Analysis

  • max time kernel
    416s
  • max time network
    419s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    12-01-2023 23:37

General

  • Target

    8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe

  • Size

    169KB

  • MD5

    c99e32fb49a2671a6136535c6537c4d7

  • SHA1

    ada9bcb3da63e7b989b279fb6c3bc9fe7ff7b41f

  • SHA256

    8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b

  • SHA512

    ad77caa95954281cdb11239e832953a5c256981b2bc12fe48029ae002bd49c2715108bdf80a45f6aad459a110fa952cbb87fcae09ff23c79e2845a4296067257

  • SSDEEP

    3072:Z1E/rS2paccKntcIaKZEKIOjWqGxaTga0rIJ2SEguMG6NTCJAEhRP7ym6VwM1E6x:Z1on2KvuxaUa0NtgdTgXDTOpRh

Malware Config

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 37 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
    "C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe
      "C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\tmp4126.tmp.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:1704
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
          4⤵
            PID:1756
          • C:\Windows\SysWOW64\reg.exe
            reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
            4⤵
              PID:1624
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
              4⤵
                PID:1536
              • C:\Windows\SysWOW64\attrib.exe
                attrib Default.rdp -s -h
                4⤵
                • Views/modifies file attributes
                PID:1492
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\8808e4e220fcda37bdb05b703e86053f88a6ebd68037d37ef89754c459d7ad2b.exe > nul
              3⤵
                PID:1396
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Read___ME.html
            1⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:944
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:2
              2⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:824
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:209932 /prefetch:2
              2⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1360
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1204

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Hidden Files and Directories

          1
          T1158

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          2
          T1112

          Hidden Files and Directories

          1
          T1158

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          System Information Discovery

          1
          T1082

          Collection

          Data from Local System

          1
          T1005

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\$Recycle.Bin\S-1-5-21-3406023954-474543476-3319432036-1000\desktop.ini
            Filesize

            1KB

            MD5

            de7056b8bac0cb42878e72710631f2e2

            SHA1

            eae422ceffc7e87940743f65fedd74039340a218

            SHA256

            1b2daf7e98dfc8b28ff3a6fda66a2fc8377ac22bc4495930e3d0706ddd84f927

            SHA512

            49dcb705498f2cce58e2992ab0efcbcf6b1e8e398ce5021b1b90172f7bb09aa0fd86e3c09cb241da699455f7aad8fb61e8d5d5cc9449921df5b2a81f046dd6c1

          • C:\Users\Admin\AppData\Local\Temp\OT6
            Filesize

            70KB

            MD5

            0fc138abd7c94c998dbf29db15481b16

            SHA1

            f2969233175e2d0275fb87438493108fee199b2e

            SHA256

            01a6c97fc1a23001fefc3c1f8c3480bc0cc444541463b8e3411f79644aef5b58

            SHA512

            b55afc819d3099a9da7de96e5f1c80f87b40f1bc37dc0296be22adb6e555e8869f197de1b7d7d3e271044f397e9aa3b81bbc123be4b32f59e68c28e09a95facf

          • C:\Users\Admin\AppData\Local\Temp\nsoFE7E.tmp\System.dll
            Filesize

            11KB

            MD5

            3f176d1ee13b0d7d6bd92e1c7a0b9bae

            SHA1

            fe582246792774c2c9dd15639ffa0aca90d6fd0b

            SHA256

            fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

            SHA512

            0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

          • C:\Users\Admin\AppData\Local\Temp\tmp4126.tmp.bat
            Filesize

            445B

            MD5

            32d8f7a3d0c796cee45f64b63c1cca38

            SHA1

            d58466430a2bba8641bd92c880557379e25b140c

            SHA256

            1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

            SHA512

            288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BNIQUZW6.txt
            Filesize

            608B

            MD5

            9ff79450d140bf1f1135e5a5aa880b94

            SHA1

            5dbabbd4de4e51b96e91e108fc26e84bc7f434f5

            SHA256

            2d6996eb06a035a5d99729b6390facb24aaf803800cc91d5f4bcfd7a8b4425fa

            SHA512

            68e971a98bbe3b1a818fad285063dc1bb8336deb380c11e7ad9d97c239c6713a425b2cee0e9e5115a2103212f36110b1b20dccf435aa701724a6523636ef754b

          • C:\Users\Admin\Desktop\Read___ME.html
            Filesize

            4KB

            MD5

            f7f3e70a5e06cfddf310bea8a24d08d5

            SHA1

            a699bd106dacf3c0c7f60a4796f568834921cecf

            SHA256

            749665bb9c14b0d01c7d59362e1820e42555a87447c20edbceebad27519193f5

            SHA512

            6fea7e9bf550be65c8877e392bde981300d88ef4159b56897f297a73f699f167fee510003093d5a1ba766c6e55325abb60f40c80993883257c209ec05c189577

          • \Users\Admin\AppData\Local\Temp\nsoFE7E.tmp\System.dll
            Filesize

            11KB

            MD5

            3f176d1ee13b0d7d6bd92e1c7a0b9bae

            SHA1

            fe582246792774c2c9dd15639ffa0aca90d6fd0b

            SHA256

            fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

            SHA512

            0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

          • memory/1396-65-0x0000000000000000-mapping.dmp
          • memory/1492-71-0x0000000000000000-mapping.dmp
          • memory/1528-56-0x000000000040A224-mapping.dmp
          • memory/1528-58-0x0000000000400000-0x000000000040E600-memory.dmp
            Filesize

            57KB

          • memory/1536-70-0x0000000000000000-mapping.dmp
          • memory/1576-54-0x0000000075611000-0x0000000075613000-memory.dmp
            Filesize

            8KB

          • memory/1624-69-0x0000000000000000-mapping.dmp
          • memory/1704-67-0x0000000000000000-mapping.dmp
          • memory/1732-64-0x0000000000000000-mapping.dmp
          • memory/1756-68-0x0000000000000000-mapping.dmp