Overview

overview

10

Static

static

067c2cfa9e...b3.exe

windows7_x64

10

067c2cfa9e...b3.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3

  • Size

    267KB

  • Sample

    220531-glwe8abhap

  • MD5

    7d67bbf0d095476eab63758fdc87fc59

  • SHA1

    34adeff5d484e149ba5bcb6e24475c53fa2ae332

  • SHA256

    067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3

  • SHA512

    b897fb073d25fd5dd052cf5733c40062d2c39649ce20d800ecbd1005f9d86e296c7e1a3455fc4251d24f2e9f45294b9a082ba28d9fbf410e9614c7bc514c7f84

Score
10/10
globeimposterlockbitpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###�����������80 4E 19 EB B4 97 3C A5 9C A9 99 BC 2C 5F 7C E4 97 8D B8 81 E3 98 FB 62 DD 00 D4 F9 6F CF 5D 9D 59 FE F6 D2 E7 58 C8 E3 D4 A1 D6 7E 67 B6 7F 6B 84 CD 9D CA A1 68 ED 3D FF 1C C4 ED D4 23 C8 FF D8 14 50 6D C1 70 86 1B FD 75 94 65 93 F6 E8 C7 5B 76 DD B5 B6 3E A4 B8 D2 BC E5 29 10 DE 98 C2 DE E5 52 D7 AC 8F 9A 4B A2 B3 96 91 11 41 1A AB 2A 9F F3 54 93 82 C5 E8 5C 20 AA 68 2E DA 96 CA F2 57 7E CC 4C 57 38 22 70 6A F2 30 16 CE D1 0F D9 8D FA 69 9F 9A 5D 1A 8C A4 ED C3 86 A3 12 D0 89 40 55 94 9E 47 3D 25 7F 92 B7 B2 93 59 7A 99 2B E2 2B 4A 42 DB 55 CE A9 27 BE 27 DA A3 68 6C EE 15 2B 87 89 BA 40 8D 56 2F 35 D2 B2 00 34 79 17 74 0D 3E 23 A3 FB 1A CB C1 76 BE B7 DF AA 8F 06 2D 4E 50 8C D4 7B 9B A1 88 C5 D2 4A 82 A7 BB 24 EF A1 AF D3 4B 8A DA C6 38 73 0B 78 76 7E 83 ###�������������
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###�����������7C 46 E8 FF 8C 52 C4 61 BA 95 B2 85 58 BD BC F1 F8 4F 20 01 C8 BB 6B 43 25 56 87 B2 7E 94 78 3A A0 D1 C2 76 53 2A EC 24 01 89 6B 5C 45 A8 DF 18 26 B9 0C F0 5E EF C2 41 7C 72 42 42 82 33 4D DF C6 AC 2D 02 E8 43 B3 3D 67 79 C4 7D 7D CA 1A 90 D6 4F E2 96 50 D9 7D DE 96 FC 36 36 D8 64 19 57 9C 69 0E 4B A2 4F 1B 3A 52 42 C3 94 1C 42 93 F0 DD 5D 56 2B B5 BE F3 73 A6 FE C3 07 2A 21 87 FF D0 E2 77 A9 99 86 2C 74 54 3A A3 E0 4F 11 78 5C 8A 91 FC B0 48 D6 C7 8B 7C D5 48 E3 F8 1E 2D A4 14 DD 25 6B F3 88 CD 64 4F 6D 97 3D 62 68 2F EA 23 D1 93 C4 26 5A F2 BA A7 F4 8F D2 15 2A 73 F1 B0 84 A3 BC 89 BB 2F 4E E4 2E 70 2E 8E 67 E2 C3 3E 46 5E 71 ED 57 21 F4 15 9B 69 5E 91 39 81 D3 D7 F4 49 ED 81 D4 9D B1 2A CF CA 11 16 68 B3 C2 B3 3D 62 12 6B 65 1A 8F 8C 58 19 E5 E8 E3 F8 A8 ###�������������
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • Target

      067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3

    • Size

      267KB

    • MD5

      7d67bbf0d095476eab63758fdc87fc59

    • SHA1

      34adeff5d484e149ba5bcb6e24475c53fa2ae332

    • SHA256

      067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3

    • SHA512

      b897fb073d25fd5dd052cf5733c40062d2c39649ce20d800ecbd1005f9d86e296c7e1a3455fc4251d24f2e9f45294b9a082ba28d9fbf410e9614c7bc514c7f84

    Score
    10/10
    globeimposterlockbitpersistenceransomwarespywarestealer

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

      ransomwareglobeimposter

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

      ransomwarelockbit

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks