Overview

overview

10

Static

static

21b38af989...ab.exe

windows7-x64

10

21b38af989...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-08-2022 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21b38af989d3f5f3bf16e0a7562b5bdb4c544b49c0711b8f055b4fb61e242eab.exe

  • Size

    390KB

  • MD5

    fec6f114419bfb3182ce771e7e4cd384

  • SHA1

    c63f0ce447c63fe232e6ba45d259110f167d6746

  • SHA256

    21b38af989d3f5f3bf16e0a7562b5bdb4c544b49c0711b8f055b4fb61e242eab

  • SHA512

    27960a22c708990fcf3878d7a65ccea44bcea554c565d166d8df590dc36b9ab5c3229a73168cc8fe6ce3241b3732ab181ce44c3fb1144e4d63972d71b66f895e

  • SSDEEP

    6144:B1iTvDacVTkrzy8FdikDUWrZJyTWZZDmehT4ZyPsr3YUkDMB2fukylSxpY0:Iu8KikDByT1ClylSx1

Score
10/10
globeimposterpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\readme.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ Your ID ���������B4 E6 42 DA CA D8 37 FB 2A 70 A8 32 32 E6 00 34 FC 1D D9 14 3B BE 61 95 3D DD 61 0F 78 83 28 1F DE 5E 90 6C 35 5E 8F 4A BA 35 73 A1 78 31 4E 40 06 02 F9 21 D6 4E EB 50 C4 23 E1 A7 2E D2 EA D2 3B 16 F9 59 F4 68 2F C5 90 05 85 6A 44 A1 86 88 CD 59 BA 84 37 B0 7F 16 2E F9 AC 16 42 E0 7F 4A E4 6D 27 71 C3 EE 34 2E BA 16 4E 4B EC 8C C8 A0 81 46 D5 F8 B3 BD 77 0B 17 4E 0C F0 16 4D B8 CF CB 3E 76 22 AB AB D2 11 3B 35 1C B8 86 A7 6B 02 E0 CC 27 B0 EE DF 83 92 DC 21 77 F8 2E CE AE EC 94 F5 B0 3C DF 12 A6 0C E5 C2 19 77 08 DB 29 0E 51 AB A2 33 50 3E 10 C5 AA D1 F5 4E 4F 71 6C 91 E9 4F 4E C6 3B E2 23 09 1E AE 12 B8 56 A1 22 77 33 5A 27 1F B8 24 9B CA A6 F1 81 DB D3 5C 73 41 CB 8F B3 47 59 D5 D7 39 15 64 98 64 11 E4 B1 30 D6 3C E3 A9 95 D9 AA 10 37 FA 67 3C AA EC B2 A2
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 26 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21b38af989d3f5f3bf16e0a7562b5bdb4c544b49c0711b8f055b4fb61e242eab.exe
    "C:\Users\Admin\AppData\Local\Temp\21b38af989d3f5f3bf16e0a7562b5bdb4c544b49c0711b8f055b4fb61e242eab.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\21b38af989d3f5f3bf16e0a7562b5bdb4c544b49c0711b8f055b4fb61e242eab.exe
      "{path}"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      PID:3776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2252-132-0x0000000000F20000-0x0000000000F88000-memory.dmp

    Filesize

    416KB

    Download

  • memory/2252-133-0x0000000005D60000-0x0000000006304000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2252-134-0x0000000005850000-0x00000000058E2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2252-135-0x00000000059B0000-0x0000000005A4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2252-136-0x0000000005940000-0x000000000594A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3776-138-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3776-140-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3776-141-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download