General

  • Target

    57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

  • Size

    235KB

  • Sample

    220523-3zp19adefj

  • MD5

    beca53ebe027a5200ae7b0158f2d742b

  • SHA1

    1af422f5bd6f4c4ba570fcd4b823c86f675af85b

  • SHA256

    57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

  • SHA512

    82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • Target

      57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

    • Size

      235KB

    • MD5

      beca53ebe027a5200ae7b0158f2d742b

    • SHA1

      1af422f5bd6f4c4ba570fcd4b823c86f675af85b

    • SHA256

      57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

    • SHA512

      82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1 matched signature

  • Defense Evasion

    Modify Registry (T1112): 1 matched signature

  • Discovery

    Query Registry (T1012): 1 matched signature

    System Information Discovery (T1082): 2 matched signatures

Tasks