Analysis
-
max time kernel
151s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-08-2022 09:24
Static task
static1
Behavioral task
behavioral1
Sample
1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe
Resource
win7-20220812-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe
-
Size
72KB
-
MD5
0a394ea5a6a326d2b8a0f7d6ba4bbd82
-
SHA1
c1e1ad4bab9727d1ff3a0788c51edc223f53f097
-
SHA256
1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393
-
SHA512
f7388719ada155e354434b57b438e20c23db44ddf3cf1b4552715d371aec3c5f834992c08eca63b58051472a92996b4d2bb51b1fa5a7671f6c33c731c20bb902
-
SSDEEP
768:7BcNSpIMgsDi8giO5KLC8MkGPXsADPGL69QKN/ZfdV1+nAZjEMzsyy:Fc4IuDdgN5TkGP8A7EUnhV+nAZjE4a
Score
10/10
Malware Config
Extracted
Path
C:\readme.txt
Family
globeimposter
Ransom Note
All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
Your ID
���������02 E9 8C 5D 31 EA 6D 5E 18 9B 3A 52 46 4E 11 D4
5D D6 9C 7C 2C CB E1 00 39 04 85 AB 8F 50 FD 5D
46 7D 97 3E 53 BE B7 DB DA E7 64 67 53 AA A5 2F
57 AB E4 4C 6C 10 6E A0 5B A8 68 60 6F D6 20 C2
32 33 7C 16 1E 2E 36 4B 4F 2F D5 D9 B1 03 43 57
CA FA 3C 84 CB D2 CC 13 B7 49 FC 7F 75 2C 42 46
81 5A 19 0A BC 1B 40 BD 40 BA 4F F8 0C 45 7E 67
12 6D 5B 3F 73 41 32 EB 5E 0C 67 A2 CF 35 55 C8
64 29 E9 A6 5B 40 64 46 72 49 68 5B 09 E0 1B FB
C7 C2 57 AC E7 0B 89 5B E5 A7 63 B0 7B E9 99 A9
BA 75 E1 14 EC 88 BD 22 44 E3 25 8C 94 47 B3 1C
27 F1 A3 32 09 11 D8 02 7F 33 D5 32 77 4C 7B 12
BF B5 F1 A7 82 F4 46 0C 3B AF 02 CC 93 D4 6A EC
DA E2 6D D5 82 75 B1 88 71 23 06 03 42 AF E0 33
B4 23 36 EE 76 7C F9 85 44 5D CD 52 4B 77 51 66
9C 4E 84 5A AE AB FA 56 70 B4 2B 7D 12 C9 50 E4
URLs
http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\DisconnectLimit.png => C:\Users\Admin\Pictures\DisconnectLimit.png.r2u vbc.exe -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\vbc.exe" vbc.exe -
Drops desktop.ini file(s) 28 IoCs
description ioc Process File opened for modification C:\Users\Admin\Links\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Documents\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini vbc.exe File opened for modification C:\Program Files\desktop.ini vbc.exe File opened for modification C:\Users\Public\Desktop\desktop.ini vbc.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini vbc.exe File opened for modification C:\Users\Public\Videos\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini vbc.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI vbc.exe File opened for modification C:\Users\Public\Libraries\desktop.ini vbc.exe File opened for modification C:\Users\Public\Documents\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini vbc.exe File opened for modification C:\Program Files (x86)\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Videos\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Searches\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini vbc.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini vbc.exe File opened for modification C:\Users\Public\desktop.ini vbc.exe File opened for modification C:\Users\Public\Music\desktop.ini vbc.exe File opened for modification C:\Users\Admin\Music\desktop.ini vbc.exe File opened for modification C:\Users\Public\Pictures\desktop.ini vbc.exe File opened for modification C:\Users\Public\Downloads\desktop.ini vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2764 set thread context of 2260 2764 1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe 83 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-300.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-32_altform-lightunplated.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri vbc.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-30_altform-unplated.png vbc.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-125.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-black_scale-200.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-black.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-100_contrast-white.png vbc.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\readme.txt vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-pl.xrm-ms vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-pl.xrm-ms vbc.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_am.dll vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-64.png vbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_hover_2x.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-150_contrast-white.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-400.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Preview.scale-200_layoutdir-LTR.png vbc.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradfun_plugin.dll vbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\over-arrow-navigation.svg vbc.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\2876_24x24x32.png vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200.png vbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-200.png vbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\ui-strings.js vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-16_altform-unplated.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\SmallTile.scale-200.png vbc.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms vbc.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\readme.txt vbc.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-125.png vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-24.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-20_altform-unplated_contrast-white.png vbc.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk vbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif vbc.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-200.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-100.png vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-256_altform-unplated_contrast-black.png vbc.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\readme.txt vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-100.png vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms vbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\selector.js vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\SystemX86\msvcp140.dll vbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\ui-strings.js vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-48_altform-unplated_contrast-white.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\StoreLogo.scale-100.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-400.png vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-300.png vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF vbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\ui-strings.js vbc.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_dark_18.svg vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onmainim.dll vbc.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\AdCloseButton.png vbc.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat vbc.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{AA5CE76F-4E0E-4071-8047-5AA3AB954CFE}\chrome_installer.exe vbc.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2260 vbc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2764 wrote to memory of 2260 2764 1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe 83 PID 2764 wrote to memory of 2260 2764 1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe 83 PID 2764 wrote to memory of 2260 2764 1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe 83 PID 2764 wrote to memory of 2260 2764 1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe 83 PID 2764 wrote to memory of 2260 2764 1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe 83 PID 2764 wrote to memory of 2260 2764 1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe"C:\Users\Admin\AppData\Local\Temp\1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
PID:2260
-