Analysis
-
max time kernel
172s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25-06-2022 02:09
Static task
static1
Behavioral task
behavioral1
Sample
bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe
Resource
win10v2004-20220414-en
General
-
Target
bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe
-
Size
552KB
-
MD5
f864a5f13e37bab86d97343b4d16ea59
-
SHA1
d068383fecb14f38b58ba76a79d6cd8ea616cadd
-
SHA256
bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3
-
SHA512
58ea72ffeef34ec3699e55ab0fa049709c184a4d13710c910ed089e0bbf75637fc54d5a59aa92e9b52478b8f2220fe514a28c7d5e029ed197b5c753b81671b3b
Malware Config
Extracted
C:\Restore-My-Files.txt
http://decrmbgpvh6kvmti.onion/
http://helpinfh6vj47ift.onion/
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ConfirmInvoke.raw => C:\Users\Admin\Pictures\ConfirmInvoke.raw.DOCM bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File renamed C:\Users\Admin\Pictures\SendUndo.png => C:\Users\Admin\Pictures\SendUndo.png.DOCM bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File renamed C:\Users\Admin\Pictures\CompareRedo.crw => C:\Users\Admin\Pictures\CompareRedo.crw.DOCM bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File renamed C:\Users\Admin\Pictures\ConvertToExpand.tif => C:\Users\Admin\Pictures\ConvertToExpand.tif.DOCM bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File renamed C:\Users\Admin\Pictures\DisableLimit.png => C:\Users\Admin\Pictures\DisableLimit.png.DOCM bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File renamed C:\Users\Admin\Pictures\PopSwitch.tif => C:\Users\Admin\Pictures\PopSwitch.tif.DOCM bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File renamed C:\Users\Admin\Pictures\SendReceive.png => C:\Users\Admin\Pictures\SendReceive.png.DOCM bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Pictures\AddDismount.tiff bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File renamed C:\Users\Admin\Pictures\AddDismount.tiff => C:\Users\Admin\Pictures\AddDismount.tiff.DOCM bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File renamed C:\Users\Admin\Pictures\BackupSearch.tif => C:\Users\Admin\Pictures\BackupSearch.tif.DOCM bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe" bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe -
Drops desktop.ini file(s) 24 IoCs
description ioc Process File opened for modification C:\Users\Public\Libraries\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Videos\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Links\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Documents\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Public\Desktop\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Searches\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Music\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Public\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Public\Videos\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Public\Pictures\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Public\Documents\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Public\Music\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Public\Downloads\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4740 set thread context of 4988 4740 bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe 79 -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4740 bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4740 wrote to memory of 4988 4740 bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe 79 PID 4740 wrote to memory of 4988 4740 bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe 79 PID 4740 wrote to memory of 4988 4740 bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe"C:\Users\Admin\AppData\Local\Temp\bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Users\Admin\AppData\Local\Temp\bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exeC:\Users\Admin\AppData\Local\Temp\bffc07c822218280045b3de30a010b16e7dc3e8e24b66eafa502d2d1b09bd7d3.exe"2⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
PID:4988
-