General

  • Target

    2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88

  • Size

    261KB

  • Sample

    220615-ehgrjsbgfk

  • MD5

    860b89a4138f744adbe41cee1de0848f

  • SHA1

    6367510a18f07252168ebdd7029f0e6cde919b8c

  • SHA256

    2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88

  • SHA512

    ed651840d87f8f5a79e2c9b57ae20f8d9e76dc14479cbbebd6f51b3f1ee95ecce70f791172f89c1d606a483c1f26bb247ade535d33e92211094931c80292ee2d

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Restore-My-Files.txt

Family

globeimposter

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://alcx6zctcmhmn3kx.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELO
###s6dlsnhtjwbhr###ED56F6A208E3EB2###

URLs

http://alcx6zctcmhmn3kx.onion/

http://helpinfh6vj47ift.onion/

Targets

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other secrets.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
