globeimposter | 215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf

Analysis

max time kernel
150s
max time network
165s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-06-2022 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
Size

256KB
MD5

18110f51034492e14fc11dc9afa19d46
SHA1

efa6ac306cbb3dcea1d4082bc17feb6e17957e4b
SHA256

215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf
SHA512

5c6cc348f4d64b561aab2bdce05d9b5c71907044562c6950c480d37b7691ace9f3d9ca74e64971d77e46bb009cc1c7566a92f58443af0b65811c94d210965594

Score

10^/10

globeimposter lockbit persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��84 D7 9F B2 F4 80 1E 25 F3 E8 09 DC DA 2A BF 75 30 4E 77 19 68 1B 42 28 E2 BB FA A0 E3 40 19 77 41 FF 03 56 2F 2D A1 C1 89 E8 43 19 19 25 77 BE 6E 24 64 D8 1B 49 DB 33 D9 2F A4 14 5F BE 01 29 E3 9A B5 BB E3 84 B4 78 17 D2 91 9F 41 10 80 CC E3 4A 63 3A B1 32 40 8C B6 BF 6C 10 2B FB AF BD 1C 01 E9 84 35 C2 2C B0 B1 1D EF 68 31 78 31 F1 6F 2D F6 7C 88 08 DF 47 87 2B 9D AA 89 94 95 D3 B6 90 1E 95 BD B4 76 5B 3D CB 9E 8E 49 7A 0B 48 EF C0 81 42 7A 58 6B 05 B4 51 B3 24 25 AA 88 BE 08 0E 33 DC 38 FA 03 91 48 EC 6D A1 E8 97 0F 4A 95 C8 2F 6B 0B E5 8F 77 42 9A 6F A0 C3 28 5D F5 DA D0 41 C3 51 D5 E8 64 12 1D 46 3F BC D6 2C 42 CC 4E 0B ED 46 20 65 6B 4E C4 71 A5 64 AC 68 7B 5C F4 16 B3 46 66 2D 93 E7 A1 9C 98 E8 54 C2 2B 68 E6 52 83 26 77 1D 83 2F DB A3 EF CF DA DC E6 ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Executes dropped EXE 1 IoCs

pid	Process
1068	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ExitPop.png => C:\Users\Admin\Pictures\ExitPop.png.DOCM	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Pictures\MountRevoke.tiff	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File renamed	C:\Users\Admin\Pictures\MountRevoke.tiff => C:\Users\Admin\Pictures\MountRevoke.tiff.DOCM	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File renamed	C:\Users\Admin\Pictures\PingMount.crw => C:\Users\Admin\Pictures\PingMount.crw.DOCM	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File renamed	C:\Users\Admin\Pictures\TestConnect.raw => C:\Users\Admin\Pictures\TestConnect.raw.DOCM	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe

Loads dropped DLL 1 IoCs

pid	Process
780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe"	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Users\Public\desktop.ini	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 780 set thread context of 1068	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	31

