Analysis

  • max time kernel
    166s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    03-06-2022 13:23

General

  • Target

    131ca56bb58b9fc68b7cc595e534208625bb9230d7d5b42e747ca4fa1945e044.exe

  • Size

    361KB

  • MD5

    3969f76be0d978d81cf587a7e8fab17a

  • SHA1

    2f69a78547ed0a7cb6869c237b50c6ed6c54cd77

  • SHA256

    131ca56bb58b9fc68b7cc595e534208625bb9230d7d5b42e747ca4fa1945e044

  • SHA512

    cdbebe34b661f449f9696c3bb2a27297b0e23e8e0b012d6a809c8a4ca12138fe2592170ea15c79076e3f9d3620f292a4847c48594459e207732e74037c14b2fc

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee. Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 27 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\131ca56bb58b9fc68b7cc595e534208625bb9230d7d5b42e747ca4fa1945e044.exe
    "C:\Users\Admin\AppData\Local\Temp\131ca56bb58b9fc68b7cc595e534208625bb9230d7d5b42e747ca4fa1945e044.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\131ca56bb58b9fc68b7cc595e534208625bb9230d7d5b42e747ca4fa1945e044.exe
      "C:\Users\Admin\AppData\Local\Temp\131ca56bb58b9fc68b7cc595e534208625bb9230d7d5b42e747ca4fa1945e044.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      PID:1100

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1100-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

    Filesize

    8KB

  • memory/1100-56-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB