General

  • Target

    501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6

  • Size

    245KB

  • Sample

    220719-q65ztsdbd7

  • MD5

    e23a3bf2498683509a5f043d8d15dde6

  • SHA1

    412d5c51f08bc8338c2455c3041cab5959d5cc69

  • SHA256

    501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6

  • SHA512

    4d1069d86f795369048f349fa5756d93d443f635e166974d2137d846ff2a6eef833d8f7cf31fa1a8dfeae557334c4d010574e604d4ed99163ac7b37827c6ac4b

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • Target

      501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6

    • Size

      245KB

    • MD5

      e23a3bf2498683509a5f043d8d15dde6

    • SHA1

      412d5c51f08bc8338c2455c3041cab5959d5cc69

    • SHA256

      501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6

    • SHA512

      4d1069d86f795369048f349fa5756d93d443f635e166974d2137d846ff2a6eef833d8f7cf31fa1a8dfeae557334c4d010574e604d4ed99163ac7b37827c6ac4b

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks