Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    06-01-2022 11:42

General

  • Target

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486.exe

  • Size

    360KB

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 27 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486.exe
    "C:\Users\Admin\AppData\Local\Temp\59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7AC9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1184
    • C:\Users\Admin\AppData\Local\Temp\59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486.exe
      "{path}"
      2⤵
      PID:1548
    • C:\Users\Admin\AppData\Local\Temp\59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486.exe
      "{path}"
      2⤵
      • Modifies extensions of user files
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      PID:1800

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1296-119-0x0000000005620000-0x00000000056B2000-memory.dmp (Filesize: 584KB)
  • memory/1296-125-0x000000000B7A0000-0x000000000B7B2000-memory.dmp (Filesize: 72KB)
  • memory/1296-120-0x0000000005580000-0x0000000005A7E000-memory.dmp (Filesize: 5.0MB)
  • memory/1296-121-0x00000000054C0000-0x00000000054CA000-memory.dmp (Filesize: 40KB)
  • memory/1296-122-0x00000000056C0000-0x0000000005716000-memory.dmp (Filesize: 344KB)
  • memory/1296-123-0x0000000008B80000-0x0000000008B8A000-memory.dmp (Filesize: 40KB)
  • memory/1296-124-0x0000000008FC0000-0x0000000009026000-memory.dmp (Filesize: 408KB)
  • memory/1296-115-0x0000000000B20000-0x0000000000B80000-memory.dmp (Filesize: 384KB)
  • memory/1296-118-0x0000000005A80000-0x0000000005F7E000-memory.dmp (Filesize: 5.0MB)
  • memory/1296-117-0x00000000054E0000-0x000000000557C000-memory.dmp (Filesize: 624KB)
  • memory/1296-116-0x0000000000B20000-0x0000000000B80000-memory.dmp (Filesize: 384KB)
  • memory/1800-130-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
  • memory/1800-128-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)