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHLTS.DLL	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPEDITOR.DLL	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.Adapter.dll	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Restore-My-Files.txt	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Installed_schemas14.xss	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\VSTAProjectUI.dll	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialMergeLetter.dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeFax.Dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\EquityFax.Dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Contacts.accdt	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CDLMSO.DLL	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EntityPicker.dll	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\WidescreenPresentation.potx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryLetter.dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ClassicPhotoAlbum.potx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginReport.Dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EMABLT32.DLL	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ENVELOPE.DLL	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File created	C:\Program Files (x86)\MSBuild\Restore-My-Files.txt	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyResume.dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.JPG	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.JPG	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CGMIMP32.HLP	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKExcel.dll	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Text.zip	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Class.zip	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceqp35.dll	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Restore-My-Files.txt	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadata.xsd	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CSS7DATA000A.DLL	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieNewsletter.dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BloodPressureTracker.xltx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Start End Dates.accft	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianReport.Dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHSAPIFE.DLL	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEAWSDC.DLL	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Restore-My-Files.txt	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryNewsletter.dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Northwind.accdt	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Students.accdt	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Top.accdt	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Microsoft.Synchronization.Data.SqlServerCe.dll	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginLetter.Dotx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\SalesReport.xltx	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\007790F6561DAD89B0BCD85585762495E358F8A5	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\SystemCertificates\CA\Certificates\007790F6561DAD89B0BCD85585762495E358F8A5\Blob = 030000000100000014000000007790f6561dad89b0bcd85585762495e358f8a5140000000100000014000000963b53f0793397af7d83ef2e2bcccab7861e7266040000000100000010000000197460a709d4f4c8fac4b9e3322054340f0000000100000020000000a08e79c386083d875014c409c13d144e0a24386132980df11ff59737c8489eb11900000001000000100000008c94d3a163ad461aff343c0b830a90ce180000000100000010000000d8b5fb368468620275d142ffd2aade374b0000000100000044000000430034003600450037004200300046003900340032003600360033004100310045004400430038004400390044003600440037003800360039003100370033005f00000020000000010000005d0500003082055930820441a00302010202103d78d7f9764960b2617df4f01eca862a300d06092a864886f70d01010b05003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3133313231303030303030305a170d3233313230393233353935395a307f310b3009060355040613025553311d301b060355040a131453796d616e74656320436f72706f726174696f6e311f301d060355040b131653796d616e746563205472757374204e6574776f726b3130302e0603550403132753796d616e74656320436c61737320332053484132353620436f6465205369676e696e6720434130820122300d06092a864886f70d01010105000382010f003082010a028201010097831e0016af2cb1d208c4d7689351601e71f6e247b4db584d23626ab4bf5a1b51f7a30d187768bbd836ab2f2150da9ef3e75f274e0bc297c8097093a9da5c0d4ea40d91a0b4ec14ce9172542ecea3db44e9521b3f413cca4ae4aac0e839ab53cc21d0cccf7f9be6c2cc586a8215ee3d36cf1cc59707248ef17bbe312d3d6edcb599429f4b61955f1c70ee177ddb8be5618978c7681baf11781a98aec4554753d9b332d6a10e4640c597928ad153a7995b853557d3ea936261200ac7307724114d6283b6ba7b688231ee65cadff9d58db235dc8c2b6f6a725c60849cf20c945ec056520048ccd3f8a57dde2fd713e438a884d546b81386c21b9dea5a38dd9bdb0203010001a38201833082017f302f06082b0601050507010104233021301f06082b060105050730018613687474703a2f2f73322e73796d63622e636f6d30120603551d130101ff040830060101ff020100306c0603551d20046530633061060b6086480186f845010717033052302606082b06010505070201161a687474703a2f2f7777772e73796d617574682e636f6d2f637073302806082b06010505070202301c1a1a687474703a2f2f7777772e73796d617574682e636f6d2f72706130300603551d1f042930273025a023a021861f687474703a2f2f73312e73796d63622e636f6d2f706361332d67352e63726c301d0603551d250416301406082b0601050507030206082b06010505070303300e0603551d0f0101ff04040302010630290603551d1104223020a41e301c311a30180603550403131153796d616e746563504b492d312d353637301d0603551d0e04160414963b53f0793397af7d83ef2e2bcccab7861e7266301f0603551d230418301680147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d01010b0500038201010013851a1e69a937f7a0bda4af7e1d6153fe9d8c5e0ca6751e781723ddfdec1a035539fb7195c7655aa78e30d2445a61db706fda2105c22e73ba49f1d193fe5dc9cd5e03e0899e3f741ed7f7388ba9d6cfbb352f3358a89256d1c84d3b82e6798416fc28b0b147f31da23eee87d9a67fa456a53fad842e29de7cbca8aaa33d0401eaba93a20e502229174c87e43a115fd6a425899b056b2fb4c9014c277b0bac190522a060153fdac9fb4d4c8ffb726777fd2794c7ba350e8849fe8dfd28af4a12bd0db39705de440c15fa362b03dcc15001f1a1115d14e5e2bd274b54be2b845e0fa6c374050aef97c38922b11f77f3bdcd43d4f14ca93fb58b84af64f2d01421	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe\:Zone.Identifier:$DATA	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
File created	C:\Users\Admin\AppData\Local\Temp\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2016	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	27
PID 780 wrote to memory of 2016	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	27
PID 780 wrote to memory of 2016	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	27
PID 780 wrote to memory of 2016	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	27
PID 780 wrote to memory of 268	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	29
PID 780 wrote to memory of 268	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	29
PID 780 wrote to memory of 268	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	29
PID 780 wrote to memory of 268	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	29
PID 780 wrote to memory of 1068	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	31
PID 780 wrote to memory of 1068	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	31
PID 780 wrote to memory of 1068	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	31
PID 780 wrote to memory of 1068	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	31
PID 780 wrote to memory of 1068	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	31
PID 780 wrote to memory of 1068	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	31
PID 780 wrote to memory of 1068	780	215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe	31

C:\Users\Admin\AppData\Local\Temp\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
"C:\Users\Admin\AppData\Local\Temp\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2016
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:268
- C:\Users\Admin\AppData\Local\Temp\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe
  "C:\Users\Admin\AppData\Local\Temp\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - NTFS ADS
  PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe

Filesize
256KB

MD5
18110f51034492e14fc11dc9afa19d46

SHA1
efa6ac306cbb3dcea1d4082bc17feb6e17957e4b

SHA256
215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf

SHA512
5c6cc348f4d64b561aab2bdce05d9b5c71907044562c6950c480d37b7691ace9f3d9ca74e64971d77e46bb009cc1c7566a92f58443af0b65811c94d210965594

Download Submit
\Users\Admin\AppData\Local\Temp\215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf.exe

Filesize
256KB

MD5
18110f51034492e14fc11dc9afa19d46

SHA1
efa6ac306cbb3dcea1d4082bc17feb6e17957e4b

SHA256
215afd5082700778508aef3e9d40b242206dab74801a1d13d3a59dbb1168dfbf

SHA512
5c6cc348f4d64b561aab2bdce05d9b5c71907044562c6950c480d37b7691ace9f3d9ca74e64971d77e46bb009cc1c7566a92f58443af0b65811c94d210965594

Download Submit
memory/780-58-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/780-54-0x0000000000B70000-0x0000000000BB4000-memory.dmp

Filesize
272KB

Download
memory/780-60-0x0000000004290000-0x000000000429C000-memory.dmp

Filesize
48KB

Download
memory/780-61-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/780-56-0x00000000004B0000-0x00000000004DA000-memory.dmp

Filesize
168KB

Download
memory/780-55-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1068-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1068-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1068-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1068-71-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1068-72-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads