Analysis

  • max time kernel
    180s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 17:43

General

  • Target

    28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe

  • Size

    106KB

  • MD5

    0734b966a27e64eaeff718b18e469f6e

  • SHA1

    8214a6f9ac0c5c4ad4830b6829f2811a2dcfefe0

  • SHA256

    28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e

  • SHA512

    8a8c46890516e3e34be1de04a24720af96c217c472e133568b7220a191bab5560a9008aeb3d2c9239634295896ef237502c92cbe1fcfc51c76ce0adfbe73e063

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://alcx6zctcmhmn3kx.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 2 file for free decryption.
------------------------------------------------------------
alternate address - http://dtutgqjuzv7sktgl.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###[non-printable per-victim data follows; omitted]
URLs

http://alcx6zctcmhmn3kx.onion/

http://dtutgqjuzv7sktgl.onion/
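The two URLs and the marker above are what the sandbox pulled out of the dropped note. The following is an added example, not the sandbox's extractor or anything from the sample: it parses a constructed note in the same shape as the one shown (the trailing bytes stand in for the opaque blob after "DO NOT CHANGE DATA BELOW") and returns the unique .onion URLs, the marker between the ### delimiters, and the size of the blob that follows it. The regular expressions and the `SAMPLE_NOTE` contents are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a note in the same shape as the one the sandbox
# extracted from C:\Restore-My-Files.txt. The trailing bytes stand in for
# the opaque per-victim blob that follows "DO NOT CHANGE DATA BELOW".
SAMPLE_NOTE = (
    b"All your files are Encrypted!\r\n"
    b"For data recovery needs decryptor.\r\n"
    b"How to buy decryptor:\r\n"
    b"| 1. Download Tor browser - https://www.torproject.org/ and install it.\r\n"
    b"| 2. Open link in TOR browser - http://alcx6zctcmhmn3kx.onion/\r\n"
    b"| 3. Follow the instructions on this page\r\n"
    b"Note! This link is available via \"Tor Browser\" only.\r\n"
    b"alternate address - http://dtutgqjuzv7sktgl.onion/\r\n"
    b"DO NOT CHANGE DATA BELOW\r\n"
    b"###s6dlsnhtjwbhr###\x00\x8f\x12\xff\x00"
)

# v2 onion names are 16 base32 characters, v3 names are 56; accept either.
ONION_RE = re.compile(rb"https?://(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion/?", re.I)
# The marker is delimited by ### on both sides (assumed format, from the note above).
MARKER_RE = re.compile(rb"###([A-Za-z0-9]+)###")


def extract_config(note: bytes) -> Dict[str, object]:
    """Return the fields a sandbox would report for a note of this shape:
    unique .onion URLs in order of appearance, the ###-delimited marker,
    the length of the opaque blob after it, and the printable text of the
    note with that blob stripped."""
    urls: List[str] = []
    for m in ONION_RE.finditer(note):
        url = m.group(0).decode("ascii").lower()
        if url not in urls:
            urls.append(url)

    marker: Optional[str] = None
    blob_length = 0
    text_end = len(note)
    m = MARKER_RE.search(note)
    if m:
        marker = m.group(1).decode("ascii")
        blob_length = len(note) - m.end()   # bytes after the closing ###
        text_end = m.end()

    return {
        "urls": urls,
        "marker": marker,
        "blob_length": blob_length,
        "text": note[:text_end].decode("ascii", "replace"),
    }


if __name__ == "__main__":
    cfg = extract_config(SAMPLE_NOTE)
    print("URLs:   ", cfg["urls"])
    print("Marker: ", cfg["marker"])
    print("Blob:   ", cfg["blob_length"], "bytes")
```

Run it against the real `C:\Restore-My-Files.txt` from a detonation by reading the file in binary mode; decoding the whole note as text first would corrupt the bytes after the marker, which is why the parser works on `bytes` throughout.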

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Modifies extensions of user files (4 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops desktop.ini file(s) (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe
    "C:\Users\Admin\AppData\Local\Temp\28644496493462629e22aeebb030e2536dbdaccdaee4dd782106f3b5099e897e.exe"
    PID 3700 (process tree depth 1)
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
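The process tree attributes three of the signatures to PID 3700. As an added example, not part of the report and not the sandbox's own rule engine, the script below applies the same per-process signature logic to a constructed event list: file renames that change the extension of a user document, a value written under a Run key, desktop.ini writes, reads of browser profile data, and the drop of a note named Restore-My-Files.txt. PID 3700 and the note path come from the report; the user file paths, the ".encrypted" extension, the Run value name and the second PID 4100 are assumptions for illustration.

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of per-process events as (pid, kind, arg1, arg2).
# PID 3700 and C:\Restore-My-Files.txt match the report; the user paths,
# the ".encrypted" extension, the Run value name and PID 4100 are assumed.
EVENTS: List[Tuple[int, str, str, str]] = [
    (3700, "rename", r"C:\Users\Admin\Documents\budget.xlsx", r"C:\Users\Admin\Documents\budget.xlsx.encrypted"),
    (3700, "rename", r"C:\Users\Admin\Pictures\holiday.jpg", r"C:\Users\Admin\Pictures\holiday.jpg.encrypted"),
    (3700, "rename", r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes.txt.encrypted"),
    (3700, "rename", r"C:\Users\Admin\Music\track.mp3", r"C:\Users\Admin\Music\track.mp3.encrypted"),
    (3700, "rename", r"C:\Users\Admin\Documents\draft.tmp", r"C:\Users\Admin\Documents\draft.tmp"),  # same extension, not counted
    (3700, "regset", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update", r"C:\Users\Admin\AppData\Local\Temp\sample.exe"),
    (3700, "create", r"C:\Users\Admin\Documents\desktop.ini", ""),
    (3700, "create", r"C:\Users\Admin\Pictures\desktop.ini", ""),
    (3700, "create", r"C:\Restore-My-Files.txt", ""),
    (3700, "read", r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data", ""),
    (4100, "create", r"C:\Users\Admin\Desktop\desktop.ini", ""),                                    # e.g. Explorer, benign
    (4100, "rename", r"C:\Users\Admin\Downloads\setup.part", r"C:\Users\Admin\Downloads\setup.zip"),  # one download finishing
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
BROWSER_DATA_RE = re.compile(r"\\(?:Google\\Chrome\\User Data|Mozilla\\Firefox\\Profiles)\\", re.I)
NOTE_NAMES = {"restore-my-files.txt"}

SIG_EXT = "Modifies extensions of user files"
SIG_RUN = "Adds Run key to start application"
SIG_INI = "Drops desktop.ini file(s)"
SIG_BROWSER = "Reads user/profile data of web browsers"
SIG_NOTE = "Drops ransom note"


def is_user_file(path: str) -> bool:
    """Treat anything under a profile, except AppData, as a user document."""
    p = path.lower()
    return "\\users\\" in p and "\\appdata\\" not in p


def ext_of(path: str) -> str:
    # ntpath handles backslash paths correctly even when run on Linux.
    return ntpath.splitext(path)[1].lower()


def triage(events: List[Tuple[int, str, str, str]]) -> Dict[int, Dict[str, List[str]]]:
    """Group signature hits by PID, the way the report's process tree does."""
    hits: Dict[int, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for pid, kind, a, b in events:
        name = ntpath.basename(a).lower()
        if kind == "rename" and is_user_file(a) and ext_of(a) != ext_of(b):
            hits[pid][SIG_EXT].append(b)
        elif kind == "regset" and RUN_KEY_RE.search(a):
            hits[pid][SIG_RUN].append(f"{a} = {b}")
        elif kind == "create" and name == "desktop.ini":
            hits[pid][SIG_INI].append(a)
        elif kind == "create" and name in NOTE_NAMES:
            hits[pid][SIG_NOTE].append(a)
        elif kind == "read" and BROWSER_DATA_RE.search(a):
            hits[pid][SIG_BROWSER].append(a)
    return {pid: dict(sigs) for pid, sigs in hits.items()}


def looks_like_ransomware(sigs: Dict[str, List[str]], min_renames: int = 3) -> bool:
    """Verdict: bulk extension changes plus either persistence or a dropped note.
    desktop.ini writes and browser reads are supporting evidence only."""
    renames = len(sigs.get(SIG_EXT, []))
    return renames >= min_renames and (SIG_RUN in sigs or SIG_NOTE in sigs)


if __name__ == "__main__":
    for pid, sigs in sorted(triage(EVENTS).items()):
        verdict = "ransomware-like" if looks_like_ransomware(sigs) else "no verdict"
        print(f"PID {pid}: {verdict}")
        for sig, iocs in sigs.items():
            print(f"  {sig} ({len(iocs)} IoCs)")
```

Two caveats when reading the report's signature list with this in mind: Explorer legitimately writes desktop.ini, so that signature only matters when the writer is the sample; and on a ransomware sample, "Reads user/profile data of web browsers" is at least as likely to be the encryptor walking the profile as it is to be credential theft. That is why the verdict above keys on bulk extension changes combined with persistence or a note, and treats the other two as supporting evidence.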

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3700-130-0x0000000000B70000-0x0000000000B83000-memory.dmp

    Filesize

    76KB

  • memory/3700-131-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/3700-132-0x0000000000B70000-0x0000000000B83000-memory.dmp

    Filesize

    76KB