Analysis
max time kernel: 179s
max time network: 200s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2022 17:06
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20221111-en
General
Target: file.exe
Size: 821KB
MD5: 190517d80c4edcef8a6c2b0a017941b0
SHA1: 2e03f910b3f9183657c3ec00735aa5b1f03080bb
SHA256: 5ff8f64c4f30268e388f898e0540163158b5941f9c0900d50c4d2fd9d1062e4c
SHA512: 676639520df2d44dc9d8fcbd9d49a0453715ea56520d4d606908bc7e9536b57b3ffd77ee8200b7861803ae70d0730a5be9a4193ec70ca9a235c7acb6af33bd65
SSDEEP: 12288:K+XtdQ4vM3zrbETClJkFg/IyXCD8H//qNtYU8d+JW7626bNiU1pvZ4xbPfivp+sZ:5vU376CbkFg/IyXtH4H8dd7624i/+
Malware Config
Extracted
C:\readme.txt
http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR
https://yip.su/2QstD5
Signatures
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: file.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | file.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\file.exe" | file.exe
Drops desktop.ini file(s) (5 IoCs)
Processes: file.exe
description | ioc | process
File opened for modification | C:\Users\Public\desktop.ini | file.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | file.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | file.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | file.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | file.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: file.exe
description | pid | process | target process
PID 1464 set thread context of 3264 | 1464 | file.exe | file.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: file.exe
pid | process
1464 | file.exe
1464 | file.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: file.exe
description | pid | process
Token: SeDebugPrivilege | 1464 | file.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: file.exe
description | pid | process | target process
PID 1464 wrote to memory of 4784 | 1464 | file.exe | file.exe
PID 1464 wrote to memory of 4784 | 1464 | file.exe | file.exe
PID 1464 wrote to memory of 4784 | 1464 | file.exe | file.exe
PID 1464 wrote to memory of 3264 | 1464 | file.exe | file.exe
PID 1464 wrote to memory of 3264 | 1464 | file.exe | file.exe
PID 1464 wrote to memory of 3264 | 1464 | file.exe | file.exe
PID 1464 wrote to memory of 3264 | 1464 | file.exe | file.exe
PID 1464 wrote to memory of 3264 | 1464 | file.exe | file.exe
PID 1464 wrote to memory of 3264 | 1464 | file.exe | file.exe
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
PID: 1464
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "{path}"
    PID: 4784
    C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "{path}"
    PID: 3264
    - Adds Run key to start application
    - Drops desktop.ini file(s)