Overview

overview

10

Static

static

2f121145ea...0a.exe

windows7_x64

10

2f121145ea...0a.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-01-2022 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f121145ea11b36f9ade0cb8f319e40a.exe

  • Size

    360KB

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Score
10/10
globeimposterpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ���BC 55 E2 0E FE 38 EC A6 D4 A4 BC 58 2A D7 CB E1 A5 FA EA 7F 0C 44 27 2E AD DC 1A F3 08 A4 F6 AE FD 61 A0 4A 8C 19 76 53 FA 1C 70 BB 51 4D 64 75 28 2F 5F CE 84 6A D4 09 24 18 03 00 2D 1E 01 5F 9F 61 10 7B 98 15 D1 63 67 13 51 FD E3 85 E3 33 1D A0 93 94 FC 09 EE E1 98 B3 82 7D BE CA EA 6B 05 56 42 63 C6 FA 48 7A 9A 03 E4 35 67 5D 39 C9 3C 2C 6C BE FB 37 E2 AA 29 8C 56 3D 9B 3C F0 43 B7 5E 0A 6D 8C BB 1F 67 CC CF AC 35 30 7A 9C FE 12 41 A0 9E 57 E0 0B D0 C7 0B 58 14 3C A2 3F D3 94 B1 30 33 C0 34 15 CD 4F AC A2 39 90 19 97 36 A7 D8 8C 92 78 BE 4A E8 D2 9C 19 A1 8F 3D EA 23 D9 D6 B5 A5 8B 60 FF 70 72 A5 E1 32 1B 55 72 B3 86 1A 91 F7 DF C9 80 56 8B 7B DE C6 90 A8 6E 5A 1D 6E 28 96 C5 04 DA 85 2A 97 58 B7 42 FD E7 3B 4E A6 17 9F CE AF 3B 7D 87 B2 E3 01 44 6E 42 28
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 29 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f121145ea11b36f9ade0cb8f319e40a.exe
    "C:\Users\Admin\AppData\Local\Temp\2f121145ea11b36f9ade0cb8f319e40a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3006.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:852
    • C:\Users\Admin\AppData\Local\Temp\2f121145ea11b36f9ade0cb8f319e40a.exe
      "{path}"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      PID:1760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/792-60-0x0000000000B50000-0x0000000000B62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/792-57-0x0000000000B10000-0x0000000000B11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/792-58-0x0000000000460000-0x000000000046A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/792-59-0x0000000004A50000-0x0000000004AB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/792-54-0x0000000001110000-0x0000000001170000-memory.dmp

    Filesize

    384KB

    Download

  • memory/792-56-0x0000000075D11000-0x0000000075D13000-memory.dmp

    Filesize

    8KB

    Download

  • memory/792-55-0x0000000001110000-0x0000000001170000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1760-63-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1760-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1760-65-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1760-68-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download