Extracted

Extracted

• • Target

    08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517

  • Size

    270KB

  • MD5

    b44f00cb1edb37de99b3433e1923690f

  • SHA1

    214e0da093d49cfc4ff6c34515767dc079daaeed

  • SHA256

    08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517

  • SHA512

    529c279d2cf5ab854adf02d47924fa351a21c58a912323b164da4c3840a52376ef74a4b021fcf610794b3b1d99b3775365d21041404038bc3ca1101e6b0641c8

  Score

  10^/10

  globeimposterlockbitpersistenceransomwarespywarestealer

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit

  • Executes dropped EXE

  • Modifies extensions of user files

    Ransomware generally changes the extension on encrypted files.

    ransomware

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Suspicious use of SetThreadContext

  behavioral1behavioral2