Analysis

  • max time kernel
    179s
  • max time network
    200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 17:06

General

  • Target

    file.exe

  • Size

    821KB

  • MD5

    190517d80c4edcef8a6c2b0a017941b0

  • SHA1

    2e03f910b3f9183657c3ec00735aa5b1f03080bb

  • SHA256

    5ff8f64c4f30268e388f898e0540163158b5941f9c0900d50c4d2fd9d1062e4c

  • SHA512

    676639520df2d44dc9d8fcbd9d49a0453715ea56520d4d606908bc7e9536b57b3ffd77ee8200b7861803ae70d0730a5be9a4193ec70ca9a235c7acb6af33bd65

  • SSDEEP

    12288:K+XtdQ4vM3zrbETClJkFg/IyXCD8H//qNtYU8d+JW7626bNiU1pvZ4xbPfivp+sZ:5vU376CbkFg/IyXtH4H8dd7624i/+

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 ��24 13 F6 D1 EC 78 01 E3 7A 7B 04 2C BE 7C BF 69 6C EE 0E 53 42 80 BD 74 37 33 CE 4B 4F 3C 24 FD E4 96 83 21 24 48 E8 F5 48 13 C6 04 2D 77 D2 E6 6C EC FE 5F 01 D8 B5 2D 04 3A C3 78 CA 14 05 10 21 88 59 51 27 63 51 47 B1 B3 C6 0E 7B C2 C9 F7 00 EC 57 01 E7 B0 DD 35 1D 43 08 09 A7 25 87 D9 D4 AB A2 D9 B1 DF 66 0E D6 D0 E7 AC DF 8E EF 4D 3C 62 F6 A2 D1 A2 34 FC 78 00 BA D6 05 75 4C 40 85 DF 02 1C CE 22 90 10 12 EA 55 0A B6 59 BD 81 C8 85 38 E1 9A 2F 86 00 45 B9 05 9B CC CA E8 AD 3B 49 37 96 A2 C0 B8 50 DA 49 8E 73 D3 7E 8C 71 C9 AD 9D FD 91 51 7E 3D 35 22 BC 50 74 DD 3D B6 AC F7 A8 99 AF 1F 3B 8D 0D FD F5 AD 6E 46 2F 2F 58 E8 60 8E 38 F0 A5 9B E3 34 17 B8 05 E6 7B D3 B4 CD 4F 75 C6 76 7A F6 AA 0F 21 AD D6 CF 5D 6A 45 20 79 9C F0 C5 F2 3F 25 16 CB 7C 91 61 1E DD
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST1GHJLMOPR

https://yip.su/2QstD5

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "{path}"
      2⤵
        PID:4784
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "{path}"
        2⤵
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        PID:3264

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1464-132-0x00000000006A0000-0x0000000000774000-memory.dmp

      Filesize

      848KB

    • memory/1464-133-0x00000000057B0000-0x0000000005D54000-memory.dmp

      Filesize

      5.6MB

    • memory/1464-134-0x0000000005110000-0x00000000051A2000-memory.dmp

      Filesize

      584KB

    • memory/1464-135-0x00000000052A0000-0x000000000533C000-memory.dmp

      Filesize

      624KB

    • memory/1464-136-0x0000000005230000-0x000000000523A000-memory.dmp

      Filesize

      40KB

    • memory/3264-138-0x0000000000000000-mapping.dmp

    • memory/3264-139-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3264-141-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3264-142-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3264-143-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/4784-137-0x0000000000000000-mapping.dmp