Analysis

  • max time kernel
    179s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11-02-2022 07:02

General

  • Target

    3a85022db4d1b6e43bbfcb4048ef5b9038eb6a09ce8870516539825a88aa27f9.exe

  • Size

    51KB

  • MD5

    8c9419abb792b2a6d5220533fb221218

  • SHA1

    34cf072cec588286ce5e13baf350239ead5ace8e

  • SHA256

    3a85022db4d1b6e43bbfcb4048ef5b9038eb6a09ce8870516539825a88aa27f9

  • SHA512

    3c44fcf8c91f7ef4059e3caebb31d309dec7bb3d8556079f495ccf308cb3f9e588aa1c8f8c705ce92cdf87a2bbc71ab256634950dcbba49474e2a6942e3a9a00

Malware Config

Extracted

Path

C:\READ THIS.TXT

Ransom Note
Your personal ID : 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o data from your computer has been stolen or deleted.
* Follow the instructions to restore the files.
* How to get the automatic decryptor:
1) Contact us by e-mail: [email protected] . In the letter, indicate your personal identifier (look at the beginning of this document) and the external ip-address of the computer on which the encrypted files are located.
2) After answering your request, our operator will give you further instructions that will show what to do next (the answer you will receive as soon as possible)
** Send a copy of the letter to Second email address : [email protected]
* Free decryption as guarantee! Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 5 Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
ATTENTION !!!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
* If you do not receive a reply within 6 hours, create an account on Gmail.com and try again. or just check your email spam.

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 23 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a85022db4d1b6e43bbfcb4048ef5b9038eb6a09ce8870516539825a88aa27f9.exe
    "C:\Users\Admin\AppData\Local\Temp\3a85022db4d1b6e43bbfcb4048ef5b9038eb6a09ce8870516539825a88aa27f9.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:480
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4964
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3280
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:3024
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    1⤵
    PID:1380
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1744
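The behaviours the report flags for the sample process (execution from the user's Temp directory, a Run key added for persistence, a fixed set of file hashes) are the things a responder checks first on a suspect host. The helpers below are an added example, not part of the sandbox output or of the sample: they assume the Run-key entries have already been exported from the host as (value name, command line) pairs (for instance from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), the sample export embedded in the code is constructed and its value names are hypothetical, and the only facts taken from the report are the three hashes, the ransom-note path and the Temp path the sample ran from. The report gives the count of Run keys (2 IoCs) but not their values, so no specific key name is encoded.

```python
"""Host-side triage helpers for the behaviours listed in this report.

Added example, not part of the sandbox report. Assumptions: Run-key entries
are supplied as (value name, command line) pairs exported from the host; the
sample export below is constructed and its value names are hypothetical.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# File hashes exactly as reported in the General section.
REPORTED = {
    "md5": "8c9419abb792b2a6d5220533fb221218",
    "sha1": "34cf072cec588286ce5e13baf350239ead5ace8e",
    "sha256": "3a85022db4d1b6e43bbfcb4048ef5b9038eb6a09ce8870516539825a88aa27f9",
}

# Ransom-note location extracted by the sandbox (Malware Config section).
RANSOM_NOTE = PureWindowsPath(r"C:\READ THIS.TXT")

# Locations an unprivileged user can write to. A Run entry launching from one
# of these matches what the report shows: the sample ran from
# %LOCALAPPDATA%\Temp and then added a Run key.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local\\Temp|Roaming)|Downloads|Public|ProgramData)\\",
    re.IGNORECASE,
)

# Binary names that should only ever live under C:\Windows.
SYSTEM_BINARY_NAMES = {"svchost", "explorer", "csrss", "lsass", "winlogon"}


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of an in-memory buffer, as lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORTED}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same digests for a file on disk, read in chunks so large files are fine."""
    hashers = {algo: hashlib.new(algo) for algo in REPORTED}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def matches_reported_sample(digests: dict) -> bool:
    """True only if all three digests agree with the report."""
    return all(digests.get(algo, "").lower() == value for algo, value in REPORTED.items())


def command_image(command: str) -> str:
    """Extract the executable path from a Run-key command line.

    Quoted form:  "C:\\Program Files\\x\\y.exe" /arg
    Bare form:     C:\\Program Files\\x\\y.exe /arg   (spaces in the path are legal,
                   so splitting on the first space would be wrong)
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def flag_run_entries(entries) -> list:
    """Return (value name, image path, reason) for every Run entry worth a look."""
    findings = []
    for name, command in entries:
        image = command_image(command)
        reasons = []
        if USER_WRITABLE.search(image):
            reasons.append("launches from a user-writable directory")
        stem = PureWindowsPath(image).stem.lower()
        if stem in SYSTEM_BINARY_NAMES and "\\windows\\" not in image.lower():
            reasons.append("system binary name outside C:\\Windows")
        if reasons:
            findings.append((name, image, "; ".join(reasons)))
    return findings


# Constructed sample export; value names are hypothetical. The second command
# line is the path the Processes section shows the sample running from.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("WindowsUpdate", r"C:\Users\Admin\AppData\Local\Temp\3a85022db4d1b6e43bbfcb4048ef5b9038eb6a09ce8870516539825a88aa27f9.exe"),
    ("Host Process", r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
]

if __name__ == "__main__":
    for name, image, why in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[!] {name}: {image} ({why})")
```

On a live host, feed `flag_run_entries` the HKCU and HKLM Run/RunOnce values and pass each flagged image through `hash_file` and `matches_reported_sample`; a hash match ties the persistence entry to this exact sample, while the path heuristics still catch a rebuilt binary with different hashes.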

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/3024-142-0x00000167A1420000-0x00000167A1424000-memory.dmp

    Filesize

    16KB

  • memory/4964-130-0x000001BCBC390000-0x000001BCBC3A0000-memory.dmp

    Filesize

    64KB

  • memory/4964-131-0x000001BCBC920000-0x000001BCBC930000-memory.dmp

    Filesize

    64KB

  • memory/4964-132-0x000001BCBF010000-0x000001BCBF014000-memory.dmp

    Filesize

    16KB