Overview

overview

10

Static

static

star.exe

windows7_x64

10

star.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-05-2022 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    star.exe

  • Size

    360KB

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Score
10/10
globeimposterpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ���29 90 AF 7F 59 31 3A 1C 72 BC 98 3E A8 44 59 89 94 4D A6 6A 2E B4 82 D5 1E A8 E6 A6 D2 8A 65 A3 27 C2 11 98 58 8A 27 C9 E0 ED 22 58 D0 F4 DF 0D 2D 25 7A 51 B5 C0 85 9A 5F A1 BB D8 45 15 14 07 E4 8D 3C ED 64 6A 76 74 D6 63 50 63 FF E7 FC 17 A8 B1 0B 53 31 E9 54 35 61 AF F4 F7 21 D5 15 BE 25 14 19 AD D7 7C FD AE 76 E0 11 7D D4 5A 73 E2 B5 80 68 9D 64 55 3D EC DA E4 EC 59 60 9C 82 FD 18 E2 49 C3 32 39 BF AF D2 D4 7C 0F FF 3F AB 57 D1 40 F2 02 70 B9 BA 58 82 2C 6E B2 2C 45 7D 04 70 A7 41 2D 0D B4 5C BD 7D 0F 70 D4 15 D3 30 21 30 23 FC 0A 32 B8 C3 95 81 C2 79 30 8A FD 6F 77 B9 F2 86 BE 3A 98 92 C7 9E 4D 47 F3 FD 42 55 B4 04 7E 73 4A 94 BD 87 FA AB 15 0C 01 2D C3 08 B7 57 55 1A BE 36 43 EC 61 22 E2 A2 3F C7 51 A9 A1 17 56 88 EA 39 57 97 81 53 EE 41 C0 2C D0 B2 49
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 27 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\star.exe
    "C:\Users\Admin\AppData\Local\Temp\star.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp126F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1012
    • C:\Users\Admin\AppData\Local\Temp\star.exe
      "{path}"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      PID:4372

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp126F.tmp
    Filesize

    1KB

    MD5

    4bde616f078f2593375e5966c68e783a

    SHA1

    f681ce2e5bbec94479f4c59559192ba9b6faaa19

    SHA256

    6ec599cb26599957903da52179aec5a7d77dc0a2ede351498887293c1d064741

    SHA512

    36e17347804072588fc0600a9d45573876ad24393bda3396c34589565cf72fef3c02185966fbb1bb61867b08c7d9ba5b354b24b66285d8a577c04cf68364fa92

    Download Submit

  • C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe
    Filesize

    360KB

    MD5

    8c1181f3bbd60482a60fcd6cecdc80da

    SHA1

    258231f7d5dee531063f0b45a460c15cc3b70c72

    SHA256

    8c26c6e5a4849b9edd3a24ed93872b4b8344f2db5da7bdd8a89151640947df6c

    SHA512

    8d2e0fda3d9a54ea490870fd7ccadfa9476a848a4c84e35d04a35bd0eff64ddf88549cdc473ca11c561daf8e1ca183aec5da067be877de0744fc33884ce07a1f

    Download Submit

  • memory/2416-133-0x0000000004CE0000-0x0000000004D72000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2416-134-0x0000000004BF0000-0x0000000004BFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2416-135-0x0000000004EE0000-0x0000000004F36000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2416-130-0x0000000000340000-0x00000000003A0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2416-132-0x0000000005290000-0x0000000005834000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2416-131-0x0000000004C40000-0x0000000004CDC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4372-139-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4372-141-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4372-142-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download