Analysis

  • max time kernel
    91s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-07-2022 07:03

General

  • Target

    410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe

  • Size

    198KB

  • MD5

    40b0769ba2e5d575cdd325b81ffd8792

  • SHA1

    88793e0e6329cbfa02a7f6ad2f80a4d6fa01ff0f

  • SHA256

    410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c

  • SHA512

    3d68d9bfc9675e815eaa0ab149e9490cad69d1177c29d402e91a09bbef8a0655ed7cce7e241366f5540f81acf002c878d759bc12255ce73f70856a9f1f324012

Malware Config

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
    "C:\Users\Admin\AppData\Local\Temp\410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4260
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /T /PID 4260
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1420

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1420-130-0x0000000000000000-mapping.dmp

  • memory/4260-131-0x000000000087E000-0x0000000000888000-memory.dmp

    Filesize

    40KB

  • memory/4260-132-0x0000000000400000-0x0000000000534000-memory.dmp

    Filesize

    1.2MB

  • memory/4260-133-0x000000000087E000-0x0000000000888000-memory.dmp

    Filesize

    40KB