 0F 15 C2 11 78 3D C5 03 83 21 4D 7B 71 B8 EC 18 9E CE 95 DC C7 5D 27 5E D7 8E 7E 05 59 17 63 77 59 EC A6 C4 CE EB 69 52 FE D5 93 72 B0 DC 96 6F EF FB FA 57 DC 6C F0 AA 9E 55 D0 19 E8 18 50 53 15 C6 61 6D 89 E7 E0 00 82 72 5E FE A4 4B D4 EC 4F 8B C7 28 86 06 E9 0C 75 A8 93 17 CA DF 4F 79 1D 12 B2 BC E9 05 D1 D0 55 11 12 F4 5D 0E FC EF EB E6 FE BD FE 2D 4E 50 4F 23 2A 6E 93 42 0B 0E 20 CD 39 32 24 D7 BF 20 16 98 EC 6A A4 DA 48 8E 97 97 4D 38 9E 6F AA 0D 37 BF 26 8E 45 93 E9 32 08 C2 2C 27 7E 2E 9B 3E 97 65 C7 91 72 9E 24 D4 D6 D0 66 8E 0D D4 6E 5A 82 1B 65 6B 71 80 EE 67 37 35 E7 0A 63 94 6D 08 4E F7 </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9760; Your files are encrypted! &#9760;</h1> <hr/> <h3>All your important data has been encrypted.</h3> <br/> <div class="text"> <!--text data --> <h3>To recover data you need decryptor.</br> To get the decryptor you should:</br> 1. Copy your personal ID. You can find it at the beginning of this page<br> 2. Contact support by email [email protected] or [email protected] and send your personal ID.</h3> In the first letter to us you can attach one encrypted file for free decrypt. We can decrypt one file in quality the evidence that we have the decoder.</br> <center>Attention!</center></br> <ul> <li>If files locked on multiple PC's of your company we will provide universal decryptor for all computers in your network. Please let us know if files encrypted on multiple PCs</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> �����������

Targets

    • Target

      2025-01-24_1501a928d3559da3a5605425242b1fe3_globeimposter

    • Size

      55KB

    • MD5

      1501a928d3559da3a5605425242b1fe3

    • SHA1

      f19ea38c2bffcc1d8e79936db6ca8c674e9abfa8

    • SHA256

      a5cbe78cc610852573a81dc3f028af6ceb22e0d425f9f1ada37fbba8a1bf9ecf

    • SHA512

      301a1a80e8278898c47095630605e4e752d148ab556601b08eaba686d471556f83936a306f82ed64c8c5a403d1f807f6cab1890719e939420f3e4186fc275092

    • SSDEEP

      1536:4kjkfV+KJolntwrbDSTWvTwhQMhmpdLte48:4k4fIKJolntGDT5qm3LEn

    Score
    10/10
    globeimposterpersistenceransomwarespywarestealerdiscovery

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

      ransomwareglobeimposter

    • Globeimposter family

      globeimposter

    • Renames multiple (7547) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks