Overview

overview

10

Static

static

2f121145ea...0a.exe

windows7_x64

10

2f121145ea...0a.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    06-01-2022 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f121145ea11b36f9ade0cb8f319e40a.exe

  • Size

    360KB

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Score
10/10
globeimposterransomwarespywarestealer

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ���37 1C 0E 7A 73 9E A2 7C 64 9B B5 DC DA 25 37 08 A8 37 79 00 D8 10 42 49 15 A8 59 89 B3 D3 A0 BA EB 89 88 F3 48 67 F4 9D 6D E1 F7 CF 30 35 C0 95 C4 31 F9 D1 36 73 F9 62 EB 6B 30 F2 53 01 EC 33 24 A1 C2 E9 BF E8 6F A3 EF EE F3 3C 98 0F AC F0 96 F2 D4 49 54 9C 9A 1B 6E FE B7 5C EB F5 BD D3 5F 03 C7 5A 48 95 18 32 54 8D 44 18 03 A9 29 F0 25 F8 A9 5D A6 C6 F5 8C CA 0F 1B A4 82 4D 0F B5 A4 A3 59 06 95 79 AA 12 03 A5 6E 09 1E 0A 0A 0A DF BE 87 8A 87 8F F0 05 70 15 83 6B 43 87 FF 95 E3 AA 74 F1 A6 55 AA 95 99 53 CE 71 4F 14 75 D1 85 1A FF 8B F7 21 65 58 3C 28 58 4F 86 46 DF 3F C5 A3 99 CC 9C FB B6 DD 5B BA 20 93 59 6A 0D C4 44 BA FF 82 6C 33 FB 38 22 D1 3E 93 E6 90 BB AF 33 42 07 19 08 E7 12 3D 5E 48 AE 34 F2 EE 10 A8 E8 FA 45 AA 5A 0B 9A 66 8C 2F 88 F2 DD 20 F9 2A
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 26 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f121145ea11b36f9ade0cb8f319e40a.exe
    "C:\Users\Admin\AppData\Local\Temp\2f121145ea11b36f9ade0cb8f319e40a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10F4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3692
    • C:\Users\Admin\AppData\Local\Temp\2f121145ea11b36f9ade0cb8f319e40a.exe
      "{path}"
      2⤵
      • Modifies extensions of user files
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      PID:2812

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2444-119-0x0000000004C10000-0x0000000004CA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2444-124-0x0000000006880000-0x00000000068E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2444-115-0x0000000000120000-0x0000000000180000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2444-120-0x0000000004B70000-0x0000000004B7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2444-121-0x0000000004D90000-0x0000000004DE6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2444-122-0x0000000004B70000-0x000000000506E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2444-123-0x0000000008080000-0x000000000808A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2444-118-0x0000000005070000-0x000000000556E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2444-125-0x0000000006940000-0x0000000006952000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2444-116-0x0000000000120000-0x0000000000180000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2444-117-0x0000000004AD0000-0x0000000004B6C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2812-128-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2812-130-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download