General

  • Target

    3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5

  • Size

    230KB

  • Sample

    220703-en4hhagdg5

  • MD5

    9734cd0bc2ffc92b17ffa2dccaaedab1

  • SHA1

    c2c851d95135f86884cc99917503973c17995518

  • SHA256

    3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5

  • SHA512

    38b6391db917c6aa3ad2d834fd366d1b3874ee188fd0c7bb6ef96541d35325fea9e916fd64e822188d3ab4bbce9efaf844633c61a28833ecb7ca5ba211df0ccb

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • Target

      3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5

    • Size

      230KB

    • MD5

      9734cd0bc2ffc92b17ffa2dccaaedab1

    • SHA1

      c2c851d95135f86884cc99917503973c17995518

    • SHA256

      3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5

    • SHA512

      38b6391db917c6aa3ad2d834fd366d1b3874ee188fd0c7bb6ef96541d35325fea9e916fd64e822188d3ab4bbce9efaf844633c61a28833ecb7ca5ba211df0ccb

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks