General

  • Target

    24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a

  • Size

    412KB

  • Sample

    220914-tbbpaaeeap

  • MD5

    4aae92d39c5aca5fba29bf92cf6b84d2

  • SHA1

    f023ad70ebc5486f479c4f100fccb42e6c79909a

  • SHA256

    24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a

  • SHA512

    8e923140617910155b30821e50893f8b9bdbb97a1efc6cc18f4f7afb8d3a187662874f83963f345477ee9a769f29dc3670d350ac6d6e04468c8bc510acc289bd

  • SSDEEP

    12288:g7TtcP/wjj/SkZW7zy7nzo1NmN8a4jpxE/P:g7RcP/wvqkZNonmN8a4jpxK

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor:
1. Download Tor browser - https://www.torproject.org/ and install it.
2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
3. Create Ticket
Note! This link is available via Tor Browser only.
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a

    • Size

      412KB

    • MD5

      4aae92d39c5aca5fba29bf92cf6b84d2

    • SHA1

      f023ad70ebc5486f479c4f100fccb42e6c79909a

    • SHA256

      24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a

    • SHA512

      8e923140617910155b30821e50893f8b9bdbb97a1efc6cc18f4f7afb8d3a187662874f83963f345477ee9a769f29dc3670d350ac6d6e04468c8bc510acc289bd

    • SSDEEP

      12288:g7TtcP/wjj/SkZW7zy7nzo1NmN8a4jpxE/P:g7RcP/wvqkZNonmN8a4jpxK

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Modifies Windows Defender Real-time Protection settings

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • Nirsoft

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks