Overview

overview

10

Static

static

08f7c2a8b1...17.exe

windows7_x64

10

08f7c2a8b1...17.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    30-05-2022 20:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517.exe

  • Size

    270KB

  • MD5

    b44f00cb1edb37de99b3433e1923690f

  • SHA1

    214e0da093d49cfc4ff6c34515767dc079daaeed

  • SHA256

    08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517

  • SHA512

    529c279d2cf5ab854adf02d47924fa351a21c58a912323b164da4c3840a52376ef74a4b021fcf610794b3b1d99b3775365d21041404038bc3ca1101e6b0641c8

Score
10/10
globeimposterlockbitpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###�����������7C 71 F0 A6 D9 56 79 97 51 03 1E 1A 84 4A BC 23 25 09 60 F8 11 E8 CC 78 19 ED 25 09 6F A0 2F 78 5B BF 17 D4 AB 88 B5 23 6B C3 31 9F 48 F5 9C A6 98 F8 79 FA F6 9D D6 D5 12 CD 63 39 D0 45 0E 9B 94 40 F5 03 DE AC 56 A6 2B 90 01 03 E3 48 D7 87 6F 27 99 A8 35 9E B2 6D 87 3C 0C 22 51 3C 68 31 C6 D9 80 D7 A9 A1 2A FA CA C6 6F FF 16 6A 51 A4 F5 BE 24 83 C0 FA 14 6A 57 B2 4C E6 AC 7B 92 4C 3A 52 5A 94 C7 71 D7 24 43 4A 6C 48 5E 30 32 5A 7D F0 0E 46 D5 2C F5 06 27 58 79 18 0E 98 88 A1 9F E1 14 50 17 BC B6 85 AA FE 4B 63 D8 A1 D0 84 55 1F 63 B0 B2 A2 6E A5 00 B9 B0 F5 5F B0 CB AA A9 BE D2 B2 3E 00 C3 89 00 C5 0F FC 61 C4 E1 A5 0A 9C 29 88 2A C4 BE 4F 21 B3 FB BB E1 CC D3 DB F3 FD BE EE AA 53 C9 06 10 EF 78 7A A2 4D 26 49 43 2C 4F 72 75 9F 63 2C 44 BD 79 05 17 70 C7 99 ###�������������
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 27 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • NTFS ADS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517.exe
    "C:\Users\Admin\AppData\Local\Temp\08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:588
    • C:\Users\Admin\AppData\Local\Temp\08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517.exe
      "C:\Users\Admin\AppData\Local\Temp\08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • NTFS ADS
      PID:1064

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517.exe
    Filesize

    270KB

    MD5

    b44f00cb1edb37de99b3433e1923690f

    SHA1

    214e0da093d49cfc4ff6c34515767dc079daaeed

    SHA256

    08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517

    SHA512

    529c279d2cf5ab854adf02d47924fa351a21c58a912323b164da4c3840a52376ef74a4b021fcf610794b3b1d99b3775365d21041404038bc3ca1101e6b0641c8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517.exe
    Filesize

    270KB

    MD5

    b44f00cb1edb37de99b3433e1923690f

    SHA1

    214e0da093d49cfc4ff6c34515767dc079daaeed

    SHA256

    08f7c2a8b124972c88f685d28e19b7a4dfdf63a4d2aabf3bb2672900d11fd517

    SHA512

    529c279d2cf5ab854adf02d47924fa351a21c58a912323b164da4c3840a52376ef74a4b021fcf610794b3b1d99b3775365d21041404038bc3ca1101e6b0641c8

    Download Submit

  • memory/548-70-0x000000006FEF0000-0x0000000070084000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/548-69-0x00000000742E0000-0x000000007431B000-memory.dmp

    Filesize

    236KB

    Download

  • memory/548-54-0x0000000000E30000-0x0000000000E78000-memory.dmp

    Filesize

    288KB

    Download

  • memory/548-59-0x00000000748F0000-0x00000000749EC000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/548-60-0x00000000713E0000-0x0000000071B1E000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/548-61-0x00000000004E0000-0x000000000050A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/548-62-0x0000000070680000-0x00000000713D6000-memory.dmp

    Filesize

    13.3MB

    Download

  • memory/548-63-0x0000000070360000-0x000000007067B000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/548-87-0x0000000072D10000-0x000000007409F000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/548-65-0x0000000000C30000-0x0000000000C38000-memory.dmp

    Filesize

    32KB

    Download

  • memory/548-88-0x000000006FEF0000-0x0000000070084000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/548-67-0x0000000000C40000-0x0000000000C4C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/548-68-0x0000000070090000-0x00000000701B3000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/548-55-0x0000000076181000-0x0000000076183000-memory.dmp

    Filesize

    8KB

    Download

  • memory/548-58-0x0000000071B20000-0x0000000072300000-memory.dmp

    Filesize

    7.9MB

    Download

  • memory/548-72-0x0000000072D10000-0x000000007409F000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/548-57-0x0000000072300000-0x0000000072D10000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/548-73-0x0000000072300000-0x0000000072D10000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/548-74-0x0000000071B20000-0x0000000072300000-memory.dmp

    Filesize

    7.9MB

    Download

  • memory/548-75-0x0000000000410000-0x000000000041C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/548-76-0x000000006FA50000-0x000000006FC21000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/548-56-0x0000000072D10000-0x000000007409F000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/548-71-0x000000006DF20000-0x000000006EC3D000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/1064-89-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1064-86-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1064-81-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1064-79-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1064-78-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download