Analysis

  • max time kernel
    268s
  • max time network
    327s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-12-2022 05:08

General

  • Target

    1cc3b2946bb008c7f0b18225696b2e492b627725a3f4ead9ffb6e49346ca1325.exe

  • Size

    50KB

  • MD5

    32bd793c65117c065f48115340d6d899

  • SHA1

    be86049db96ed942e32f394c5ca55b1ce16fec77

  • SHA256

    1cc3b2946bb008c7f0b18225696b2e492b627725a3f4ead9ffb6e49346ca1325

  • SHA512

    3a5fe1cdc94e054b8c81b0d0fa0eef22abdcd812dfdeb00c19ac8ab7e590693d78ddeb976e32b791494d30d239f4fc319b3bd5b3ac93ef59c371d6fe03dd6dc9

  • SSDEEP

    768:kivuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5Gf:5eytM3alnawrRIwxVSHMweio3Yf

Malware Config

Extracted

Path

C:\readme.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST2GHJLMOPR
5. and open ticket
----------------------------------------------------------------------------------------
Alternate communication channel here: https://yip.su/2QstD5
C0 FC 8E 48 41 19 95 84 57 C5 94 CF C2 12 C4 66 06 DD CE 31 99 8A 6E 53 88 95 5C 05 B3 65 59 FD F9 D3 3C 52 3F F8 42 5B D4 7A CA 9F E4 1E EA E0 A0 CA 97 97 CE C2 94 98 A9 9A 4B A4 25 A1 12 3E 78 5D CE 20 39 15 F5 FF 22 A3 8A 09 22 13 4D 6A 85 8E E9 5F DA E6 1D A4 A9 8A 7A E9 FE 4D A0 E7 F5 31 4C 5B B4 20 11 E1 5F 53 4E 77 3B 89 76 79 F2 8B 46 28 B1 F9 8F 36 4E 97 09 B5 1D A6 D9 1E 97 FE E9 9F A3 A1 F8 3A E9 D5 6F EC 4A 23 5B 5C 52 07 38 4E 4D 57 91 9C F5 6E 17 CC 9D 82 65 EE FF CA A2 DD 50 95 E1 1D 81 1C 33 72 3F C4 BD AA 4E E7 16 93 9A 6D 68 AB A2 3A F2 C9 24 36 41 8F 08 A4 80 0F 62 3B 30 1E 4B 63 AB B9 1B 89 61 9C 2D 14 57 9C 6B 8A 2D 69 89 B4 C2 7F 6A 47 81 8B E7 63 6A FE 26 A9 71 94 4B 16 D5 CC BB D2 CE AC 48 A9 A9 C8 96 72 95 0C E7 7A 56 BC 64 A3 56 AB
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST2GHJLMOPR

https://yip.su/2QstD5
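The ransom note above carries three things worth pulling out automatically: the victim-specific .onion URL with its ticket ID in the query string, the clearnet fallback URL, and a trailing blob of space-separated hex. That blob is 256 bytes, the size of a 2048-bit RSA ciphertext; reading it as an encrypted per-victim key is inference, not something the report states. The following is an added example of a small extractor for notes of this shape, written for this page and not part of the sandbox's own extraction logic. The names `parse_ransom_note`, `NoteConfig`, `blob_size_hint` and `SAMPLE_NOTE` are mine; `SAMPLE_NOTE` is a constructed copy of the note whose URLs match the report but whose hex blob is shortened to 16 bytes and prefixed with two junk bytes to stand in for the encoding garbage seen in the dump.

```python
"""Extract IoCs and the trailing key blob from a GlobeImposter-style readme.txt."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not the bytes from the sandbox): same text and URLs as
# the note on the page, blob cut to 16 bytes, two junk bytes in front of it.
SAMPLE_NOTE = (
    b"Attention! All your files, documents, photos, databases and other important "
    b"files are encrypted The only method of recovering files is to purchase an "
    b"unique decryptor. Only we can give you this decryptor and only we can recover "
    b"your files. The server with your decryptor is in a closed network TOR. "
    b"1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser "
    b"3. Open Tor Browser 4. Open link in TOR browser: "
    b"http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST2GHJLMOPR "
    b"5. and open ticket Alternate communication channel here: https://yip.su/2QstD5 "
    b"\xff\xfeC0 FC 8E 48 41 19 95 84 57 C5 94 CF C2 12 C4 66"
)


@dataclass
class NoteConfig:
    onion_url: Optional[str] = None
    ticket_id: Optional[str] = None      # per-victim ID in the onion query string
    other_urls: List[str] = field(default_factory=list)
    key_blob: bytes = b""                # trailing hex, decoded to raw bytes


# v3 onion hostnames are exactly 56 base32 characters; keep any path/query.
ONION_RE = re.compile(r"https?://[a-z2-7]{56}\.onion(?:/[^\s\"'<>]*)?", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# A run of at least 8 space-separated uppercase hex byte pairs.
HEX_RUN_RE = re.compile(r"(?:[0-9A-F]{2}\s+){7,}[0-9A-F]{2}")


def parse_ransom_note(raw: bytes) -> NoteConfig:
    """Parse the raw note bytes; tolerant of binary junk around the text."""
    text = raw.decode("latin-1")  # lossless, so junk bytes cannot abort parsing
    cfg = NoteConfig()

    m = ONION_RE.search(text)
    if m:
        cfg.onion_url = m.group(0)
        # The ticket/victim ID is whatever follows '?' in the onion URL.
        cfg.ticket_id = m.group(0).partition("?")[2] or None

    # Everything else that looks like a URL (includes the benign torproject link;
    # keep it so the analyst sees exactly what the note points at).
    cfg.other_urls = [u for u in URL_RE.findall(text) if ".onion" not in u.lower()]

    # Take the longest hex run so a stray "4D 6A" in prose cannot win.
    runs = HEX_RUN_RE.findall(text)
    if runs:
        longest = max(runs, key=len)
        cfg.key_blob = bytes.fromhex("".join(longest.split()))
    return cfg


def blob_size_hint(n: int) -> Optional[str]:
    """Heuristic only: common RSA ciphertext sizes seen in ransomware notes."""
    return {256: "rsa-2048", 512: "rsa-4096"}.get(n)


if __name__ == "__main__":
    cfg = parse_ransom_note(SAMPLE_NOTE)
    print("onion  :", cfg.onion_url)
    print("ticket :", cfg.ticket_id)
    print("urls   :", cfg.other_urls)
    print("blob   :", len(cfg.key_blob), "bytes", blob_size_hint(len(cfg.key_blob)))
```

Run it against the real `C:\readme.txt` by reading the file in binary mode and passing the bytes to `parse_ransom_note`; the ticket ID and the onion host are the fields to pivot on across samples, since the clearnet link and the note wording are shared between victims.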

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1cc3b2946bb008c7f0b18225696b2e492b627725a3f4ead9ffb6e49346ca1325.exe
    "C:\Users\Admin\AppData\Local\Temp\1cc3b2946bb008c7f0b18225696b2e492b627725a3f4ead9ffb6e49346ca1325.exe"
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    PID:552

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/552-133-0x0000000000400000-0x000000000040D600-memory.dmp

    Filesize

    53KB