Analysis

  • max time kernel
    149s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
  • submitted
    24-07-2022 14:31

General

  • Target

    5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe

  • Size

    528KB

  • MD5

    22dce5b7daed8cfb14aa9e8e7eed1d2f

  • SHA1

    ad04ba678cdc09526804c6f2a6341b221c9ac73f

  • SHA256

    5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2

  • SHA512

    64cd8f6c65f31e8a6e7db7a9dbb892f36b553ccdf7f4327f06148fd93fc2e50228351b99318daf2512aa00d901791d1b3c997d291a17ade5eb2ffaf224069f09

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###[binary data]
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/
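The two onion contact addresses and the victim identifier between the `###` markers are the actionable indicators in this note, and they can be pulled out mechanically rather than by hand. The following Python is an added example and is not part of the sandbox report or the malware: the note bytes are reconstructed from the text shown above with six placeholder bytes standing in for the binary blob that follows the marker, and the `hxxp`/`[.]` defanging format is an assumption about how the reader's reports are written.

```python
import re

# Constructed from the note text shown in this report; the binary key blob
# after the victim-ID marker is stood in for by six placeholder bytes.
NOTE_BYTES = (
    b"All your files are Encrypted! For data recovery needs decryptor.\r\n"
    b"How to buy decryptor:\r\n"
    b"| 1. Download Tor browser - https://www.torproject.org/ and install it.\r\n"
    b"| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/\r\n"
    b"| 3. Follow the instructions on this page\r\n"
    b"alternate address - http://helpinfh6vj47ift.onion/\r\n"
    b"DO NOT CHANGE DATA BELOW\r\n"
    b"###s6dlsnhtjwbhr###\x00\xff\x10\x42\x00\x9a"
)

# v2 onion names are exactly 16 base32 characters, v3 names are 56; anything
# else that looks like an onion URL is noise and is ignored.
ONION_RE = re.compile(rb"https?://([a-z2-7]{16}|[a-z2-7]{56})\.onion/?", re.IGNORECASE)
# LockBit-style notes wrap the per-victim identifier in ### markers.
VICTIM_ID_RE = re.compile(rb"###([A-Za-z0-9]+)###")


def extract_note_iocs(note: bytes) -> dict:
    """Return onion URLs, the victim ID and the size of the opaque trailer."""
    onions = []
    for m in ONION_RE.finditer(note):
        url = m.group(0).decode("ascii").lower()
        if url not in onions:          # keep first-seen order, drop repeats
            onions.append(url)
    vid = VICTIM_ID_RE.search(note)
    victim_id = vid.group(1).decode("ascii") if vid else None
    # Everything after the marker is operator data the victim must not alter;
    # its length is worth recording even though its content is opaque.
    trailer_len = len(note) - vid.end() if vid else 0
    return {"onion_urls": onions, "victim_id": victim_id, "trailer_len": trailer_len}


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked or auto-linked in a report."""
    return url.replace("http", "hxxp", 1).replace(".onion", "[.]onion")


if __name__ == "__main__":
    iocs = extract_note_iocs(NOTE_BYTES)
    for u in iocs["onion_urls"]:
        print(defang(u))
    print("victim id:", iocs["victim_id"], "trailer bytes:", iocs["trailer_len"])
```

The parser works on bytes rather than a decoded string on purpose: the trailer after the marker is not valid text, and decoding the whole file first would either fail or silently corrupt the part whose length you want to record.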

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 27 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
    "C:\Users\Admin\AppData\Local\Temp\5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
      C:\Users\Admin\AppData\Local\Temp\5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      PID:948
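The process tree above has the shape a detection engineer looks for in ransomware that unpacks itself at runtime: PID 1620 spawns a second copy of its own image (PID 948) and touches it with WriteProcessMemory and SetThreadContext, and it is the child that renames user files, drops the note and sets the Run key. The following Python is an added example, not code from the sandbox or the malware: it runs those four checks over a constructed event log in a simplified format. The PIDs, image path, API names, note path and Run key come from this report; the renamed user files, the `.locked` extension and the Run value name are hypothetical, since the report does not show them.

```python
import ntpath
from collections import defaultdict

# Values taken from the report above.
EXE = r"C:\Users\Admin\AppData\Local\Temp\5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed event log in a simplified sandbox format. The user files, the
# ".locked" extension and the "updater" value name are hypothetical.
EVENTS = [
    {"pid": 1620, "op": "create_process", "child_pid": 948, "image": EXE},
    {"pid": 1620, "op": "api", "name": "WriteProcessMemory", "target_pid": 948},
    {"pid": 1620, "op": "api", "name": "SetThreadContext", "target_pid": 948},
    {"pid": 1620, "op": "api", "name": "SetWindowsHookEx"},
    {"pid": 948, "op": "rename", "src": r"C:\Users\Admin\Documents\budget.xlsx", "dst": r"C:\Users\Admin\Documents\budget.xlsx.locked"},
    {"pid": 948, "op": "rename", "src": r"C:\Users\Admin\Pictures\cat.jpg", "dst": r"C:\Users\Admin\Pictures\cat.jpg.locked"},
    {"pid": 948, "op": "rename", "src": r"C:\Users\Admin\Documents\notes.txt", "dst": r"C:\Users\Admin\Documents\notes.txt.locked"},
    {"pid": 948, "op": "rename", "src": r"C:\Users\Admin\Desktop\draft.docx", "dst": r"C:\Users\Admin\Desktop\draft.docx.locked"},
    {"pid": 948, "op": "write", "path": r"C:\Restore-My-Files.txt"},
    {"pid": 948, "op": "write", "path": r"C:\Program Files\Common Files\desktop.ini"},
    {"pid": 948, "op": "reg_set", "key": RUN_KEY, "name": "updater", "data": EXE},
    # A single rename by the parent: legitimate software does this all the time.
    {"pid": 1620, "op": "rename", "src": r"C:\Users\Admin\old.log", "dst": r"C:\Users\Admin\old.log.bak"},
]

# Ransom-note file names to match; this report gives exactly one.
NOTE_NAMES = {"restore-my-files.txt"}


def process_images(events, seed):
    """Map pid -> image path, seeded with processes that predate the log."""
    images = dict(seed)
    for e in events:
        if e["op"] == "create_process":
            images[e["child_pid"]] = e["image"]
    return images


def find_self_injection(events, seed_images):
    """Parent spawns its own image, then writes into it and redirects a thread."""
    images = process_images(events, seed_images)
    apis = defaultdict(set)
    for e in events:
        if e["op"] == "api" and "target_pid" in e:
            apis[(e["pid"], e["target_pid"])].add(e["name"])
    hits = []
    for e in events:
        if e["op"] != "create_process":
            continue
        parent, child = e["pid"], e["child_pid"]
        same_image = images.get(parent, "").lower() == e["image"].lower()
        if same_image and {"WriteProcessMemory", "SetThreadContext"} <= apis[(parent, child)]:
            hits.append((parent, child))
    return hits


def find_mass_extension_change(events, threshold=3):
    """Count renames per pid that replace the file extension; return those over threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["op"] != "rename":
            continue
        src_ext = ntpath.splitext(e["src"])[1].lower()
        dst_ext = ntpath.splitext(e["dst"])[1].lower()
        if src_ext and src_ext != dst_ext:
            counts[e["pid"]] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def find_run_key_persistence(events):
    """Values written under the per-user or machine Run/RunOnce keys."""
    return [(e["pid"], e["key"], e["data"]) for e in events
            if e["op"] == "reg_set"
            and e["key"].lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce"))]


def find_ransom_notes(events):
    return [(e["pid"], e["path"]) for e in events
            if e["op"] == "write" and ntpath.basename(e["path"]).lower() in NOTE_NAMES]


def triage(events, seed_images):
    """Combine the signals; extension churn plus a note is the decisive pair."""
    injection = find_self_injection(events, seed_images)
    renames = find_mass_extension_change(events)
    persistence = find_run_key_persistence(events)
    notes = find_ransom_notes(events)
    signals = sum(bool(x) for x in (injection, renames, persistence, notes))
    if renames and (notes or signals >= 3):
        verdict = "ransomware"
    elif signals:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"self_injection": injection, "mass_extension_change": renames,
            "run_key_persistence": persistence, "ransom_notes": notes, "verdict": verdict}


if __name__ == "__main__":
    # PID 1620 was started by the sandbox, so its image is seeded rather than observed.
    print(triage(EVENTS, {1620: EXE}))
```

The injection check alone only yields "suspicious": packers and some legitimate installers also spawn a child of their own image and write into it, so it is the combination with mass extension changes and a dropped note that justifies the ransomware verdict. The rename threshold of three is deliberately low for a sandbox run that touched only a handful of files; on a production endpoint you would raise it and rate it per minute.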

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/948-63-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/948-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/948-65-0x0000000077440000-0x00000000775E9000-memory.dmp

    Filesize

    1.7MB

  • memory/948-66-0x0000000077620000-0x00000000777A0000-memory.dmp

    Filesize

    1.5MB

  • memory/948-67-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

  • memory/948-68-0x0000000000220000-0x0000000000227000-memory.dmp

    Filesize

    28KB

  • memory/1620-56-0x00000000002C0000-0x00000000002C7000-memory.dmp

    Filesize

    28KB

  • memory/1620-57-0x0000000075A61000-0x0000000075A63000-memory.dmp

    Filesize

    8KB

  • memory/1620-60-0x0000000077440000-0x00000000775E9000-memory.dmp

    Filesize

    1.7MB

  • memory/1620-59-0x00000000002C0000-0x00000000002C7000-memory.dmp

    Filesize

    28KB

  • memory/1620-61-0x0000000077620000-0x00000000777A0000-memory.dmp

    Filesize

    1.5MB