Overview

overview

10

Static

static

star.exe

windows7_x64

10

star.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-06-2022 16:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    star.exe

  • Size

    360KB

  • MD5

    2f121145ea11b36f9ade0cb8f319e40a

  • SHA1

    d68049989ce98f71f6a562e439f6b6f0a165f003

  • SHA256

    59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

  • SHA512

    9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Score
10/10
globeimposterpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ���11 5D 33 7B F0 90 28 54 08 D5 EA A6 22 94 30 4B 7F 61 F4 EB 62 76 34 9B 01 00 81 F8 D3 1D 9D 7A 00 40 9D 70 51 42 F4 3B 6B 4F 9D 0F AF A9 07 BC FA 6F 5C 90 5F CD 35 23 9D 91 EE 22 5E 91 FE 5D FC 7B EE 6C B3 44 5F CC 97 B9 BA 89 6A 6E 73 3E A2 1F A7 6F B3 9B 90 D2 82 FB E4 20 76 58 95 93 89 ED FA A3 F7 73 DE 7B 9F E3 CD 94 57 71 04 88 28 24 CF 70 7E D5 D4 D8 9E 17 EF D5 73 7F A2 26 3D 70 6B 7C 2B F9 17 98 68 CF 51 85 5E 6B A2 89 60 95 5A EE 88 35 61 DF 13 95 4C 94 34 B5 C1 13 4E 98 44 1D 6B 92 C1 B9 8F 1E F4 79 A5 E4 65 7F A5 E2 E7 CC AA 2D 8C F4 75 8A 3F 92 2C 1E 0F C2 42 59 28 55 98 D0 80 D4 99 77 79 76 9A 33 85 B4 C0 D2 3B 1F DE 63 FA 0F BF E3 79 56 97 78 18 30 C4 1E B7 F6 E8 03 3C C1 1D 51 E4 EF A2 C9 63 E0 FD DB C6 39 2F 7F 06 97 8A 11 E3 DC 18 6F F4 A1
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 26 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\star.exe
    "C:\Users\Admin\AppData\Local\Temp\star.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1208
    • C:\Users\Admin\AppData\Local\Temp\star.exe
      "{path}"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      PID:320

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp
    Filesize

    1KB

    MD5

    27cb4ca940005c867da111b7fc422907

    SHA1

    bee062cdbafd01a56586c42da8b8974ef05077b0

    SHA256

    ef8edea78648042891efe5100ec476a326efe4202bcd6d8e0c2c20cac7ac7b47

    SHA512

    b20a747da044d45129c177d4d6b46560e11395d7d265de7674c31e100df9009db659a64b689000270cfc734c499ac3b4fc2d2ae07c72682f10742e735abf1c5e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe
    Filesize

    360KB

    MD5

    50f5b3f99a60e89c482689212e6c84c7

    SHA1

    da8559943ff158cedc14ae639b1b1f767afbe536

    SHA256

    bcfbc45332b2105520ad1d6a0a7140963f5e04cac7726f10b6e4f12547d9f4b9

    SHA512

    7e2e7e3d20bc6e82efdd8b8b658845ae3b4eb058e24e50f3628424eb61d8cd26bf4ae76110632f453515ebd8af03e9144d8a7d4c027d36e0e17a3205d162d09f

    Download Submit

  • memory/316-70-0x0000000071260000-0x0000000071F7D000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/316-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/316-54-0x00000000008E0000-0x0000000000940000-memory.dmp

    Filesize

    384KB

    Download

  • memory/316-59-0x0000000072120000-0x00000000722F1000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/316-60-0x0000000071F80000-0x0000000072114000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/316-61-0x0000000071260000-0x0000000071F7D000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/316-62-0x0000000071160000-0x000000007125C000-memory.dmp

    Filesize

    1008KB

    Download

  • memory/316-64-0x0000000070A20000-0x000000007115E000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/316-63-0x00000000002C0000-0x00000000002CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/316-65-0x00000000708C0000-0x0000000070989000-memory.dmp

    Filesize

    804KB

    Download

  • memory/316-66-0x0000000072D10000-0x000000007409F000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/316-67-0x0000000072300000-0x0000000072D10000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/316-68-0x0000000072120000-0x00000000722F1000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/316-69-0x0000000071F80000-0x0000000072114000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/316-58-0x0000000074330000-0x0000000074B10000-memory.dmp

    Filesize

    7.9MB

    Download

  • memory/316-72-0x0000000000570000-0x0000000000582000-memory.dmp

    Filesize

    72KB

    Download

  • memory/316-57-0x0000000072300000-0x0000000072D10000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/316-71-0x0000000004BD0000-0x0000000004C36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/316-56-0x0000000072D10000-0x000000007409F000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/316-88-0x0000000071260000-0x0000000071F7D000-memory.dmp

    Filesize

    13.1MB

    Download

  • memory/316-86-0x0000000071F80000-0x0000000072114000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/316-85-0x0000000072120000-0x00000000722F1000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/316-84-0x0000000072300000-0x0000000072D10000-memory.dmp

    Filesize

    10.1MB

    Download

  • memory/316-83-0x0000000072D10000-0x000000007409F000-memory.dmp

    Filesize

    19.6MB

    Download

  • memory/320-82-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/320-79-0x0000000000409F20-mapping.dmp

    Download

  • memory/320-78-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/320-76-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/320-75-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/320-87-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1208-73-0x0000000000000000-mapping.dmp

    Download