Overview

overview

10

Static

static

10

7FA0FC4B90...04.exe

windows7-x64

10

7FA0FC4B90...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-09-2022 21:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe

  • Size

    30KB

  • MD5

    0d7eb2137c2d696071df27cc6a601a5a

  • SHA1

    f3e487886630e0729fb4b4967cd11c2ee0daa989

  • SHA256

    7fa0fc4b901ff3bb9002f33b4a7f0a01aef10f36c8304d26cdbf0934a9fd816f

  • SHA512

    1b6f45cd581d3cd8292d8b97b840473eddb5239ce07037a8d34cf1530dc6c35613591e1d06f56453b50060d0df8d6066cc675a8cde3018220547597515e8f662

  • SSDEEP

    768:8t6+ztmVfbHmHS8/ckpKd75wiqjUKPO6AAb3vM8pYwA:2ztmJbHmHT/zKdVwigUAAK3qw

Score
10/10
globeimposterredlinesmokeloader0025backdoorinfostealerpersistenceransomwaretrojan

Malware Config

Extracted

Path

\??\M:\readme.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ Your ID ���������18 FD 9B 7D 94 A2 CF 7E CD E1 D0 09 EF E3 64 A6 44 2B 0E 12 EB 2F 49 78 09 97 1B 4B 33 38 A3 89 B9 EB 90 B1 C5 85 26 9D EE 7E 5C 49 15 CA 62 F9 7F 7D 1B 22 96 8A 6C B7 F5 BB 7C E8 3E 8A 85 24 2C C2 49 18 DD FA 81 A9 4B 0A F5 68 0E 1F C8 95 7E 6A 68 05 3D 70 44 4D F8 FD 19 F8 41 61 2A C8 C8 B0 9F 6F EB 69 74 86 C9 F6 91 0D 29 D6 EC 89 46 7D A6 99 1C AE 7E 81 1D 12 1F 17 5B 1A A2 7D F7 F4 FD FD 14 4B DC 6D 51 A1 1F 2F 34 B6 E1 C9 07 F7 76 BE 31 EB 1D A8 1A 17 D5 1F 43 3B E8 EE FE 7F 14 B3 EC A7 8D A1 FF 59 E5 BB ED F2 43 70 4E 7E 97 4B BF 8F 94 0C EE 46 36 C4 3F FE 31 01 25 5B DE D7 76 57 53 86 A3 EB FD A6 3E 4F 2B 59 E2 88 01 16 9B F3 BC 5F 6E 55 9E B1 E2 E3 17 DC A0 03 50 29 7C 53 6B 9A D9 65 93 75 49 B2 84 AA 10 54 47 FF E3 DF 9C 4B 71 41 E5 31 38 63 4A 3C
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Extracted

Path

\??\M:\Boot\bg-BG\ReadMe.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?403RSUVXZAC 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?403RSUVXZAC

https://yip.su/2QstD5

Extracted

Family

redline

Botnet

0025

C2

216.52.57.15:38185

Attributes
  • auth_value

    e3493445b68f497cdc542eee79f1a761

Signatures

  • Detects Smokeloader packer 2 IoCs
  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 19 IoCs
  • Enumerates connected drives 3 TTPs 27 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
    "C:\Users\Admin\AppData\Local\Temp\7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4936
  • C:\Users\Admin\AppData\Local\Temp\266F.exe
    C:\Users\Admin\AppData\Local\Temp\266F.exe
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    PID:740
  • C:\Users\Admin\AppData\Local\Temp\2D75.exe
    C:\Users\Admin\AppData\Local\Temp\2D75.exe
    1⤵
    • Executes dropped EXE
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:4452
  • C:\Users\Admin\AppData\Local\Temp\3219.exe
    C:\Users\Admin\AppData\Local\Temp\3219.exe
    1⤵
    • Executes dropped EXE
    PID:4672
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:4360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 876
        2⤵
        • Program crash
        PID:2860
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:3668
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4360 -ip 4360
        1⤵
          PID:4968
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1104
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4972

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\USERS\PUBLIC\DESKTOP\ACROBAT READER DC.LNK.R2U
          Filesize

