Analysis
-
max time kernel
159s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
19-05-2022 02:17
General
-
Target
star.exe
-
Size
360KB
-
MD5
2f121145ea11b36f9ade0cb8f319e40a
-
SHA1
d68049989ce98f71f6a562e439f6b6f0a165f003
-
SHA256
59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
-
SHA512
9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7
Malware Config
Extracted
C:\read-me.txt
globeimposter
http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
http://helpqvrg3cc5mvb3.onion/
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 24 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\star.exe"C:\Users\Admin\AppData\Local\Temp\star.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\star.exe"{path}"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\star.exe"{path}"2⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5243998c586e102d5706d22e1ccdb5781
SHA1a8326b85c94e9f68b6a92c45551933fb5d5fdb52
SHA2564bcf513eb854417da91582ebb18b08b740bddb3fb6973f3693cbcf65c76b4331
SHA512720376589d9dcd21c138f4725b66a8b604b3d6691c61c3c980cc0cead4184da328906e669497276caee719363cdf09c19d11c4a4729983a7a632c817c0ab642d
-
Filesize
360KB
MD509dbea5dd7daa3bcb4318e5c2ab91f7c
SHA19dc5488b07ff8bd58d5ab292ab39c91b88a7d82b
SHA256217b6fc0f7b5f8c4956c5f7f6c30035923ce6c388be625e6b9aebba509d576f2
SHA512046dbe140ec99e1e11f39596a4608d266153c586426f2a0a32d7e5f9ea81191706db3c486939e86b9002fef16b81d104be70bd31f5a5c706a24d96adaba2c924
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
384KB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB