Analysis
-
max time kernel
188s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
11-02-2022 06:29
Static task
static1
Behavioral task
behavioral1
Sample
d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe
Resource
win10v2004-en-20220113
General
-
Target
d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe
-
Size
55KB
-
MD5
23b44cb7a0d570fa54e4dcf7788a72bd
-
SHA1
fb6a014753ab7315d17bbfcc724df65fdffd3b0f
-
SHA256
d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519
-
SHA512
535ec0818f0c43845cdf43f8d7c01267d918ce98d0677c625b4508b275a7ffcc13275cb1e8713a34aa14142c31e1a283df2ea62484573c8c120975f5e3204f0a
Malware Config
Extracted
C:\how_to_back_files.html
http://bitmsg.me
https://www.buybitcoinworldwide.com/united-states/
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\BlockRedo.raw => C:\Users\Admin\Pictures\BlockRedo.raw.crypt d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File renamed C:\Users\Admin\Pictures\ClearSuspend.tif => C:\Users\Admin\Pictures\ClearSuspend.tif.crypt d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File renamed C:\Users\Admin\Pictures\DenyConnect.tif => C:\Users\Admin\Pictures\DenyConnect.tif.crypt d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe" d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe -
Drops desktop.ini file(s) 13 IoCs
description ioc Process File opened for modification C:\Users\Public\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Public\Downloads\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Public\Documents\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Public\Desktop\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Admin\Searches\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Public\Videos\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Public\Pictures\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Public\Music\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Public\Libraries\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Admin\Videos\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeShutdownPrivilege 4376 svchost.exe Token: SeCreatePagefilePrivilege 4376 svchost.exe Token: SeShutdownPrivilege 4376 svchost.exe Token: SeCreatePagefilePrivilege 4376 svchost.exe Token: SeShutdownPrivilege 4376 svchost.exe Token: SeCreatePagefilePrivilege 4376 svchost.exe Token: SeSecurityPrivilege 1360 TiWorker.exe Token: SeRestorePrivilege 1360 TiWorker.exe Token: SeBackupPrivilege 1360 TiWorker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe"C:\Users\Admin\AppData\Local\Temp\d76e5c1a96fb92f491ec9ca06be45623d43567903dc2f0f75e74b092280d1519.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
PID:4308
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1360