globeimposter | 935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c

General

Target

935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
Size

409KB
MD5

ca5f6009311c61f27ad3be2914b9fc59
SHA1

d20a8fef26ee4d833ee81c2bd6aaa8a06f322562
SHA256

935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c
SHA512

4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa

Score

10^/10

globeimposter lockbit persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��39 BA 3C 4B F4 5C E0 FD D4 55 A9 60 1C F5 6D 0B AD 54 01 E8 4A 98 2B F7 45 0B 4F 41 B3 87 67 19 97 43 15 E1 29 84 23 F3 B5 60 5F D9 82 78 34 3E 25 96 DC 6F 9B 57 94 19 20 10 8A 15 C5 97 23 C3 DF D6 11 CB 4C 06 99 7A 63 2C 55 ED A0 91 D5 E0 63 0D 5D 7D DE 02 3C 8F 8F C5 75 5E D8 F9 FF 51 79 B5 78 20 3F 8C 10 FD 56 C7 F8 CD E9 F3 18 F4 E3 A7 33 2E 70 E8 20 EB F3 5E 54 2A 1F 92 A7 60 60 1A 3F 67 24 1A D7 F8 98 AF E8 C2 C4 DA 71 76 E9 BB BD A3 A3 2D B9 D0 6B 51 33 00 C5 C3 3D 70 DC 95 D2 B9 ED 6F 1F AA 4C 62 82 3B 58 C0 F7 EA C9 60 BD C1 81 AE 02 B2 DD EE AC BE 79 01 FC 52 91 C7 DE 89 D3 1A 6D 69 1F B7 68 FC 29 6C EC 47 58 43 3E F3 E8 45 08 5A 05 E6 24 6B 07 53 73 F6 7B B7 9B 4F F5 87 7D CF 04 FB BD 59 0E 78 71 A3 5D 69 AD 18 FD AC 94 DD 16 C0 5B 8C 73 A9 6C 8C ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Executes dropped EXE 2 IoCs

pid	Process
1552	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
3436	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\EnableFormat.tiff => C:\Users\Admin\Pictures\EnableFormat.tiff.DOCM	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File renamed	C:\Users\Admin\Pictures\MoveTrace.tif => C:\Users\Admin\Pictures\MoveTrace.tif.DOCM	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File renamed	C:\Users\Admin\Pictures\RestoreTrace.png => C:\Users\Admin\Pictures\RestoreTrace.png.DOCM	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File renamed	C:\Users\Admin\Pictures\SendUse.raw => C:\Users\Admin\Pictures\SendUse.raw.DOCM	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File renamed	C:\Users\Admin\Pictures\StopProtect.png => C:\Users\Admin\Pictures\StopProtect.png.DOCM	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Pictures\EnableFormat.tiff	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File renamed	C:\Users\Admin\Pictures\LimitRestore.png => C:\Users\Admin\Pictures\LimitRestore.png.DOCM	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File renamed	C:\Users\Admin\Pictures\RevokeMove.raw => C:\Users\Admin\Pictures\RevokeMove.raw.DOCM	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File renamed	C:\Users\Admin\Pictures\SplitUnlock.png => C:\Users\Admin\Pictures\SplitUnlock.png.DOCM	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Desktop\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Public\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 3436	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe\:Zone.Identifier:$DATA	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
File created	C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2712	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	91
PID 2192 wrote to memory of 2712	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	91
PID 2192 wrote to memory of 2712	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	91
PID 2192 wrote to memory of 4708	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	93
PID 2192 wrote to memory of 4708	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	93
PID 2192 wrote to memory of 4708	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	93
PID 2192 wrote to memory of 1552	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	100
PID 2192 wrote to memory of 1552	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	100
PID 2192 wrote to memory of 1552	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	100
PID 2192 wrote to memory of 3436	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	101
PID 2192 wrote to memory of 3436	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	101
PID 2192 wrote to memory of 3436	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	101
PID 2192 wrote to memory of 3436	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	101
PID 2192 wrote to memory of 3436	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	101
PID 2192 wrote to memory of 3436	2192	935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe	101

C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
"C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:4708
- C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
  "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe
  "C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - NTFS ADS
  PID:3436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

Filesize
409KB

MD5
ca5f6009311c61f27ad3be2914b9fc59

SHA1
d20a8fef26ee4d833ee81c2bd6aaa8a06f322562

SHA256
935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c

SHA512
4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c.exe

Filesize
409KB

MD5
ca5f6009311c61f27ad3be2914b9fc59

SHA1
d20a8fef26ee4d833ee81c2bd6aaa8a06f322562

SHA256
935618441af5a6a841621b34a836050eddbfd8a8b09aaf5effb917e6c1804f3c

SHA512
4823125186d614a40b5356b042ea893a71be12930e5b5f454a6fb0b99ba90cf00f29919fe9ac9f9f793ae7a51cf8a2334a31727e14bbfdb393566ad3023eabfa

Download Submit
memory/2192-138-0x0000000000A00000-0x0000000000A9C000-memory.dmp

Filesize
624KB

Download
memory/2192-134-0x0000000005DE0000-0x0000000005E02000-memory.dmp

Filesize
136KB

Download
memory/2192-135-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/2192-137-0x0000000006120000-0x00000000061B2000-memory.dmp

Filesize
584KB

Download
memory/2192-130-0x0000000000220000-0x000000000028A000-memory.dmp

Filesize
424KB

Download
memory/2192-133-0x0000000005F50000-0x0000000006112000-memory.dmp

Filesize
1.8MB

Download
memory/2192-131-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/3436-142-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3436-145-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3436-146-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads