Analysis

  • max time kernel
    151s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-07-2022 13:53

General

  • Target

    501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6.exe

  • Size

    245KB

  • MD5

    e23a3bf2498683509a5f043d8d15dde6

  • SHA1

    412d5c51f08bc8338c2455c3041cab5959d5cc69

  • SHA256

    501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6

  • SHA512

    4d1069d86f795369048f349fa5756d93d443f635e166974d2137d846ff2a6eef833d8f7cf31fa1a8dfeae557334c4d010574e604d4ed99163ac7b37827c6ac4b

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/
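The indicators above can be pulled out of the note mechanically. The following is an added example and not part of the sandbox report; SAMPLE_NOTE is a constructed excerpt that mirrors the extracted note's layout, using the two .onion hostnames and the ###...### victim ID shown in the report. The function and class names are the example's own.

```python
"""Pull indicators out of a Restore-My-Files.txt style ransom note.

Added example, not part of the sandbox report. SAMPLE_NOTE is a constructed
excerpt that mirrors the extracted note's layout; the .onion hostnames and the
###...### victim ID are the ones shown in the report.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

SAMPLE_NOTE = """All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
Note! This link is available via "Tor Browser" only.
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
"""

# A URL runs until whitespace or one of the characters the note uses as borders.
URL_RE = re.compile(r"https?://[^\s\"'<>|]+", re.IGNORECASE)
# The per-victim token the note tells the victim not to alter.
VICTIM_ID_RE = re.compile(r"###([A-Za-z0-9]+)###")
# Onion labels are base32 (a-z, 2-7): 16 characters for v2, 56 for v3.
ONION_LABEL_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


@dataclass
class NoteIndicators:
    onion_hosts: List[str] = field(default_factory=list)    # deduplicated, in order of appearance
    clearnet_urls: List[str] = field(default_factory=list)  # e.g. the Tor Browser download link
    victim_id: Optional[str] = None


def onion_version(host: str) -> int:
    """Return 2 or 3 for a syntactically valid .onion hostname, otherwise raise."""
    label = host.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if not ONION_LABEL_RE.match(label):
        raise ValueError(f"not a well-formed onion address: {host}")
    return 2 if len(label) == 16 else 3


def extract_indicators(text: str) -> NoteIndicators:
    result = NoteIndicators()
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")  # drop sentence punctuation glued to the link
        host = (urlsplit(url).hostname or "").lower()
        if host.endswith(".onion"):
            if host not in result.onion_hosts:
                result.onion_hosts.append(host)
        elif url not in result.clearnet_urls:
            result.clearnet_urls.append(url)
    m = VICTIM_ID_RE.search(text)
    if m:
        result.victim_id = m.group(1)
    return result


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_NOTE)
    for h in ind.onion_hosts:
        print(f"onion v{onion_version(h)}: {h}")
    print("clearnet:", ind.clearnet_urls)
    print("victim id:", ind.victim_id)
```

Both addresses in this note are 16-character v2 onion names. The Tor network retired v2 onion services in 2021, so a current Tor Browser will not resolve them; they remain useful for clustering and dating samples rather than for live monitoring. The victim ID is the value to record per host, since the rest of the note text is shared across victims.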

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 27 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NTFS ADS 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6.exe
    "C:\Users\Admin\AppData\Local\Temp\501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:600
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:1240
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6.exe:Zone.Identifier"
      2⤵
      • NTFS ADS
      PID:1204
    • C:\Users\Admin\AppData\Local\Temp\501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6.exe
      "C:\Users\Admin\AppData\Local\Temp\501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • NTFS ADS
      PID:1904
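The process tree above shows three behaviours worth a detection rule: cmd.exe truncating the sample's own Zone.Identifier stream (removing the Mark-of-the-Web), the sample re-executing itself from Temp, and a Temp-resident binary driving a shell. The following is an added example and not part of the sandbox report. EVENTS is constructed from the tree shown above (PID, parent PID, image, command line); the report gives no parent for the root process, so 0 is used as a placeholder, and the explorer/notepad pair is a constructed benign control. Rule names and helper functions are the example's own.

```python
"""Flag the behaviours visible in the process tree above from process-creation records.

Added example, not part of the sandbox report. EVENTS is constructed from the
tree shown above; PPID 0 is a placeholder for the root process and the
explorer/notepad pair is a constructed benign control.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6.exe")
CMD_EXE = r"C:\Windows\SysWOW64\cmd.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


EVENTS: List[ProcEvent] = [
    ProcEvent(600, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(1240, 600, CMD_EXE, f'"C:\\Windows\\System32\\cmd.exe" /C type nul > "{SAMPLE_EXE}:Zone.Identifier"'),
    ProcEvent(1204, 600, CMD_EXE, f'"C:\\Windows\\System32\\cmd.exe" /C type nul > "{SAMPLE_EXE}:Zone.Identifier"'),
    ProcEvent(1904, 600, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),                       # constructed benign control
    ProcEvent(2001, 2000, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\Admin\notes.txt"),
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# A redirect, delete or Unblock-File aimed at the Zone.Identifier stream means the
# Mark-of-the-Web is being emptied or removed. `type nul > file:Zone.Identifier`
# truncates the stream to zero bytes, which the zone checks treat as unmarked.
MOTW_STRIP_RE = re.compile(r"(?:>|\bdel\b|\bremove-item\b|\bunblock-file\b)[^|&]*:Zone\.Identifier", re.I)
# Recover the path whose stream is being touched (drive-letter path up to ":Zone.Identifier").
MOTW_TARGET_RE = re.compile(r'([A-Za-z]:\\[^"<>|]*?):Zone\.Identifier', re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if MOTW_STRIP_RE.search(e.command_line):
            t = MOTW_TARGET_RE.search(e.command_line)
            findings.append(Finding(e.pid, "motw_stripped", t.group(1) if t else e.command_line))
        if parent is not None:
            # The same binary re-executing itself ("Executes dropped EXE" in the report).
            if parent.image.lower() == e.image.lower():
                findings.append(Finding(e.pid, "self_respawn", parent.image))
            # A binary running out of the user's Temp directory driving a shell.
            if in_user_temp(parent.image) and basename(e.image) in SHELLS:
                findings.append(Finding(e.pid, "temp_binary_spawns_shell", parent.image))
    return findings


def pids_for(findings: List[Finding], rule: str) -> List[int]:
    return [f.pid for f in findings if f.rule == rule]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"PID {f.pid:>5}  {f.rule:<26} {f.detail}")
```

The fields used here are the ones a Sysmon Event ID 1 (ProcessCreate) record carries; Sysmon Event ID 15 (FileCreateStreamHash) separately logs the write to the alternate data stream. On a live host, `Get-Item <file> -Stream Zone.Identifier` in PowerShell shows whether the stream is still present and non-empty. Note that the two cmd.exe entries in the tree are distinct processes (PIDs 1240 and 1204) running the same command, so a rule keyed on the command line fires twice for this sample.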

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6.exe

    Filesize

    245KB

    MD5

    e23a3bf2498683509a5f043d8d15dde6

    SHA1

    412d5c51f08bc8338c2455c3041cab5959d5cc69

    SHA256

    501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6

    SHA512

    4d1069d86f795369048f349fa5756d93d443f635e166974d2137d846ff2a6eef833d8f7cf31fa1a8dfeae557334c4d010574e604d4ed99163ac7b37827c6ac4b

  • \Users\Admin\AppData\Local\Temp\501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6.exe

    Filesize

    245KB

    MD5

    e23a3bf2498683509a5f043d8d15dde6

    SHA1

    412d5c51f08bc8338c2455c3041cab5959d5cc69

    SHA256

    501a58b5cd80e20474050c16383dadcf552e402005506da2046fa9f164dde9f6

    SHA512

    4d1069d86f795369048f349fa5756d93d443f635e166974d2137d846ff2a6eef833d8f7cf31fa1a8dfeae557334c4d010574e604d4ed99163ac7b37827c6ac4b

  • memory/600-55-0x00000000756B1000-0x00000000756B3000-memory.dmp

    Filesize

    8KB

  • memory/600-58-0x0000000000EB0000-0x0000000000EB8000-memory.dmp

    Filesize

    32KB

  • memory/600-60-0x0000000000F00000-0x0000000000F0C000-memory.dmp

    Filesize

    48KB

  • memory/600-56-0x0000000000940000-0x000000000096A000-memory.dmp

    Filesize

    168KB

  • memory/600-54-0x00000000012A0000-0x00000000012E4000-memory.dmp

    Filesize

    272KB

  • memory/600-61-0x0000000000A40000-0x0000000000A4C000-memory.dmp

    Filesize

    48KB

  • memory/1904-63-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1904-66-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1904-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1904-71-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1904-72-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB