Overview

overview

10

Static

static

8b6af2ac39...e3.exe

windows7_x64

10

8b6af2ac39...e3.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    187s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11-02-2022 06:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b6af2ac39a80dd70e0b7825e116802c9811129eb0a071c086e0440d6afef7e3.exe

  • Size

    53KB

  • MD5

    219c8cf5fce1e0c1fc606f10c685507c

  • SHA1

    e3ff139b04465febb88e3831eba90249c5ca22a9

  • SHA256

    8b6af2ac39a80dd70e0b7825e116802c9811129eb0a071c086e0440d6afef7e3

  • SHA512

    6802a1364da38f5dab8b803b5bbf27c1985b7d5f19e8f840f9215b13155df69962d6ade0ae9a0bf9fc89368bc84a7a9dcc12b771554e20bf3907af1988af6262

Score
10/10
globeimposterpersistenceransomware

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">����������84 E8 6D D2 B9 E1 31 3D 05 05 B5 58 61 90 0F A1 9A A6 E9 CF F6 53 1A DC 70 B7 D1 82 83 6C CB A3 63 BB 27 5A A8 8C C7 72 B5 64 FD 22 65 C7 D6 08 46 77 21 91 80 12 4C 6A AF BE 0F ED 10 45 BB 6B F8 06 13 CD FD 22 71 91 9D 75 FE 99 A1 EB AF 23 99 14 BA 37 3D AD 0B 53 A7 4F B6 85 79 D2 42 52 FA 5C F8 40 D5 03 38 5B EA 3A 23 A8 62 D4 53 2C DD E9 C3 FC 2B 33 B3 53 CD CB F8 88 CD 29 C2 69 F5 FB 74 33 8E 44 32 45 B7 1A 26 FA 1F 36 96 9C B9 6B B9 88 42 3A 96 C8 6A DE EE BF 60 1D 59 65 40 63 AF B9 E0 34 C7 D3 25 D8 0C DE C9 19 26 8B 84 6D 5D 09 F4 E6 11 92 2D 49 46 46 D1 05 12 A8 0D B8 58 2A 2D 55 F2 B3 49 CA 97 CC BC 9E 0D C4 E6 2C D2 F5 CC 88 67 3A FA 2D 98 F7 5D 81 B6 59 3D C1 96 43 CC AD DA D4 06 D1 4F 75 91 A1 35 49 FE 02 4C 24 83 94 8B 06 A2 3A DF 65 9C F3 BC 75 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br><a href="[email protected]">[email protected]</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> �������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 22 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b6af2ac39a80dd70e0b7825e116802c9811129eb0a071c086e0440d6afef7e3.exe
    "C:\Users\Admin\AppData\Local\Temp\8b6af2ac39a80dd70e0b7825e116802c9811129eb0a071c086e0440d6afef7e3.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:2448
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3112
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3048
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3048 -s 4708
      2⤵
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4132
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:3120
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    1⤵
      PID:1692
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 408 -p 3048 -ip 3048
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:3640
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4512
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4588
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4588 -s 3848
        2⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        PID:4884
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 536 -p 4588 -ip 4588
      1⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of WriteProcessMemory
      PID:4836

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3112-130-0x0000029B9B720000-0x0000029B9B730000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3112-131-0x0000029B9B780000-0x0000029B9B790000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3112-132-0x0000029B9DE30000-0x0000029B9DE34000-memory.dmp

      Filesize

      16KB

      Download

    • memory/3120-135-0x00000205CF2E0000-0x00000205CF2E4000-memory.dmp

      Filesize

      16KB

      Download