Analysis

  • max time kernel
    152s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-07-2022 17:40

General

  • Target

    90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91.exe

  • Size

    276KB

  • MD5

    0f98b7b43ab1b3e2a957c5361fc403cd

  • SHA1

    6afc0ae820991afcf9d6eeab0cbb68378b2f8d00

  • SHA256

    90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91

  • SHA512

    f56b1fbf9ec6c63807882166fd8845ba4660eb16403706d4d0b3c4ee3de8a86549771e516d017058da9a023f787b997855733b975ad98569975655d92101ffb3

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee. Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/
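The two .onion addresses listed above were pulled out of the dropped note by the sandbox's config extractor. As an added example, not part of this report or of any sandbox tooling, the Python below performs the same extraction against the note text quoted above: it collects every .onion URL in order, reads the victim identifier that sits between the ### markers after "DO NOT CHANGE DATA BELOW", and returns the raw bytes that follow it. The few bytes appended after the marker stand in for the binary blob that follows it in the real note and are constructed for the example; the function names are likewise this example's own.

```python
import re
import sys

# Note text copied from the report above, run together into one string. The
# bytes appended after the ### marker are a constructed stand-in for the binary
# key material that follows the marker in the real Restore-My-Files.txt.
RANSOM_NOTE = (
    "All your files are Encrypted! For data recovery needs decryptor. "
    "How to buy decryptor: "
    "| 1. Download Tor browser - https://www.torproject.org/ and install it. "
    "| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ "
    "| 3. Follow the instructions on this page "
    'Note! This link is available via "Tor Browser" only. '
    "Free decryption as guarantee. Before paying you can send us 1 file for free decryption. "
    "alternate address - http://helpinfh6vj47ift.onion/ "
    "DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###"
).encode("ascii") + b"\xff\xfe\x00\x13\x9a"

# v2 onion names are 16 base32 characters, v3 names are 56; both are accepted.
ONION_RE = re.compile(rb"https?://[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion/?", re.IGNORECASE)
MARKER_RE = re.compile(rb"###([^#]+)###")


def extract_onion_urls(note: bytes) -> list:
    """Every distinct .onion URL in the note, lower-cased, in order of appearance."""
    urls = []
    for m in ONION_RE.finditer(note):
        url = m.group(0).decode("ascii").lower()
        if url not in urls:
            urls.append(url)
    return urls


def extract_victim_id(note: bytes):
    """The identifier between the ### markers, or None if the marker is absent."""
    m = MARKER_RE.search(note)
    return m.group(1).decode("ascii", "replace") if m else None


def key_blob(note: bytes) -> bytes:
    """Raw bytes after the marker: the per-victim data the note says not to alter."""
    m = MARKER_RE.search(note)
    return note[m.end():] if m else b""


def extract_indicators(note: bytes) -> dict:
    return {
        "urls": extract_onion_urls(note),
        "victim_id": extract_victim_id(note),
        "blob_length": len(key_blob(note)),
    }


if __name__ == "__main__":
    # Usage: python extract_note.py C:\Restore-My-Files.txt (falls back to the embedded note)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else RANSOM_NOTE
    print(extract_indicators(data))
```

The note is handled as bytes rather than decoded text on purpose: the section after the marker is not text, and decoding the whole file with a text codec would either fail or silently mangle exactly the part an analyst may want to keep for comparison across victims.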

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91.exe
    "C:\Users\Admin\AppData\Local\Temp\90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91.exe
      "C:\Users\Admin\AppData\Local\Temp\90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      PID:1564
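The tree above is what the individual signatures describe when read together: PID 1672 runs the sample, is credited with SetThreadContext, WriteProcessMemory and MapViewOfSection, and spawns a second copy of the same executable (PID 1564); every ransomware behaviour (extension changes, Run key, desktop.ini drops) is then attributed to that child. The payload therefore runs inside a process whose image path is the original file, so a detection keyed only on the parent's PID misses the destructive activity. As an added example, not part of this report, the Python below correlates a constructed event stream modelled on these two processes: it flags a parent that writes memory and redirects a thread in a child running its own image path, and re-attributes the child's behaviours to the injecting parent. The event schema, the grandparent PID 1000 and the control-case cmd.exe processes are assumptions for the example, not any sandbox's export format.

```python
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\90f277b97d30399367a7e56551bbf2135c4968ade64100863095dc7031f34c91.exe")

# Constructed events modelled on the process tree in this report. The schema
# (kind / pid / ppid / target / api / detail), the parent PID 1000 and the
# cmd.exe control case are assumptions for the example, not a sandbox format.
EVENTS = [
    {"kind": "process_create", "pid": 1672, "ppid": 1000, "image": SAMPLE},
    {"kind": "api", "pid": 1672, "api": "EnumProcesses", "target": None},
    {"kind": "process_create", "pid": 1564, "ppid": 1672, "image": SAMPLE},
    {"kind": "api", "pid": 1672, "api": "WriteProcessMemory", "target": 1564},
    {"kind": "api", "pid": 1672, "api": "WriteProcessMemory", "target": 1564},
    {"kind": "api", "pid": 1672, "api": "SetThreadContext", "target": 1564},
    {"kind": "file_rename", "pid": 1564, "detail": "user file extension changed"},
    {"kind": "registry_set", "pid": 1564,
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run (value name not in report)"},
    {"kind": "file_create", "pid": 1564, "detail": "desktop.ini"},
    # Control case: a process that relaunches its own image without touching the
    # child's memory is a normal pattern and must not be flagged.
    {"kind": "process_create", "pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe"},
    {"kind": "process_create", "pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe"},
]

# Writing the child's memory and then redirecting a thread into it is the core
# of process hollowing; require both before flagging.
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}
BEHAVIOUR_KINDS = {"file_rename", "registry_set", "file_create"}


def find_self_injection(events):
    """Return [(parent_pid, child_pid, apis)] for each child that runs the
    parent's own image and received the hollowing API sequence from it."""
    image, parent = {}, {}
    for e in events:
        if e["kind"] == "process_create":
            image[e["pid"]] = e["image"].lower()
            parent[e["pid"]] = e["ppid"]
    calls = defaultdict(set)
    for e in events:
        if e["kind"] == "api" and e.get("target") is not None:
            calls[(e["pid"], e["target"])].add(e["api"])
    hits = []
    for child, ppid in parent.items():
        same_image = ppid in image and image[ppid] == image[child]
        if same_image and HOLLOWING_APIS <= calls.get((ppid, child), set()):
            hits.append((ppid, child, sorted(calls[(ppid, child)])))
    return hits


def attribute_to_injector(events, hits):
    """Map the hollowed child's behaviours back to the parent that injected it,
    so an alert names the process that actually introduced the code."""
    origin = {child: ppid for ppid, child, _ in hits}
    attributed = defaultdict(list)
    for e in events:
        if e["kind"] in BEHAVIOUR_KINDS and e["pid"] in origin:
            attributed[origin[e["pid"]]].append((e["pid"], e["kind"], e["detail"]))
    return dict(attributed)


if __name__ == "__main__":
    hits = find_self_injection(EVENTS)
    for ppid, child, apis in hits:
        print(f"PID {ppid} hollowed its own child PID {child} via {', '.join(apis)}")
    for ppid, behaviours in attribute_to_injector(EVENTS, hits).items():
        for pid, kind, detail in behaviours:
            print(f"  {kind} by PID {pid} -> attributed to PID {ppid}: {detail}")
```

The same-image check is what separates this from generic injection: a parent that writes into an unrelated process is a different (and noisier) signal, whereas a parent that spawns its own binary suspended and rewrites it is the pattern the sandbox observed here.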

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1564-55-0x0000000000409F20-mapping.dmp

  • memory/1564-56-0x0000000075241000-0x0000000075243000-memory.dmp

    Filesize

    8KB

  • memory/1564-58-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1672-54-0x0000000000970000-0x00000000009BA000-memory.dmp

    Filesize

    296KB

  • memory/1672-57-0x0000000000970000-0x00000000009BA000-memory.dmp

    Filesize

    296KB
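The dump names above encode the PID, a sequence number and the address range that was captured; the listed Filesize is the size of that range. As an added example, not part of the sandbox's tooling, the Python below parses those names, recomputes each region's size, checks it against the reported Filesize, and for the single-address mapping dump finds which region dump of the same process contains that address (0x409F20 falls inside the child's 0x400000-0x40E000 region). The dump names and sizes are copied from the list above; the function names are this example's own.

```python
import re

# Dump names and reported sizes copied from the Downloads list above. A mapping
# dump carries a single address and no Filesize entry.
DUMPS = {
    "memory/1564-55-0x0000000000409F20-mapping.dmp": None,
    "memory/1564-56-0x0000000075241000-0x0000000075243000-memory.dmp": "8KB",
    "memory/1564-58-0x0000000000400000-0x000000000040E000-memory.dmp": "56KB",
    "memory/1672-54-0x0000000000970000-0x00000000009BA000-memory.dmp": "296KB",
    "memory/1672-57-0x0000000000970000-0x00000000009BA000-memory.dmp": "296KB",
}

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>mapping|memory)\.dmp$")


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, kind and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "kind": m["kind"], "start": start, "end": end,
            "size": None if end is None else end - start}


def size_label(nbytes):
    """Whole-kilobyte label in the same form the report uses."""
    return f"{nbytes // 1024}KB"


def check_reported_sizes(dumps):
    """Names whose recomputed region size disagrees with the reported Filesize."""
    mismatches = []
    for name, reported in dumps.items():
        d = parse_dump_name(name)
        if d["size"] is not None and size_label(d["size"]) != reported:
            mismatches.append(name)
    return mismatches


def containing_region(dumps, pid, address):
    """Region dump of the given process whose [start, end) covers the address."""
    for d in map(parse_dump_name, dumps):
        if d["pid"] == pid and d["end"] is not None and d["start"] <= address < d["end"]:
            return d["name"]
    return None


def mapping_dump_targets(dumps):
    """For each mapping dump, the same process's region dump that contains its address."""
    return {d["name"]: containing_region(dumps, d["pid"], d["start"])
            for d in map(parse_dump_name, dumps) if d["kind"] == "mapping"}


if __name__ == "__main__":
    for name in DUMPS:
        d = parse_dump_name(name)
        size = "-" if d["size"] is None else size_label(d["size"])
        print(f"PID {d['pid']:>5} seq {d['seq']:>3} {d['kind']:<7} 0x{d['start']:X} {size}")
    print("size mismatches:", check_reported_sizes(DUMPS))
    print("mapping targets:", mapping_dump_targets(DUMPS))
```

Recomputing the sizes is a cheap consistency check when dumps are re-derived from a report by hand, and the containment lookup ties the mapping dump to the child's image region at 0x400000, which is where the Processes section shows the parent writing before it redirected a thread with SetThreadContext.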