Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2023 12:27

General

  • Target

    8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe

  • Size

    169KB

  • MD5

    c99e32fb49a2671a6136535c6537c4d7

  • SHA1

    ada9bcb3da63e7b989b279fb6c3bc9fe7ff7b41f

  • SHA256

    8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b

  • SHA512

    ad77caa95954281cdb11239e832953a5c256981b2bc12fe48029ae002bd49c2715108bdf80a45f6aad459a110fa952cbb87fcae09ff23c79e2845a4296067257

  • SSDEEP

    3072:Z1E/rS2paccKntcIaKZEKIOjWqGxaTga0rIJ2SEguMG6NTCJAEhRP7ym6VwM1E6x:Z1on2KvuxaUa0NtgdTgXDTOpRh

Malware Config

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 28 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
    "C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
      "C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OT6

    Filesize

    70KB

    MD5

    0fc138abd7c94c998dbf29db15481b16

    SHA1

    f2969233175e2d0275fb87438493108fee199b2e

    SHA256

    01a6c97fc1a23001fefc3c1f8c3480bc0cc444541463b8e3411f79644aef5b58

    SHA512

    b55afc819d3099a9da7de96e5f1c80f87b40f1bc37dc0296be22adb6e555e8869f197de1b7d7d3e271044f397e9aa3b81bbc123be4b32f59e68c28e09a95facf

  • C:\Users\Admin\AppData\Local\Temp\nsh6817.tmp\System.dll

    Filesize

    11KB

    MD5

    3f176d1ee13b0d7d6bd92e1c7a0b9bae

    SHA1

    fe582246792774c2c9dd15639ffa0aca90d6fd0b

    SHA256

    fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    SHA512

    0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

  • C:\Users\Admin\AppData\Local\Temp\nsh6817.tmp\System.dll

    Filesize

    11KB

    MD5

    3f176d1ee13b0d7d6bd92e1c7a0b9bae

    SHA1

    fe582246792774c2c9dd15639ffa0aca90d6fd0b

    SHA256

    fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

    SHA512

    0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

  • memory/1700-133-0x0000000000000000-mapping.dmp

  • memory/1700-134-0x0000000000400000-0x000000000040E600-memory.dmp

    Filesize

    57KB