          3KB

          MD5

          7c70ec63db5217ca12e921af903b6376

          SHA1

          58edf5627b21da76775bfb36b229e35d99c6918a

          SHA256

          e682a7ec6d5303650e7b5ba99251d6307fad956ffbc3ddb8368eafbd3895c4e8

          SHA512

          89fd64f71f44d24589c9b5115037df6c765b550e28d712e33eb5ad4568edd3e73189ee8dee19d3ffb05b2f88d039840bc466cbe993a1e4d43cdfa7ed434e83d5

          Download Submit

        • C:\USERS\PUBLIC\DESKTOP\FIREFOX.LNK.R2U
          Filesize

          1KB

          MD5

          130d15ef1fd65b768b1925c324e1cea1

          SHA1

          28f22eaaf35f6c20bf986f2bf16296581cea7094

          SHA256

          c4207869df58da7989140a69b83d9890cd6dcd65808e75571cf929e218c1c538

          SHA512

          1a43a0da3841efc76a8a958634b2f442451ccd30e5243ffb5d2f88b6ef1c54f74f8e31ba6f2054e429e9667845aaa11f613eb91662f92e74ab8dc008fff22d70

          Download Submit

        • C:\USERS\PUBLIC\DESKTOP\GOOGLE CHROME.LNK.R2U
          Filesize

          3KB

          MD5

          3d85374fa81c89484ef4740c29b509ba

          SHA1

          172458e4d26fd3f02a135bf5620256e00535012f

          SHA256

          3c28aaf4c754a448263f19a6763cd699fcb8f8195653f02f2b9104cb48537fb1

          SHA512

          6d7498ce15893a98713a1c91346e3e5fc18e2263e15c44ace8b6b9ff0545c8a79449b7e1fe4aa75b7a17e9c0985e243d55e344f1af7cd5d3e2f91fd3969b6c7c

          Download Submit

        • C:\USERS\PUBLIC\DESKTOP\README.TXT
          Filesize

          1KB

          MD5

          65fd7824536e11e25e332800d42dd3e3

          SHA1

          34e4778228e38d6a57fcb5d8979dc192672700a6

          SHA256

          2ee8c1f1bb1b928984bd02bb979db3b6473a80bcdba4b849b7ab611d3ab76359

          SHA512

          06be78f8a42cdb2ff67cc3df26c7f7888e37e050c7c2ef41b9bde744f88960b1787d62ed79977425851106f26f3ee4867259f7d222cc64db7fa5bb75afcc63c0

          Download Submit

        • C:\USERS\PUBLIC\DESKTOP\VLC MEDIA PLAYER.LNK.R2U
          Filesize

          1KB

          MD5

          adc28f3553785b54202f31bf6a60fa29

          SHA1

          994dec0134a5cb3af01c2d76105ca071ba99f71c

          SHA256

          54b08a792366b4f4c213c03832772632ec8872e700250b6dda141677c0ec54c8

          SHA512

          a5f6389a3fe6c38b7a9ce50a1f1ec9b47a3bb96d9550be83b1bb183c2725552aa7de987ad4a3f84bda38279be8f16fc5487a3b7d75dfe1f5c5cf2b01231dfa6f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\266F.exe
          Filesize

          106KB

          MD5

          957f3db87f8c9a1540269e6aa08c14b2

          SHA1

          14be1c43fbfb325858cda78a126528f82cf77ad2

          SHA256

          2cb58713d1eff5ac37e8db040d25537c0e7bb6737c905a577fb257e4e4360f83

          SHA512

          cd7089eb072c3eaccc474a1e8f4b60a3bcaa4fc60c2761f649ac91edbfe7b7389db60d8156fe1eadb8b78628c48bca115fabdb00d115451a85433272d875d463

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\266F.exe
          Filesize

          106KB

          MD5

          957f3db87f8c9a1540269e6aa08c14b2

          SHA1

          14be1c43fbfb325858cda78a126528f82cf77ad2

          SHA256

          2cb58713d1eff5ac37e8db040d25537c0e7bb6737c905a577fb257e4e4360f83

          SHA512

          cd7089eb072c3eaccc474a1e8f4b60a3bcaa4fc60c2761f649ac91edbfe7b7389db60d8156fe1eadb8b78628c48bca115fabdb00d115451a85433272d875d463

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\2D75.exe
          Filesize

