Analysis
-
max time kernel
151s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11-12-2021 01:22
General
-
Target
d24c1c9f8c5abd584f6e120c9c2e4cca.exe
-
Size
320KB
-
MD5
d24c1c9f8c5abd584f6e120c9c2e4cca
-
SHA1
77c65eff3bdbb9c3b42cc0fc3285577cd999167a
-
SHA256
38df9f7ee6504ebae134f8f446caaa0cf9f7c2c258f51023bc7eddd68e5aad12
-
SHA512
57370b7970c9bd4fa713f95a1799c8cdcb4857a4962357f1004a18b85ba8856af1273b0f9ef9aaffe54b7cb6cb8e71d60aebcd460caf789de5f9a3607e46eaea
Score
10/10
Malware Config
Extracted
Path
C:\read-me.txt
Family
globeimposter
Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or
http://helpqvrg3cc5mvb3.onion/
Your ID
���61 5A 3E 9B 33 62 11 C6 04 F2 E6 8F 01 ED AA 5A
13 D1 50 23 24 11 0B 31 10 48 D7 1C 05 FE E5 E4
26 49 17 59 8B 30 75 6C 49 53 22 5D 0D DD 80 DA
D6 29 07 05 D0 A9 87 A9 35 E6 9D 9C F7 DA 7D 34
B3 63 4C D7 33 22 16 89 28 5E 8B 67 C3 B7 21 8D
C2 EC 00 84 EB 5F 77 04 87 8D 02 9F 87 D0 36 14
FC 42 1D 1B AD 0C EC F5 D7 A2 A9 75 38 B5 C9 AB
5D BA 30 23 1F B7 56 D2 2E AC 13 99 65 9A F1 B2
66 37 06 85 3F D1 43 82 5A 68 44 86 B8 17 9D 72
60 6D 8F 5F E2 64 76 22 F0 B0 0F 62 CD 21 B0 E5
C9 47 7B 5C 82 27 E5 26 83 17 D9 72 F4 D5 79 54
D8 1D F9 79 11 11 EA 70 0A 2A AC 65 D7 75 C0 F2
54 D7 4E 0C AF 3C E5 17 E5 F4 1A 80 70 21 D1 AA
81 49 6E FC 31 88 97 54 B7 62 96 15 70 B9 18 3B
65 66 6F 30 EF 1E B4 65 C3 78 C5 B3 5D 06 7A 2B
AA 96 17 FD AA 93 59 64 AE F6 0F B2 EE 9B D8 F1
URLs
http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
http://helpqvrg3cc5mvb3.onion/
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 36 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d24c1c9f8c5abd584f6e120c9c2e4cca.exe"C:\Users\Admin\AppData\Local\Temp\d24c1c9f8c5abd584f6e120c9c2e4cca.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"2⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/756-67-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/756-73-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/756-72-0x0000000076911000-0x0000000076913000-memory.dmpFilesize
8KB
-
memory/756-71-0x0000000000409F20-mapping.dmp
-
memory/756-70-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/756-69-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/756-68-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/948-57-0x0000000000640000-0x000000000069E000-memory.dmpFilesize
376KB
-
memory/948-62-0x0000000000310000-0x0000000000320000-memory.dmpFilesize
64KB
-
memory/948-63-0x0000000000490000-0x000000000049C000-memory.dmpFilesize
48KB
-
memory/948-65-0x00000000007C0000-0x00000000007EB000-memory.dmpFilesize
172KB
-
memory/948-66-0x00000000005A0000-0x00000000005C3000-memory.dmpFilesize
140KB
-
memory/948-61-0x0000000000310000-0x0000000000319000-memory.dmpFilesize
36KB
-
memory/948-59-0x00000000007A0000-0x00000000007E9000-memory.dmpFilesize
292KB
-
memory/948-58-0x0000000000310000-0x000000000031D000-memory.dmpFilesize
52KB
-
memory/948-53-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/948-56-0x00000000002D0000-0x0000000000306000-memory.dmpFilesize
216KB
-
memory/948-55-0x0000000000240000-0x0000000000243000-memory.dmpFilesize
12KB
-
memory/948-54-0x0000000002370000-0x0000000002371000-memory.dmpFilesize
4KB