Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

185fafbeb0...30.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    185fafbeb00cd8238fdabee088763e27012dd3a0076e04dddca6266f129f0430.zip

  • Size

    679KB

  • Sample

    250223-xy7a9avlat

  • MD5

    5e828d028fcfc235a2db90ce8435d973

  • SHA1

    b13ccf31a495ff0b7e35602bb39c7e46a7d0fbfa

  • SHA256

    0235da1b6cbf432951f9e07b59e2364fd2255bf785e7b66588ee409525aa8b58

  • SHA512

    36d77f7021637e2a07c4e513461dcc4b10cade5d17d70f4892befde565f82fbb9185fc3cbeea3a66be0df97e6519f4ce0ff24daa03e6185b57b591774a154dc7

  • SSDEEP

    12288:OLcMDa1IlKZWBvDDp9NNtd9CXC0gXSUb16R7DHnZi6JNP43zwEna45aW8JL76Oeq:yvDPztdIyPXNJk7DHF6tTMW72qOL

Score
10/10
globeimposterdiscoveryransomware

Malware Config

Extracted

Path

C:\Users\Public\Pictures\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ���BE 3E 9C E5 AF F3 6B 2E 58 99 E6 3A 7C 6E A9 BF BC F0 6D 9D 14 B3 29 12 D5 12 90 B8 70 73 10 4E F5 6A 84 E1 17 BB 66 1F 9A A9 A8 DF F5 F9 A5 82 15 F8 A2 09 2F 5D B7 53 03 A7 0B CF 33 45 8A 0A F6 1F 22 EE 93 DC 40 FA 2E CE 70 D1 B5 46 8B ED 1B 47 E2 31 32 04 A9 7E C4 26 03 8E 2D 77 68 CE 66 0F A4 C8 DA 60 D5 9E 64 DB A0 CE 70 67 95 DF 51 FE 6E 57 EF BA F8 18 C9 52 62 7F FE 98 FD 25 15 6E D8 8E F0 12 3F 77 28 2D 05 07 D5 EE 0C 71 B6 6B 74 91 0C 92 59 8E E7 91 B1 8B 4E 56 0B CD EC 3C 1F 93 A1 F3 F6 D1 AF 4D 54 11 87 B7 78 D1 05 4F BE 2D 2A 48 81 81 7A AF 1F A6 5F CE CC A2 F7 4B D5 0B D0 EC AA 1E A2 F5 2F 0D 7B 8D B8 83 07 D7 12 73 55 EC D1 BC 0F D0 44 CB C9 1D 8B 32 14 D4 DB 94 DE 5D 4E F3 D7 CF D0 C6 87 45 28 8C 4C C4 B2 E2 13 91 18 AC 17 5F 3E 3A 00 D7 B6 28
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      185fafbeb00cd8238fdabee088763e27012dd3a0076e04dddca6266f129f0430.exe

    • Size

      884KB

    • MD5

      034580c52732e52a382f4d550c34f09c

    • SHA1

      bd4f5d3d0ca9d9d80f001666435f5d88006e75b8

    • SHA256

      185fafbeb00cd8238fdabee088763e27012dd3a0076e04dddca6266f129f0430

    • SHA512

      300f9215a323e87d808791381bfc6e56d5fdfd8c0dcf9ceb19474e30e67557951d501da4a7a6cfdd5992450dc17bdd37144f342ab5ec9f7ec0f449e703c79074

    • SSDEEP

      12288:xroyEyv4LcKJYtcYpnOFWxLNRG2t8ruYwvs8VydFw5fawhyoUMFWcBN8gqJ:xrLv4L3YCcLNkcTMFw5fyHo

    Score
    10/10
    globeimposterdiscoveryransomware

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

      ransomwareglobeimposter

    • Globeimposter family

      globeimposter

    • Renames multiple (7048) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks