Analysis

  • max time kernel
    151s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    22-05-2022 05:46

General

  • Target

    star.exe

  • Size

    360KB

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/
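
An added example, not part of the sandbox report, showing how the two .onion addresses and the query-string token above can be pulled out of the recovered note and classified. The input is the note text as it appears on this page (the victim ID, which the page does not show, is left out); the function and field names are my own.

```python
import re
from urllib.parse import urlsplit

# The note text the sandbox recovered from C:\read-me.txt, embedded as the sample input.
# The victim ID that follows "Your ID" is not on the report page and is omitted.
SAMPLE_NOTE = (
    "All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: "
    "| 1. Download Tor browser - https://www.torproject.org/ and install it. "
    "| 2. Open link in TOR browser - "
    "http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV "
    "| 3. Create Ticket Note! This link is available via Tor Browser only. "
    "or http://helpqvrg3cc5mvb3.onion/ Your ID "
)

# v3 onion hostnames are 56 base32 characters, v2 are 16; nothing else is a valid .onion.
# The longer alternative is tried first so a v3 host is not cut short at 16 characters.
ONION_URL = re.compile(r"https?://([a-z2-7]{56}|[a-z2-7]{16})\.onion[^\s|'\"<>]*", re.I)


def extract_onion_urls(note):
    """Return the distinct .onion URLs in a ransom note, in order of appearance."""
    found = []
    seen = set()
    for m in ONION_URL.finditer(note):
        url = m.group(0).rstrip(".,)")  # notes often run punctuation straight into the URL
        if url in seen:
            continue
        seen.add(url)
        host = m.group(1).lower()
        version = 3 if len(host) == 56 else 2
        query = urlsplit(url).query
        found.append({
            "url": url,
            "host": host + ".onion",
            "version": version,
            # Tor retired v2 onion services in 2021, so a v2 address in a 2022 sample is
            # still worth recording as an IOC but is not a live contact point.
            "live_candidate": version == 3,
            # The token the note appends to the URL. Whether it identifies the campaign or
            # the victim is not something one sample tells you; record it, do not label it.
            "query_token": query or None,
        })
    return found


if __name__ == "__main__":
    for entry in extract_onion_urls(SAMPLE_NOTE):
        print(entry)
```

Run against the note above this yields two entries: the v3 address carrying the token STAHYJUHGFV, and the v2 helpqvrg3cc5mvb3.onion address flagged as not live. The v2 check matters when prioritising which URL to hand to a Tor crawler or a takedown request.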

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017, named for imitating the ransom note of the earlier Globe ransomware. This sample drops its note as C:\read-me.txt (see Malware Config above).

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc. In a ransomware sample this is more often a side effect of walking the whole user profile to encrypt it than deliberate credential theft; check whether the browser files were renamed or overwritten rather than only read before treating it as data theft.

  • Adds Run key to start application 2 TTPs 2 IoCs

    A Run key value relaunches a program at every logon. It is a second persistence path alongside the scheduled task created below, so removing only one of them leaves the sample able to return.

  • Drops desktop.ini file(s) 26 IoCs

    Ransomware commonly writes a desktop.ini into each directory it has visited, often to change the folder's appearance or show its note; the 26 hits here track the directories the encryptor walked.

  • Suspicious use of SetThreadContext 1 IoCs

    Legitimate software rarely rewrites another thread's context. Here the parent star.exe (PID 1580) is flagged for it after launching a second instance of its own image (PID 816); together with WriteProcessMemory this is consistent with process hollowing, where the on-disk file is a loader and the child's memory holds the payload that does the encryption.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here it imports a task definition (/XML) from a .tmp file in the user's Temp directory under the name Updates\jVYbanglCI, matching the copy dropped to AppData\Roaming\jVYbanglCI.exe; the 1KB XML is listed under Downloads as tmpB52D.tmp.

  • Suspicious use of WriteProcessMemory 11 IoCs

    Writing into another process's memory is expected of debuggers and little else. The hits come from the parent star.exe (PID 1580); the 56KB region dumped at 0x400000 from the child (PID 816, under Downloads) versus the 360KB file on disk is what to compare to confirm what was written in.

Processes

  • C:\Users\Admin\AppData\Local\Temp\star.exe
    "C:\Users\Admin\AppData\Local\Temp\star.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB52D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2020
    • C:\Users\Admin\AppData\Local\Temp\star.exe
      "{path}"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      PID:816
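
A detection sketch added here (not from the sandbox or the sample's authors) for the two behaviours the tree above makes visible: schtasks.exe importing a task definition from a file in a user's Temp directory, and a binary in a user profile launching a second copy of itself. The events are constructed to mirror the tree, with the command lines copied from the report; the parent PIDs 1000 and 900, the benign control event and all function names are made up.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the sandbox tree above (fields as a Sysmon
# Event ID 1 or EDR feed would carry them). The three malicious events reuse the report's
# command lines; the fourth is a benign control an admin might generate. PIDs 1000 and 900
# for the root parents are made up.
EVENTS = [
    {"pid": 1580, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\star.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\star.exe"'},
    # Image is SysWOW64 while the command line says System32: star.exe is 32-bit, and WoW64
    # file-system redirection maps System32 to SysWOW64. Match on the basename, not the path.
    {"pid": 2020, "ppid": 1580, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpB52D.tmp"'},
    {"pid": 816, "ppid": 1580, "image": r"C:\Users\Admin\AppData\Local\Temp\star.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\star.exe"'},
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" '
                r'/XML "C:\ProgramData\Backup\nightly.xml"'},
]

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
XML_ARG = re.compile(r'/xml\s+"?([^"\s]+)', re.I)


def under_user_profile(path):
    return bool(USER_PROFILE.match(path))


def rule_task_import(ev, by_pid):
    """schtasks /Create /XML importing a definition from a user profile path, or launched by a
    binary that itself runs from one. Installers rarely do either; droppers routinely do."""
    if PureWindowsPath(ev["image"]).name.lower() != "schtasks.exe":
        return None
    if "/create" not in ev["cmdline"].lower():
        return None
    m = XML_ARG.search(ev["cmdline"])
    if not m:
        return None
    xml_path = m.group(1)
    parent = by_pid.get(ev["ppid"])
    parent_image = parent["image"] if parent else ""
    if under_user_profile(xml_path) or under_user_profile(parent_image):
        return {"rule": "schtasks_xml_import_from_user_profile", "pid": ev["pid"],
                "xml": xml_path, "parent": parent_image}
    return None


def rule_self_spawn(ev, by_pid):
    """A process launching a second copy of its own image from a user profile path. Paired with
    SetThreadContext/WriteProcessMemory on the parent, as the sandbox flagged here, this is the
    usual shape of process hollowing."""
    parent = by_pid.get(ev["ppid"])
    if not parent:
        return None
    if ev["image"].lower() == parent["image"].lower() and under_user_profile(ev["image"]):
        return {"rule": "self_spawn_from_user_profile", "pid": ev["pid"],
                "parent_pid": parent["pid"], "image": ev["image"]}
    return None


def detect(events):
    """Run both rules over a batch of events; parent lookup is by PID within the batch."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        for rule in (rule_task_import, rule_self_spawn):
            hit = rule(ev, by_pid)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the constructed batch the two star.exe-derived events fire and the ProgramData import does not. Parent lookup is by PID within the batch, so on a real feed reuse of PIDs across time needs the process GUID or start time as the key instead.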

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpB52D.tmp

    Filesize

    1KB

    MD5

    efef11175efa67cf47fdfc5d674fc3ba

    SHA1

    84b712204ffb9f24ef7953707986d80ef57e4001

    SHA256

    52b0fa5fd3c4263bb136cec86f505c8127876fb65f4a3c9d0463d9bf7f05a707

    SHA512

    279dbdddaf5aeb2b37a33adb69a30d3f301699fa83162d943b5d548fb28d93037c195bb3b0506e90dc81a05bada14215cb3cb86d6077d153192d4bdc7d6d0c38

  • C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

    Filesize

    360KB

    MD5

    df412d2fb14ddf0f111e836139170776

    SHA1

    c489a70161c6fa3cfe71921af372da3fbb10b2f1

    SHA256

    91fc6bd619163d74ea7861ddb3536b67d8d75fe3405a5ad899bb9002008771da

    SHA512

    751630fcb94df060b21141b7daafe585fb2eb3601b2bd00f4c5f75b430ac5ccd979bc2f332ec74fff52eb8dd5e11a91ed619d947632a0ec8562779c7ebe4a1d1

  • memory/816-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/816-61-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/816-62-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/816-68-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/816-69-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1580-57-0x0000000004CE0000-0x0000000004D46000-memory.dmp

    Filesize

    408KB

  • memory/1580-58-0x0000000000620000-0x0000000000632000-memory.dmp

    Filesize

    72KB

  • memory/1580-56-0x0000000000440000-0x000000000044A000-memory.dmp

    Filesize

    40KB

  • memory/1580-54-0x0000000000980000-0x00000000009E0000-memory.dmp

    Filesize

    384KB

  • memory/1580-55-0x0000000076811000-0x0000000076813000-memory.dmp

    Filesize

    8KB