Analysis

  • max time kernel
    174s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-08-2022 15:37

General

  • Target

    5c1d83ab5883129f137ee29c9353a316184243828c2ac79b0c6f6997cff19919.exe

  • Size

    564KB

  • MD5

    e3c7ad2aa9fb8627409137f52a0e0980

  • SHA1

    2a3160aeb85904ff5cc52242b9553d3f9198ec92

  • SHA256

    5c1d83ab5883129f137ee29c9353a316184243828c2ac79b0c6f6997cff19919

  • SHA512

    8890d121bc4599a1fd9a59c3e99b957340d94e75ffe22f12c302a62a32a5270579e59c51cc024352ee321b559f254b9ae95e07c47b3b1c7307a2331846ef62fc

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
| 3. Follow the instructions on this page
----------------------------------------------------------------------------------------
Note! This link is available via "Tor Browser" only.
------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------
alternate address - http://helpinfh6vj47ift.onion/
DO NOT CHANGE DATA BELOW
###s6dlsnhtjwbhr###
URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 27 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c1d83ab5883129f137ee29c9353a316184243828c2ac79b0c6f6997cff19919.exe
    "C:\Users\Admin\AppData\Local\Temp\5c1d83ab5883129f137ee29c9353a316184243828c2ac79b0c6f6997cff19919.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Local\Temp\5c1d83ab5883129f137ee29c9353a316184243828c2ac79b0c6f6997cff19919.exe
      C:\Users\Admin\AppData\Local\Temp\5c1d83ab5883129f137ee29c9353a316184243828c2ac79b0c6f6997cff19919.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      PID:828

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/540-61-0x00000000777C0000-0x0000000077940000-memory.dmp

    Filesize

    1.5MB

  • memory/540-57-0x0000000076291000-0x0000000076293000-memory.dmp

    Filesize

    8KB

  • memory/540-59-0x00000000003F0000-0x00000000003F7000-memory.dmp

    Filesize

    28KB

  • memory/540-56-0x00000000003F0000-0x00000000003F7000-memory.dmp

    Filesize

    28KB

  • memory/540-60-0x00000000775E0000-0x0000000077789000-memory.dmp

    Filesize

    1.7MB

  • memory/828-63-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/828-58-0x000000000047BC05-mapping.dmp

  • memory/828-64-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/828-65-0x00000000775E0000-0x0000000077789000-memory.dmp

    Filesize

    1.7MB

  • memory/828-66-0x00000000777C0000-0x0000000077940000-memory.dmp

    Filesize

    1.5MB

  • memory/828-67-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/828-68-0x0000000000220000-0x0000000000227000-memory.dmp

    Filesize

    28KB

  • memory/828-69-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB