Resubmissions

18-08-2022 13:44

220818-q18hrsaca7 10

30-03-2022 09:01

220330-ky21bafbdq 10

Analysis

  • max time kernel
    153s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-08-2022 13:44

General

  • Target

    bomani2.exe

  • Size

    56KB

  • MD5

    cadf573e4ca120639a1e5484e985938d

  • SHA1

    ff0d09efbb1495982073291351a81de59e2c3c0d

  • SHA256

    7375b2047d519fffcbe1191522efbf73dcda6073a4fc9b77f01f009c437a2fe8

  • SHA512

    a8496afe762828b23f3568c49954a7c84c2390e0b2d2bb54c141fa9af2db390fd1f0a7582a006ed2b315fd074e4a2268bfdc52a1923f1a28e706000db92015ef

Malware Config

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 27 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bomani2.exe
    "C:\Users\Admin\AppData\Local\Temp\bomani2.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:1588
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4688
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p
      1⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:4640
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 480 -p 4616 -ip 4616
      1⤵
        PID:3156
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4616 -s 2140
        1⤵
        • Program crash
        PID:1200

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Collection

      Data from Local System

      1
      T1005

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1588-132-0x0000000000400000-0x000000000040EC00-memory.dmp
        Filesize

        59KB

      • memory/1588-133-0x0000000000400000-0x000000000040EC00-memory.dmp
        Filesize

        59KB