Overview

overview

10

Static

static

bomani2.exe

windows7_x64

10

bomani2.exe

windows10-2004_x64

10

Resubmissions

18-08-2022 13:44

220818-q18hrsaca7 10

30-03-2022 09:01

220330-ky21bafbdq 10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    30-03-2022 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bomani2.exe

  • Size

    56KB

  • MD5

    cadf573e4ca120639a1e5484e985938d

  • SHA1

    ff0d09efbb1495982073291351a81de59e2c3c0d

  • SHA256

    7375b2047d519fffcbe1191522efbf73dcda6073a4fc9b77f01f009c437a2fe8

  • SHA512

    a8496afe762828b23f3568c49954a7c84c2390e0b2d2bb54c141fa9af2db390fd1f0a7582a006ed2b315fd074e4a2268bfdc52a1923f1a28e706000db92015ef

Score
10/10
globeimposterpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Read Me!.hTa

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mails: [email protected] and [email protected] and [email protected] (for the fastest possible response, write to all 3 mails at once!) Write this ID in the title of your message: ���86 FA EE F8 BB CF 9F 2C 82 69 2C 41 1A 9D DF CD 0C F2 F7 EC A6 CB 19 5B 6F 97 F4 DE EC C2 2A 4A 02 83 10 CE 81 85 D5 3B 11 D6 7A 1E F5 B0 87 69 2A 3E 26 52 7D 33 41 F2 3A 20 DA 05 5B 14 DE 89 C2 88 36 71 97 EF B2 7A 6C 08 03 E0 05 01 58 E0 84 C2 E1 34 93 65 B6 0D 4B 7D D7 32 E9 F5 3F 77 33 51 AB FF 5A 03 68 80 47 20 5F 39 D8 B5 69 20 ED 30 64 D3 0A D9 0E F7 DD 47 D2 06 0C 30 B0 CA 03 0A 26 56 18 53 9F A9 47 EB 9E 6D 80 FB F8 0D EB 89 CD C0 8B C7 96 77 66 24 EB E1 C8 A1 46 71 AD F1 28 D7 B3 6E E2 A4 5A 69 AA 49 85 0D CC 87 F7 DD 39 7D 55 D0 AB 58 27 2A 60 94 75 19 C7 BB 5A 03 56 C2 69 FE C3 B3 5B A3 86 E4 6D 8B 05 FC 51 1C 1B 01 06 BB 91 DC EB B6 83 02 B0 7E 7A 3E 00 58 9F 42 D4 A9 17 C4 61 B9 06 86 BB 29 91 D8 5B A6 25 86 72 76 96 A9 3C 08 26 6D FE 77 89 6B You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 5Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. We also upload a huge amount of your personal data, including confidential information, financial information, customer personal information, passwords, and so on. Everything that we downloaded will be leaked for public use in case of non-payment or after the expiration of your key for decrypting files. Hurry up! The decryption keys for your files may be overwritten and then recovery of your files will not be possible! (this usually happens a week after encrypting your files.) ��������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Blocklisted process makes network request 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 25 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Modifies registry class 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bomani2.exe
    "C:\Users\Admin\AppData\Local\Temp\bomani2.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:2344
  • C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\Read Me!.hTa" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Blocklisted process makes network request
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:1736
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
      PID:1132
    • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
      "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2436
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\b0222.gif
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3712
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\b0222.gif
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3260 CREDAT:17410 /prefetch:2
        2⤵
        • Sets desktop wallpaper using registry
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3824

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{54A1E4F5-B008-11EC-B9A4-E620F3DF43A3}.dat
      Filesize

      5KB

      MD5

      c8ac84facaa039090407723593410f1e

      SHA1

      d7f76f7095a6d35ffd4da4878204a02080d08d3b

      SHA256

      b64bc3925b8a36cf4c0a03fcee341e433e303d11a8d689e6fa371040d594cafe

      SHA512

      69483f4dbe4e2f4b35d3fcc26abfee62ccfefc61863e73d3576b970df61ff3d25d0aa798a5f7f017942eb2bfe4f3a3d384c693862683e598aef25b1d44784219

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{04D6A65B-7467-11EC-B99B-7EE208A7DFD1}.dat
      Filesize

      5KB

      MD5

      851119e1952d7f854ba78717be1e6911

      SHA1

      b86110faea04a25631e4f6e5e950a5c765f55919

      SHA256

      a0f78ed7a35359ed50d2b863c6e22bc1444341c8b992338c68ab17be1fa3bcab

      SHA512

      0e8b73b5963aa9bba8afcd271d66bb50377a674d7f94e303b2ce64e194a0ee819dca496e4cb2ea70d6ac8932977db09b27093ea26b1d0fd60b5c387765de3367

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{54A1E4F8-B008-11EC-B9A4-E620F3DF43A3}.dat
      Filesize

