Analysis
max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-07-2022 07:03
Static task
static1
Behavioral task
behavioral1
Sample
410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
Resource
win10v2004-20220414-en
General
Target
410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
Size
198KB
MD5
40b0769ba2e5d575cdd325b81ffd8792
SHA1
88793e0e6329cbfa02a7f6ad2f80a4d6fa01ff0f
SHA256
410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c
SHA512
3d68d9bfc9675e815eaa0ab149e9490cad69d1177c29d402e91a09bbef8a0655ed7cce7e241366f5540f81acf002c878d759bc12255ce73f70856a9f1f324012
Malware Config
Signatures
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe" | 410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
1420 | taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
pid | process
4260 | 410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
4260 | 410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 1420 | taskkill.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: 410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
description | pid | process | target process
PID 4260 wrote to memory of 1420 | 4260 | 410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe | taskkill.exe
PID 4260 wrote to memory of 1420 | 4260 | 410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe | taskkill.exe
PID 4260 wrote to memory of 1420 | 4260 | 410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe | taskkill.exe
Processes
C:\Users\Admin\AppData\Local\Temp\410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe
  "C:\Users\Admin\AppData\Local\Temp\410efb1938ab06cf29acbcd24a3eca81c5d6d0c84778997adad1b5f0ecfb455c.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4260
  C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /T /PID 4260
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1420