Analysis

  • max time kernel
    166s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 02:09

General

  • Target

    bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe

  • Size

    552KB

  • MD5

    f864a5f13e37bab86d97343b4d16ea59

  • SHA1

    d068383fecb14f38b58ba76a79d6cd8ea616cadd

  • SHA256

    bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3

  • SHA512

    58ea72ffeef34ec3699e55ab0fa049709c184a4d13710c910ed089e0bbf75637fc54d5a59aa92e9b52478b8f2220fe514a28c7d5e029ed197b5c753b81671b3b

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe
    "C:\Users\Admin\AppData\Local\Temp\bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Local\Temp\bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe
      C:\Users\Admin\AppData\Local\Temp\bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      PID:2020

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1616-56-0x0000000000280000-0x0000000000287000-memory.dmp

    Filesize

    28KB

  • memory/1616-57-0x00000000753B1000-0x00000000753B3000-memory.dmp

    Filesize

    8KB

  • memory/1616-59-0x0000000000280000-0x0000000000287000-memory.dmp

    Filesize

    28KB

  • memory/1616-60-0x0000000077520000-0x00000000776C9000-memory.dmp

    Filesize

    1.7MB

  • memory/1616-61-0x0000000077700000-0x0000000077880000-memory.dmp

    Filesize

    1.5MB

  • memory/2020-63-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/2020-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2020-65-0x0000000077520000-0x00000000776C9000-memory.dmp

    Filesize

    1.7MB

  • memory/2020-66-0x0000000077700000-0x0000000077880000-memory.dmp

    Filesize

    1.5MB

  • memory/2020-67-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/2020-68-0x0000000000220000-0x0000000000227000-memory.dmp

    Filesize

    28KB