      4KB

      MD5

      485ebea97b7a356706305a0156ca909d

      SHA1

      44601040f12a54b5e75f30586c4afd52b2c03f27

      SHA256

      a53895c7446104941547907bc87968e9d221d5a6d9fd14555090a19a6e986c13

      SHA512

      8d0609ac511966d0548c1cd721d55e7ad18057d30e913f74bcf6cf47c970fe85e0589a0a4495b54807a67a04440595db5ba6cb84ec641bbc26a1bfc67a08aacf

      Download Submit

    • C:\Users\Admin\Desktop\Read Me!.hTa
      Filesize

      7KB

      MD5

      b9856ca79007c0533747ab13032dc915

      SHA1

      16edfbbda5c7d87285092064adf5f2979a7275e8

      SHA256

      d746d756d3ca002563d3279ce9066c3b237cea73890fc3aefc7d7fdeab66f6e1

      SHA512

      58a003e02f85474d4a5b1f3cf6796f1df7941e37a8bde7511b88fc6bd97458acbebf19ad99bc2d0c47c7f4e3ea0f80a99bbad74052e8b92ab9d2ffe949f5871f

      Download Submit

    • C:\Users\Admin\Desktop\b0222.gif
      Filesize

      50KB

      MD5

      926d92c5744db1500c15fcdc8f9d47a3

      SHA1

      272ac3afbd17a804a91bca1cf0bb0bb03e9161d0

      SHA256

      25b6d9418d32d9289178b413da675ceee1ebaa9ec2b77febac61de066ea86bff

      SHA512

      3098fe75ddd74d6d2c37c81620fbb17d41e8f9e079b12fe4edfe71aaa8ad114658ac1f603039ba56b145dd906998ab322a6cf18a06f133b7c02a2d7b4094247d

      Download Submit

    • C:\Users\Admin\Favorites\Bing.url.[[email protected]]
      Filesize

      1KB

      MD5

      7d18e42a0900278724a34ee1b10c1c14

      SHA1

      50d2a3a79848fd0338a335be08e245d2193612e1

      SHA256

      4e8b2c4396e5548ed40864cf715a37700baa91bf819653082a1f4934717b1546

      SHA512

      4095fcb969bdb0d49ffbd6d99ad1912152814408f05c5267319913bfb33caf5da8f6e60d15e1b4ced6f69878ef61a7e486961f2f608d8efd49fe60de738635dd

      Download Submit

    • C:\Users\Admin\Favorites\Links\Read Me!.hTa
      Filesize

      7KB

      MD5

      b9856ca79007c0533747ab13032dc915

      SHA1

      16edfbbda5c7d87285092064adf5f2979a7275e8

      SHA256

      d746d756d3ca002563d3279ce9066c3b237cea73890fc3aefc7d7fdeab66f6e1

      SHA512

      58a003e02f85474d4a5b1f3cf6796f1df7941e37a8bde7511b88fc6bd97458acbebf19ad99bc2d0c47c7f4e3ea0f80a99bbad74052e8b92ab9d2ffe949f5871f

      Download Submit

    • C:\Users\Admin\Favorites\Read Me!.hTa
      Filesize

      7KB

      MD5

      b9856ca79007c0533747ab13032dc915

      SHA1

      16edfbbda5c7d87285092064adf5f2979a7275e8

      SHA256

      d746d756d3ca002563d3279ce9066c3b237cea73890fc3aefc7d7fdeab66f6e1

      SHA512

      58a003e02f85474d4a5b1f3cf6796f1df7941e37a8bde7511b88fc6bd97458acbebf19ad99bc2d0c47c7f4e3ea0f80a99bbad74052e8b92ab9d2ffe949f5871f

      Download Submit

    • C:\Users\Admin\Pictures\Camera Roll\Read Me!.hTa
      Filesize

      7KB

      MD5

      b9856ca79007c0533747ab13032dc915

      SHA1

      16edfbbda5c7d87285092064adf5f2979a7275e8

      SHA256

      d746d756d3ca002563d3279ce9066c3b237cea73890fc3aefc7d7fdeab66f6e1

      SHA512

      58a003e02f85474d4a5b1f3cf6796f1df7941e37a8bde7511b88fc6bd97458acbebf19ad99bc2d0c47c7f4e3ea0f80a99bbad74052e8b92ab9d2ffe949f5871f

      Download Submit

    • C:\Users\Admin\Pictures\Saved Pictures\Read Me!.hTa
      Filesize

      7KB

      MD5

      b9856ca79007c0533747ab13032dc915

      SHA1

      16edfbbda5c7d87285092064adf5f2979a7275e8

      SHA256

      d746d756d3ca002563d3279ce9066c3b237cea73890fc3aefc7d7fdeab66f6e1

      SHA512

      58a003e02f85474d4a5b1f3cf6796f1df7941e37a8bde7511b88fc6bd97458acbebf19ad99bc2d0c47c7f4e3ea0f80a99bbad74052e8b92ab9d2ffe949f5871f

      Download Submit