Overview

overview

10

Static

static

2c72015e22...26.exe

windows7_x64

10

2c72015e22...26.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-12-2021 12:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c72015e22b53c215403979536bce826.exe

  • Size

    454KB

  • MD5

    2c72015e22b53c215403979536bce826

  • SHA1

    39eb8e3c2cef23d1c7a3f5c3133f40ecc98c1cf1

  • SHA256

    36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd

  • SHA512

    0d2e590b0c32de661ab94c0f7a0eccbbc2bac637120b0148e04b05a826ca5858e6d147e0011bd5094f260e5ff0d3dafbf9bc2c4df099adc3ac5c98d50b6df4b1

Score
10/10
globeimposterpersistenceransomware

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ���AD 41 C1 E9 73 A5 7D 4B EB 25 4D 53 FF 74 0F C1 E7 01 08 32 6C 80 91 D2 45 65 09 84 29 4A 4B 63 06 A4 9F 89 26 EA F0 75 43 E4 8A 69 7F 8C 9E 56 66 EA 4C 31 26 00 08 86 6D 32 9C 89 35 C9 04 08 28 46 65 C0 30 63 A7 88 B9 C9 9E 1E 86 89 57 E8 0A CF 80 55 40 1E F5 FD 93 23 B6 7D A4 FE B9 1C 84 73 A7 85 80 E9 21 E9 C0 01 E7 9C F6 E2 AA E3 A8 EF 7A 18 A2 14 EC B1 AE CF 7A CC 81 C4 04 6A CB 1D 66 54 41 FC AE 3F 4A 89 49 5D 4E 15 0F 17 DB 5A E6 6B 80 F6 2E 47 E7 9B 31 A7 99 11 48 60 B2 45 6C A8 3E DB BA 82 B5 23 66 4F F7 FB 9F 46 F2 9D 46 91 67 5D 76 5E 05 01 D0 90 5C 3C 33 69 7E 84 B1 95 E2 D3 63 76 C0 FA C6 A6 48 EC AB DB CD BC 0A 99 B7 8A 16 D1 CB 6C D6 BF CC C9 37 43 91 A0 8D 68 3E D4 DD 9D 9B CA 3A EB 41 04 53 84 EF 38 A3 4B 2C A7 6E 4D 76 0C F8 3E 1C 07 CD DD
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 36 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c72015e22b53c215403979536bce826.exe
    "C:\Users\Admin\AppData\Local\Temp\2c72015e22b53c215403979536bce826.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: RenamesItself
      PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/584-61-0x0000000000400000-0x000000000040F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/584-67-0x0000000000400000-0x000000000040F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/584-66-0x0000000076C61000-0x0000000076C63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/584-65-0x0000000000409F20-mapping.dmp
    Download
  • memory/584-64-0x0000000000400000-0x000000000040F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/584-63-0x0000000000400000-0x000000000040F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/584-62-0x0000000000400000-0x000000000040F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1684-57-0x0000000004E80000-0x0000000004E81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-60-0x0000000000270000-0x0000000000293000-memory.dmp
    Filesize

    140KB

    Download
  • memory/1684-59-0x0000000000270000-0x000000000027D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1684-58-0x0000000000CA0000-0x0000000000D20000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1684-54-0x00000000012B0000-0x00000000012B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1684-56-0x0000000000460000-0x0000000000498000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1684-55-0x0000000000200000-0x0000000000203000-memory.dmp
    Filesize

    12KB

    Download