Analysis

  • max time kernel
    156s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    28-02-2022 06:51

General

  • Target

    1114.exe

  • Size

    50KB

  • MD5

    fc9ca0a85e47088d25483dd47fba3244

  • SHA1

    fed2e7f2818daf55a463520ec21f337fc8679246

  • SHA256

    e8e6365ddaf5b0a40250eaab09bc61904ad5818c835ae2555c36ddc380c70ece

  • SHA512

    a4f8f0004cbcef618f5bad7ab26b83617f5107a176c68cbae6497e7acf4a36d7f690a1c9ab459d68d2d4b3153de2939857dee4ea8706d107294fcdfb67f2127c

Malware Config

Extracted

  • Path

    C:\read_me.txt

  • Family

    globeimposter

  • Ransom Note

    All your files are Encrypted!
    For data recovery needs decryptor.
    How to buy decryptor:
    ----------------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/ and install it.
    | 2. Open link in TOR browser - http://mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion/?ST4HYJUHGFV
    | 3. Create Ticket
    ----------------------------------------------------------------------------------------
    Note! This link is available via Tor Browser only.
    ------------------------------------------------------------
    or http://yip.su/2QstD5
    Your ID

  • URLs

    http://mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion/?ST4HYJUHGFV

    http://yip.su/2QstD5

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Modifies extensions of user files (3 IoCs)

    Ransomware generally changes the extension on encrypted files; a burst of renames that append the same new extension across user directories is the signal this signature keys on.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials. In a ransomware sample this signature usually fires because the encryptor walks the user profile and touches browser data files; check the file-access events before treating it as credential theft.

  • Adds Run key to start application (2 TTPs, 2 IoCs)

    Persistence via a Run registry key, so the sample is launched again at the next logon.

  • Drops desktop.ini file(s) (27 IoCs)
  • Drops file in Program Files directory (64 IoCs)
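The indicators in the Malware Config and Signatures sections can be checked mechanically. The following Python is an added example, not part of the sandbox report or of the GlobeImposter sample: it re-hashes a file against the report's four digests, pulls the onion and clearnet URLs plus the ticket token out of the extracted ransom note, and flags the mass extension change that the "Modifies extensions of user files" signature describes. The note text is copied from the report (minus the binary victim ID); the file listing, the appended extension `.locked_example` (the report does not state which extension this sample used), and all function names are constructed for illustration.

```python
"""Triage helpers for the GlobeImposter report above (added example, not report code)."""
import hashlib
import re
from collections import Counter
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Digests copied from the "General" section of the report.
REPORT_HASHES = {
    "md5": "fc9ca0a85e47088d25483dd47fba3244",
    "sha1": "fed2e7f2818daf55a463520ec21f337fc8679246",
    "sha256": "e8e6365ddaf5b0a40250eaab09bc61904ad5818c835ae2555c36ddc380c70ece",
    "sha512": "a4f8f0004cbcef618f5bad7ab26b83617f5107a176c68cbae6497e7acf4a36d7f690a1c9ab459d68d2d4b3153de2939857dee4ea8706d107294fcdfb67f2127c",
}

# Ransom note text copied from the report's Malware Config (victim ID omitted).
RANSOM_NOTE = (
    "All your files are Encrypted! For data recovery needs decryptor. "
    "How to buy decryptor: "
    "| 1. Download Tor browser - https://www.torproject.org/ and install it. "
    "| 2. Open link in TOR browser - "
    "http://mrv44idagzu47oktcipn6tlll6nzapi6pk3u7ehsucl4hpxon45dl4yd.onion/?ST4HYJUHGFV "
    "| 3. Create Ticket Note! This link is available via Tor Browser only. "
    "or http://yip.su/2QstD5 Your ID"
)

# Constructed file listing (not from the report). ".locked_example" is a placeholder extension.
SAMPLE_LISTING = [
    r"C:\Users\Admin\Documents\budget.xlsx.locked_example",
    r"C:\Users\Admin\Pictures\holiday.jpg.locked_example",
    r"C:\Users\Admin\Desktop\notes.txt.locked_example",
    r"C:\Users\Admin\Documents\report.docx",
    r"C:\read_me.txt",
    r"C:\Windows\System32\kernel32.dll",
]

# Stops at whitespace and at the "|" box-drawing characters used in the note.
URL_RE = re.compile(r"https?://[^\s|<>\"']+")

# Extensions a user file would normally carry before the ransomware appends its own.
USER_FILE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
                  ".jpg", ".jpeg", ".png", ".txt", ".zip", ".rtf"}


def hash_sample(data: bytes) -> dict:
    """Compute the same four digests the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> bool:
    """True only if every digest agrees with the report (catches a swapped or patched sample)."""
    return hash_sample(data) == REPORT_HASHES


def extract_note_indicators(note: str) -> dict:
    """Split the note's URLs into Tor and clearnet, and pull the bare-query ticket token."""
    urls = URL_RE.findall(note)
    onion = [u for u in urls if (urlsplit(u).hostname or "").endswith(".onion")]
    clearnet = [u for u in urls if u not in onion]
    # The portal link carries the victim/ticket token as a bare query string (no key=value).
    tokens = [urlsplit(u).query for u in onion if urlsplit(u).query]
    return {"urls": urls, "onion": onion, "clearnet": clearnet, "ticket_tokens": tokens}


def appended_extensions(paths) -> Counter:
    """Count extensions that were appended after a normal user-file extension."""
    counts = Counter()
    for p in paths:
        suffixes = [s.lower() for s in PureWindowsPath(p).suffixes]
        if len(suffixes) >= 2 and suffixes[-2] in USER_FILE_EXTS and suffixes[-1] not in USER_FILE_EXTS:
            counts[suffixes[-1]] += 1
    return counts


def mass_rename_indicator(paths, min_count: int = 3):
    """Return (extension, count) when one appended extension reaches min_count, else None."""
    counts = appended_extensions(paths)
    if not counts:
        return None
    ext, n = counts.most_common(1)[0]
    return (ext, n) if n >= min_count else None


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print("hashes match report:", matches_report(fh.read()))
    print(extract_note_indicators(RANSOM_NOTE))
    print(mass_rename_indicator(SAMPLE_LISTING))
```

Run it with the sample path as the first argument to confirm the file on disk is the one the report describes; comparing all four digests rather than just MD5 guards against a collided or truncated hash. The rename check uses a threshold of three because that is the count the report's signature fired on; on a real file listing, tune it to the volume of the user profile being inspected.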

Processes

  • C:\Users\Admin\AppData\Local\Temp\1114.exe
    "C:\Users\Admin\AppData\Local\Temp\1114.exe"
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:3952

Network

MITRE ATT&CK Enterprise v6
