Analysis

  • max time kernel
    151s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 00:44

General

  • Target

    935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

  • Size

    409KB

  • MD5

    ca5f6009311c61f27ad3be2914b9fc59

  • SHA1

    d20a8fef26ee4d833ee81c2bd6aaa8a06f322562

  • SHA256

    935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c

  • SHA512

    4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
    "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:660
    • C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
      "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • NTFS ADS
      PID:744

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

    Filesize

    409KB

    MD5

    ca5f6009311c61f27ad3be2914b9fc59

    SHA1

    d20a8fef26ee4d833ee81c2bd6aaa8a06f322562

    SHA256

    935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c

    SHA512

    4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa

  • \Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

    Filesize

    409KB

    MD5

    ca5f6009311c61f27ad3be2914b9fc59

    SHA1

    d20a8fef26ee4d833ee81c2bd6aaa8a06f322562

    SHA256

    935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c

    SHA512

    4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa

  • memory/744-63-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/744-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/744-66-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/744-71-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/744-72-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1276-58-0x0000000004180000-0x0000000004188000-memory.dmp

    Filesize

    32KB

  • memory/1276-60-0x0000000004190000-0x000000000419C000-memory.dmp

    Filesize

    48KB

  • memory/1276-61-0x00000000041C0000-0x00000000041CC000-memory.dmp

    Filesize

    48KB

  • memory/1276-56-0x0000000000440000-0x000000000046A000-memory.dmp

    Filesize

    168KB

  • memory/1276-54-0x0000000000CD0000-0x0000000000D3A000-memory.dmp

    Filesize

    424KB

  • memory/1276-55-0x0000000075E41000-0x0000000075E43000-memory.dmp

    Filesize

    8KB