General

  • Target

    56b77a9c4d7a6359e9d813917c213dd40c571248bf040da37d76dd6227084033

  • Size

    224KB

  • Sample

    220725-ccl3zaabdr

  • MD5

    3a046235da60ec107f4daa600bd7f6ca

  • SHA1

    e07bf29a180c497224c798752b18bf7fcfc9ef3f

  • SHA256

    56b77a9c4d7a6359e9d813917c213dd40c571248bf040da37d76dd6227084033

  • SHA512

    6b2b40a600b5c5f1056e1b1b9750dd5375a39a0c7030fa5a1fad1584920c2be46427e6ec541eab6a1fdd9f8c604e83ee004fc630d4a23b93f8e1b2d5fcdd5e87

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Targets

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Lockbit

      Ransomware family with multiple variants released since late 2019.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks