Analysis
-
max time kernel
220s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
28-11-2022 09:12
General
-
Target
tmp.exe
-
Size
463KB
-
MD5
350542a03ae2eab2f12f6f61abf925e2
-
SHA1
b943c338607b82fcf72d398ebb317731b5c267c1
-
SHA256
42cf8f16f7a65509a5916cd1f0b25d6192749965fe5ee32c63428cb8f63c6a75
-
SHA512
cba2429d51c436c3a1f18bbd28a5a625810c3c11321648ac0ccbb47a511eed1c0818adbe31e3a0c2d074559044ca5536a9a92de1da1f327c923fa070a9ad6cc2
-
SSDEEP
12288:UxkzrbETClw86ZILRaflV8jN69EpHskFgFwIyXCD:d76CxYP8j89ExskFgqIyX
Score
10/10
Malware Config
Extracted
Path
C:\readme.txt
Ransom Note
Attention!
All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR
5. and open ticket
----------------------------------------------------------------------------------------
Alternate communication channel here: https://yip.su/2QstD5
��71 46 FD 35 0E 7C EC 63 E8 60 77 6F 7B 31 BC BC
32 8C E8 41 BD 29 B2 ED CA 4F B6 69 3F 9C B3 E0
4B 9F A3 77 E3 E1 00 47 56 5F A6 FC 8D 8A 87 86
52 85 21 83 55 3F 9F 6E 92 03 E5 00 1F 48 76 20
F9 A2 AE 8A 73 DA 8E 71 89 2E 36 9F A1 A0 77 8B
FB E0 70 8F BF A5 DC C3 BD AE A3 A4 08 88 F3 49
27 D5 3E 61 98 13 F4 0C 5C 7A 9C 04 51 EC 4F BE
C9 8A 39 44 0A 3B BA 0C D7 13 99 F8 BF E9 E6 F2
04 2D 76 27 77 C9 05 C3 EC 0C 40 06 EE C7 A2 FA
91 B0 B1 E2 49 B2 E8 76 37 76 8B F2 21 12 07 E4
AA 6A 44 13 52 D3 23 17 EB C6 39 77 C4 27 5C 1F
42 33 5E AB 39 24 AE 69 2F 4D 93 D5 02 57 88 B2
AF 12 41 E5 4C 0B 46 64 5E F6 F0 BF A3 2D AB D9
98 B5 8D 1A EA AF 25 1A E3 0B 9A 93 1D 0C 67 93
E0 AE 7D 71 7B 01 E4 72 B3 1E A4 76 CA DC 46 3F
5B C0 40 AB 3C 7F F3 4B 0F D0 80 73 43 1B 15 DB
URLs
http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR
https://yip.su/2QstD5
Signatures
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 13 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"{path}"2⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
488KB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
80KB