Overview

overview

10

Static

static

473c84be63...ca.exe

windows7_x64

10

473c84be63...ca.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    177s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11-02-2022 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    473c84be63ce9a6b112ff11480cd743dbfc945dadf9deb0fa513c0d98e0020ca.exe

  • Size

    50KB

  • MD5

    de449996d6ecc5803a04ed8cc823a25c

  • SHA1

    12d0e0ceb0b7cfbc47bdc85d5dc5fc6f552981c9

  • SHA256

    473c84be63ce9a6b112ff11480cd743dbfc945dadf9deb0fa513c0d98e0020ca

  • SHA512

    a4ea1bf400c7c7a88930f5b3d1049a450d2cc0d7626fed6c7b8f4fbaf1e4fcbb248b6740e217cffc358bfaadaa324d25819017636d065bab68c56fba186e055b

Score
10/10
globeimposterpersistenceransomware

Malware Config

Extracted

Path

C:\HOW_TO_BACK_FILES.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. DO NOT TRY TO DO SOMETHING WITH YOUR FILES BY YOURSELF YOU WILL BRAKE YOUR DATA !!! ONLY WE ARE CAN HELP YOU! CONTACT US: [email protected] [email protected] ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: ��������D4 B0 48 B6 C8 4D 35 7B F1 9A 7E 18 92 26 0A AA 14 DB 59 9F CD 7F 66 4C 60 69 65 B8 38 D6 81 E3 24 20 06 AA F6 5F C4 E4 4D 70 66 2F 17 2A 0C 89 8F 5A 0F 21 89 CC 26 D9 71 B0 3F 2D 91 EB FC 6F AE 7D 89 0D 08 25 C1 EE BB 76 A3 29 95 A4 5A 08 5F 8E 17 BC 56 50 E0 94 EF 36 DF 38 71 07 AB 8F C4 6D 8E 57 0F 8D 91 C3 F3 5B FC B0 35 C3 5D EA 83 1C 71 11 9D F9 38 42 91 A6 98 28 9D 1D 4B 33 54 53 DE 8A 8C 20 52 00 66 54 47 51 4F E5 04 8E 40 02 70 99 AF 67 A0 13 87 3D C8 ED A3 4F 00 68 9D 21 39 8A 35 74 C6 6C 72 DA 1F 50 0E AA DF F9 DF 17 B3 AF 7C 20 9A C3 F9 D7 FF F3 83 D0 06 1F 28 1C FC 84 64 88 05 10 F2 EF 7D A2 62 9D C8 EB B4 28 04 B7 38 E5 1E 47 C0 C3 9F F4 11 21 AE D3 40 C8 8B D0 D5 13 4E 3A 17 A4 03 32 80 90 34 82 96 0F 2D 34 E4 2E 9E 39 78 CB 96 FE EB DA 0D AB ������������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 21 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\473c84be63ce9a6b112ff11480cd743dbfc945dadf9deb0fa513c0d98e0020ca.exe
    "C:\Users\Admin\AppData\Local\Temp\473c84be63ce9a6b112ff11480cd743dbfc945dadf9deb0fa513c0d98e0020ca.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:4788
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3692
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4324
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2756
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:1168
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    1⤵
      PID:4900
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:684
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 452 -p 684 -ip 684
      1⤵
        PID:1888

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1168-143-0x0000022F7FE60000-0x0000022F7FE64000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3692-131-0x00000194DC390000-0x00000194DC3A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3692-132-0x00000194DCC70000-0x00000194DCC80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3692-133-0x00000194DF360000-0x00000194DF364000-memory.dmp

        Filesize

        16KB

        Download