Analysis

  • max time kernel
    151s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    11-12-2021 01:22

General

  • Target

    d24c1c9f8c5abd584f6e120c9c2e4cca.exe

  • Size

    320KB

  • MD5

    d24c1c9f8c5abd584f6e120c9c2e4cca

  • SHA1

    77c65eff3bdbb9c3b42cc0fc3285577cd999167a

  • SHA256

    38df9f7ee6504ebae134f8f446caaa0cf9f7c2c258f51023bc7eddd68e5aad12

  • SHA512

    57370b7970c9bd4fa713f95a1799c8cdcb4857a4962357f1004a18b85ba8856af1273b0f9ef9aaffe54b7cb6cb8e71d60aebcd460caf789de5f9a3607e46eaea

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ���61 5A 3E 9B 33 62 11 C6 04 F2 E6 8F 01 ED AA 5A 13 D1 50 23 24 11 0B 31 10 48 D7 1C 05 FE E5 E4 26 49 17 59 8B 30 75 6C 49 53 22 5D 0D DD 80 DA D6 29 07 05 D0 A9 87 A9 35 E6 9D 9C F7 DA 7D 34 B3 63 4C D7 33 22 16 89 28 5E 8B 67 C3 B7 21 8D C2 EC 00 84 EB 5F 77 04 87 8D 02 9F 87 D0 36 14 FC 42 1D 1B AD 0C EC F5 D7 A2 A9 75 38 B5 C9 AB 5D BA 30 23 1F B7 56 D2 2E AC 13 99 65 9A F1 B2 66 37 06 85 3F D1 43 82 5A 68 44 86 B8 17 9D 72 60 6D 8F 5F E2 64 76 22 F0 B0 0F 62 CD 21 B0 E5 C9 47 7B 5C 82 27 E5 26 83 17 D9 72 F4 D5 79 54 D8 1D F9 79 11 11 EA 70 0A 2A AC 65 D7 75 C0 F2 54 D7 4E 0C AF 3C E5 17 E5 F4 1A 80 70 21 D1 AA 81 49 6E FC 31 88 97 54 B7 62 96 15 70 B9 18 3B 65 66 6F 30 EF 1E B4 65 C3 78 C5 B3 5D 06 7A 2B AA 96 17 FD AA 93 59 64 AE F6 0F B2 EE 9B D8 F1
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 36 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d24c1c9f8c5abd584f6e120c9c2e4cca.exe
    "C:\Users\Admin\AppData\Local\Temp\d24c1c9f8c5abd584f6e120c9c2e4cca.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
      2⤵
        PID:956
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
        2⤵
        • Modifies extensions of user files
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Drops file in Program Files directory
        • Suspicious behavior: RenamesItself
        PID:756

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/756-67-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/756-73-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/756-72-0x0000000076911000-0x0000000076913000-memory.dmp

      Filesize

      8KB

    • memory/756-70-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/756-69-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/756-68-0x0000000000400000-0x000000000040F000-memory.dmp

      Filesize

      60KB

    • memory/948-57-0x0000000000640000-0x000000000069E000-memory.dmp

      Filesize

      376KB

    • memory/948-62-0x0000000000310000-0x0000000000320000-memory.dmp

      Filesize

      64KB

    • memory/948-63-0x0000000000490000-0x000000000049C000-memory.dmp

      Filesize

      48KB

    • memory/948-65-0x00000000007C0000-0x00000000007EB000-memory.dmp

      Filesize

      172KB

    • memory/948-66-0x00000000005A0000-0x00000000005C3000-memory.dmp

      Filesize

      140KB

    • memory/948-61-0x0000000000310000-0x0000000000319000-memory.dmp

      Filesize

      36KB

    • memory/948-59-0x00000000007A0000-0x00000000007E9000-memory.dmp

      Filesize

      292KB

    • memory/948-58-0x0000000000310000-0x000000000031D000-memory.dmp

      Filesize

      52KB

    • memory/948-53-0x0000000000270000-0x0000000000271000-memory.dmp

      Filesize

      4KB

    • memory/948-56-0x00000000002D0000-0x0000000000306000-memory.dmp

      Filesize

      216KB

    • memory/948-55-0x0000000000240000-0x0000000000243000-memory.dmp

      Filesize

      12KB

    • memory/948-54-0x0000000002370000-0x0000000002371000-memory.dmp

      Filesize

      4KB