General

  • Target

    215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf

  • Size

    256KB

  • Sample

    220612-kr5gvsadd5

  • MD5

    18110f51034492e14fc11dc9afa19d46

  • SHA1

    efa6ac306cbb3dcea1d4082bc17feb6e17957e4b

  • SHA256

    215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf

  • SHA512

    5c6cc348f4d64b561aab2bdce05d9b5c71907044562c6950c480d37b7691ace9f3d9ca74e64971d77e46bb009cc1c7566a92f58443af0b65811c94d210965594

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • Target

      215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf

    • Size

      256KB

    • MD5

      18110f51034492e14fc11dc9afa19d46

    • SHA1

      efa6ac306cbb3dcea1d4082bc17feb6e17957e4b

    • SHA256

      215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf

    • SHA512

      5c6cc348f4d64b561aab2bdce05d9b5c71907044562c6950c480d37b7691ace9f3d9ca74e64971d77e46bb009cc1c7566a92f58443af0b65811c94d210965594

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks