General

  • Target

    185fafbeb00cd8238fdabee088763e27012dd3a0076e04dddca6266f129f0430.zip

  • Size

    679KB

  • Sample

    250223-x6abgswpx6

  • MD5

    5e828d028fcfc235a2db90ce8435d973

  • SHA1

    b13ccf31a495ff0b7e35602bb39c7e46a7d0fbfa

  • SHA256

    0235da1b6cbf432951f9e07b59e2364fd2255bf785e7b66588ee409525aa8b58

  • SHA512

    36d77f7021637e2a07c4e513461dcc4b10cade5d17d70f4892befde565f82fbb9185fc3cbeea3a66be0df97e6519f4ce0ff24daa03e6185b57b591774a154dc7

  • SSDEEP

    12288:OLcMDa1IlKZWBvDDp9NNtd9CXC0gXSUb16R7DHnZi6JNP43zwEna45aW8JL76Oeq:yvDPztdIyPXNJk7DHF6tTMW72qOL

Malware Config

Extracted

Path

C:\Users\Public\Videos\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID 08 1B 62 D6 E2 6F AE C6 6E 4B 85 94 70 5C 3B B1 39 83 8A 1A F4 11 50 56 CC 14 92 3B 7F D1 14 4F 35 BD 40 65 BF 3A C9 EE 9F EF 59 9E 35 89 84 EB 4E 5A D7 68 DC A1 C5 3C CD C1 FF FB 68 85 30 A7 9D C6 18 06 1F 00 D5 C5 E5 93 99 6A EA C5 91 9D 71 A1 63 A0 F4 9A 57 E1 F7 60 4A 4D BF F8 13 83 0C 15 F9 59 22 92 D3 55 4B 79 BC CB CA E4 94 74 BD 9C 7A A7 94 58 99 7D 66 1F AD 26 90 C0 51 C4 C7 8C 30 4D 2E F8 F6 96 0A A6 D0 45 55 B9 16 70 C5 44 C8 6F 14 B8 EC 0E 89 D0 40 34 D6 C6 76 CF 40 EC 05 32 B2 D8 7B DD 6A 2C 9D A8 3A 2A 6D E4 EC 82 4A 5E 88 5A 38 F1 C0 49 DF C1 09 8F 1B 03 86 ED EB 49 F7 8B E3 7A 7D 41 33 3E FE A3 57 C9 B6 B8 F8 C1 B4 EC EC 6C B8 CC E6 8B E5 9D 64 25 19 2E EF 19 C6 F0 C9 A7 73 65 24 26 67 98 30 03 F6 20 77 BF 9D 20 15 8C 58 5F 16 9B 03 6F D5 DF

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\Users\Public\Pictures\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID 23 9B 5F B7 A4 14 50 EE B8 6B C2 B7 F2 3D 60 76 B4 01 64 2A 40 F4 49 CE 54 FD 8E 64 BF BB 8A 57 67 02 C6 AB 2B 21 1C 93 CB 3B 4D 08 00 2C 09 E3 3A 01 BE 90 3C 10 FF AF 23 63 34 53 69 32 5F EF E1 E6 14 8C 4B 82 37 11 C1 1D DC 2A 35 A8 CE 7D 0D DE 77 55 76 50 AB 17 EC E2 BE AE A0 5F F9 E9 70 A9 25 0E 5F CC 5A 2E F9 BA 70 D4 D8 D2 15 0F 97 35 AA D8 7C 6D 53 CF 28 33 FC 9E F9 25 D9 94 5B 8E C5 88 65 EF AC 70 A7 D9 64 AC 05 78 D2 78 E0 06 36 C4 A2 22 5E BF 16 DB 2F 22 D9 F0 4D CD B0 23 E0 A3 92 7C 93 D7 03 F9 3B 2A 99 D6 A8 B3 90 B2 55 47 80 AD 38 39 62 2A CD AC 7C 88 9D 51 40 01 D2 DE 9A 94 91 D2 18 87 85 CF 84 AD 98 67 7F A8 55 59 9A 3B FA D8 72 4B F1 25 EF C2 A5 9D 03 DD 7E 1F 5C CB 07 59 7E 88 66 F9 29 53 FF E4 B8 52 EC AE C4 AE 35 67 3A DD F9 CC 47 CB 19 50

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      185fafbeb00cd8238fdabee088763e27012dd3a0076e04dddca6266f129f0430.exe

    • Size

      884KB

    • MD5

      034580c52732e52a382f4d550c34f09c

    • SHA1

      bd4f5d3d0ca9d9d80f001666435f5d88006e75b8

    • SHA256

      185fafbeb00cd8238fdabee088763e27012dd3a0076e04dddca6266f129f0430

    • SHA512

      300f9215a323e87d808791381bfc6e56d5fdfd8c0dcf9ceb19474e30e67557951d501da4a7a6cfdd5992450dc17bdd37144f342ab5ec9f7ec0f449e703c79074

    • SSDEEP

      12288:xroyEyv4LcKJYtcYpnOFWxLNRG2t8ruYwvs8VydFw5fawhyoUMFWcBN8gqJ:xrLv4L3YCcLNkcTMFw5fyHo

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Globeimposter family

    • Renames multiple (8657) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Suspicious use of SetThreadContext
