Resubmissions

  • 18-08-2022 13:44  220818-q18hrsaca7  10
  • 30-03-2022 09:01  220330-ky21bafbdq  10

Analysis

  • max time kernel: 4294210s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20220311-en
  • submitted: 30-03-2022 09:01

General

  • Target: bomani2.exe
  • Size: 56KB
  • MD5: cadf573e4ca120639a1e5484e985938d
  • SHA1: ff0d09efbb1495982073291351a81de59e2c3c0d
  • SHA256: 7375b2047d519fffcbe1191522efbf73dcda6073a4fc9b77f01f009c437a2fe8
  • SHA512: a8496afe762828b23f3568c49954a7c84c2390e0b2d2bb54c141fa9af2db390fd1f0a7582a006ed2b315fd074e4a2268bfdc52a1923f1a28e706000db92015ef

Malware Config

Extracted

Path: C:\Users\Public\Desktop\Read Me!.hTa

Ransom Note

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mails: lord_bomani@keemail.me and jbomani@protonmail.com and Bomani@Email.Com (for the fastest possible response, write to all 3 mails at once!)

Write this ID in the title of your message: [ID omitted]

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

We also upload a huge amount of your personal data, including confidential information, financial information, customer personal information, passwords, and so on. Everything that we downloaded will be leaked for public use in case of non-payment or after the expiration of your key for decrypting files.

Hurry up! The decryption keys for your files may be overwritten and then recovery of your files will not be possible! (this usually happens a week after encrypting your files.)

Emails

  • lord_bomani@keemail.me
  • jbomani@protonmail.com
  • Bomani@Email.Com

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Blocklisted process makes network request 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 29 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bomani2.exe
    "C:\Users\Admin\AppData\Local\Temp\bomani2.exe"
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:1832
  • C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\Read Me!.hTa"
    • Blocklisted process makes network request
    • Modifies Internet Explorer settings
    • System policy modification
    PID:1716
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap5696:76:7zEvent17021 -ad -saa -- "C:\Users\Public\Desktop\Read Me!"
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1532
  • C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\Read Me!.hTa"
    • Blocklisted process makes network request
    • Modifies Internet Explorer settings
    PID:1100
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap11114:74:7zEvent30880 -ad -saa -- "C:\Users\Admin\Desktop\Read Me!"
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:788

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic              Technique                            ID     Count
  Persistence         Registry Run Keys / Startup Folder   T1060  1
  Defense Evasion     Modify Registry                      T1112  3
  Credential Access   Credentials in Files                 T1081  1
  Collection          Data from Local System               T1005  1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    Filesize: 717B
    MD5: 54e9306f95f32e50ccd58af19753d929
    SHA1: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
    SHA256: 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
    SHA512: 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DC822844F8848EAB9DF5263178C0BCFF
    Filesize: 503B
    MD5: 7c14c6f6d1a21489e4cc01cd7d233bc7
    SHA1: 7bf55785ef4836e15fa465dc34a06cdc3a743d20
    SHA256: bd4903b059d4d14fbc60e9464f9e85fe326779ea35ed6882d5dbce4e37a0dc11
    SHA512: 048189dd22f5811b9f634cbc0d117edc2aec5f5c24b9a01b724a19df9e74a2ca38bd38f5393231d40f0459f904d35e0a3d64af1f01d283970655eac0251eb819

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
    Filesize: 192B
    MD5: 2999032328b7d4c430b1c633cce883f0
    SHA1: f776036409883153966b37290596c35ce5089ecf
    SHA256: 7010536ec5b775a8cb9d139bb8677cb165394c3cc20ff58fe261df90f08d3ce3
    SHA512: 60a3b2516038101d07856c27876fcbb746fe0f75bb2cb8c0deb2a645b3faad02a9a7146efc079aaa98d2ee4197632bf9702db2b3878deff3b9ada8ce25f98c3b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 569a76c60ced76117d76e4ee79c2df93
    SHA1: 8209b9c6062a76d99ba80c643a3f1aaac271010d
    SHA256: 69ffd2735320e7f59bbf677fd3d8fa5759497c673d4ec4b9bd2aa3326eaeadcd
    SHA512: 2e25f437201d87e03d174af94a02a9db0988a7cf68a8fcd557bf6b0382a189b696319ed3ada0ce806c2b6791f0e1f9f4545c4db3b3496881ff26fae86dc48554

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DC822844F8848EAB9DF5263178C0BCFF
    Filesize: 548B
    MD5: 6a383e390e6cef380d4e774f502d7fab
    SHA1: bbb5d04b0110750a0b5fbd5719dc5946eeb33ca3
    SHA256: 179251fe9f104e3dd64fa1190fb048949dfe08f8c0d93fb1bdf80507f6c91176
    SHA512: 88127581edf101cf91fb26a596982a3892364e9ddda1a52be787474b7241876bab854b98d4a1cb6c440dac2ec5cbd13e84f34500791e16a1b00978ae192597ca

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GC0VJYYE\b0222[1].gif
    Filesize: 50KB
    MD5: 926d92c5744db1500c15fcdc8f9d47a3
    SHA1: 272ac3afbd17a804a91bca1cf0bb0bb03e9161d0
    SHA256: 25b6d9418d32d9289178b413da675ceee1ebaa9ec2b77febac61de066ea86bff
    SHA512: 3098fe75ddd74d6d2c37c81620fbb17d41e8f9e079b12fe4edfe71aaa8ad114658ac1f603039ba56b145dd906998ab322a6cf18a06f133b7c02a2d7b4094247d

  • C:\Users\Admin\Desktop\Read Me!.hTa
    Filesize: 7KB
    MD5: ece010d48a7d7f91dec329d390fb54b4
    SHA1: 3037bc10221e93431d6a2cdc60d25480a2fc7749
    SHA256: f3024c61b1ba03de4eeda013ba19e4aa31473347629289003cb43e454b4ed9a6
    SHA512: 1d68d6e8fa90494043d55ce3f3ddb08cf6b4fc918ccc1ab4349e9aa2877c68bc402ba8e621eddd257e298f1a0db29c894ef2d94e082ce4c5bcd8d8c29d946fe6

  • C:\Users\Public\Desktop\Read Me!.hTa
    Filesize: 7KB
    MD5: ece010d48a7d7f91dec329d390fb54b4
    SHA1: 3037bc10221e93431d6a2cdc60d25480a2fc7749
    SHA256: f3024c61b1ba03de4eeda013ba19e4aa31473347629289003cb43e454b4ed9a6
    SHA512: 1d68d6e8fa90494043d55ce3f3ddb08cf6b4fc918ccc1ab4349e9aa2877c68bc402ba8e621eddd257e298f1a0db29c894ef2d94e082ce4c5bcd8d8c29d946fe6

  • memory/1532-57-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp
    Filesize: 8KB

  • memory/1832-54-0x00000000759B1000-0x00000000759B3000-memory.dmp
    Filesize: 8KB