          50KB

          MD5

          4c4a63e3906a19edb4e7f97419fa3033

          SHA1

          afc257d249bd12e4a13a2c4fc7e1df44301228d3

          SHA256

          16bb1dd92c0dcc2cc0a3057b15f2e50214cb79c225ab136a91f7918787678882

          SHA512

          c18e3f8010f02b829c39e2488bca4cc5f9e9fc0c7055d4049490f79820793389fe6b55d37a6e4f24b57bb629aa9b0721323f409f5d84e3603d5eb742c70a5e50

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\2D75.exe
          Filesize

          50KB

          MD5

          4c4a63e3906a19edb4e7f97419fa3033

          SHA1

          afc257d249bd12e4a13a2c4fc7e1df44301228d3

          SHA256

          16bb1dd92c0dcc2cc0a3057b15f2e50214cb79c225ab136a91f7918787678882

          SHA512

          c18e3f8010f02b829c39e2488bca4cc5f9e9fc0c7055d4049490f79820793389fe6b55d37a6e4f24b57bb629aa9b0721323f409f5d84e3603d5eb742c70a5e50

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\3219.exe
          Filesize

          107KB

          MD5

          29c35719b1ad2a2106cfa7072877e86c

          SHA1

          393a2b9a4bf4bc4711e51f3f62f21bc6fa93f9a5

          SHA256

          16c1c4b955d4c9acfbba91c6267ed68a0e9826aab0eaa0f7e05a7cfbbde1ffe1

          SHA512

          f740f53837ce94ea0dcdfa9ab3151e661624a15ab0b5e91ff970037333921907316bc51d61c2fefaf949e9f2a7c0de75e8ce20df1cb3f297d0d6039c982206ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\3219.exe
          Filesize

          107KB

          MD5

          29c35719b1ad2a2106cfa7072877e86c

          SHA1

          393a2b9a4bf4bc4711e51f3f62f21bc6fa93f9a5

          SHA256

          16c1c4b955d4c9acfbba91c6267ed68a0e9826aab0eaa0f7e05a7cfbbde1ffe1

          SHA512

          f740f53837ce94ea0dcdfa9ab3151e661624a15ab0b5e91ff970037333921907316bc51d61c2fefaf949e9f2a7c0de75e8ce20df1cb3f297d0d6039c982206ee

          Download Submit

        • \??\M:\Boot\readme.txt
          Filesize

          1KB

          MD5

          56384889ec0dfe1ace9fff5439e4cf8a

          SHA1

          8b48bc0b8de53bdb2a5bb542506c27d01acff681

          SHA256

          cbdeff29c6cc659c7e61d45574ecc72c24267357522b8790fe0359004279756c

          SHA512

          be6768886a659cd362e6099c0f99bb66873e61573e9d3b94c39a339f3ab7921de2736d179e6450cf9f5f4b93d2f0df4257097b7ece65226db8e5b423f669eb5d

          Download Submit

        • \??\M:\readme.txt
          Filesize

          1KB

          MD5

          a3794cabf4a20e95d66f19e27b0729b1

          SHA1

          059b741fd2420875b182bba359573a1c0425887a

          SHA256

          b3fbb4323596c2e8b00027da852963511794d9286683a06f46cdffa6314f5755

          SHA512

          217a982464211aaf5d2f799d1cde039710c05def0d695dd0f1969f89c392651e52b39f7750965f919a0cda50a497d9c31acd68118e022da4ee981add92c480ae

          Download Submit

        • memory/1104-162-0x0000018533920000-0x0000018533928000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1104-165-0x0000018535440000-0x0000018535460000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3668-146-0x0000000000C00000-0x0000000000C07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3668-147-0x00000000009F0000-0x00000000009FC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4360-169-0x0000000000640000-0x00000000006AB000-memory.dmp

          Filesize

          428KB

          Download

        • memory/4360-151-0x0000000000640000-0x00000000006AB000-memory.dmp

          Filesize

          428KB

          Download

        • memory/4360-148-0x00000000006B0000-0x0000000000724000-memory.dmp

          Filesize

          464KB

          Download

        • memory/4452-153-0x0000000000400000-0x000000000040D400-memory.dmp

          Filesize

          53KB

          Download

        • memory/4452-140-0x0000000000400000-0x000000000040D400-memory.dmp

          Filesize

          53KB

          Download

        • memory/4672-172-0x0000000005500000-0x0000000005512000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4672-173-0x0000000005630000-0x000000000573A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4672-152-0x00000000008F0000-0x0000000000910000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4672-171-0x0000000005A80000-0x0000000006098000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4936-132-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4936-133-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download