globeimposter | 418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579

General

Target

418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
Size

366KB
MD5

dd065e54805dfc8c1640065803a3fa23
SHA1

e0e3646919b6fdb37fd9d9d70d3c0ef23d46dc1a
SHA256

418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579
SHA512

5f7885acfa03411e743579b537257b68aec67e08babcf035689338663f27be082307e65adced4a7f94a413f44a141b5670872d1791b728d4ef6fb592a2b958b0
SSDEEP

6144:W8afWfuCiCEfwdciYYx8+W5p56UKV4UszE7hvriQi:W6ueEMPvW8UhUszE7hvDi

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��8A D4 44 0E BD A8 22 97 44 6F 0E 4A 5F E9 2E 5C 90 5B 6D D8 7E 3B 6D 8C A3 7B AE BF 29 77 43 9E 6B 40 C1 1E BF 62 BF 27 7E 12 F2 5A F6 EA 33 B5 CF 74 C2 5B 7F 28 C8 07 4D 9D D0 D9 7D A5 FF 7D FF 66 A6 F7 51 43 66 EC E3 37 BF 89 BE 07 25 7C EE B4 BB 5C AE 96 03 67 7B 4C 02 81 BF 50 3E DA C7 BA 6A 7A 8B FE AD FA D3 F6 1C F7 AF 75 86 BF DE 3C 03 EA C2 0A B4 55 92 55 A4 7C C4 7C 17 EB 8A 10 4E 4E 14 22 57 C5 E8 21 7D 86 C4 66 B3 01 22 93 EA F3 BE A2 80 14 49 73 77 DF D6 87 D9 83 C2 E5 8F 48 64 FC 93 D8 2F 8E D1 4C 31 74 D7 69 7D 6D CD 54 35 59 60 9B AA 52 88 EC 37 FF AD 48 9B 3E 3B 3E 19 C1 EB 69 74 04 78 03 AD E9 E5 3D EE 68 4F E5 81 08 33 85 8C E8 DC C3 D0 A8 39 F0 72 83 71 D2 50 8D 58 A2 DA 7D B2 E9 75 A8 C1 B2 47 F8 93 B7 E6 19 FC E9 A1 C9 CA 0C BB 58 14 BB ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\RenameCopy.crw => C:\Users\Admin\Pictures\RenameCopy.crw.DOCM	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeApprove.tiff	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File renamed	C:\Users\Admin\Pictures\ResumeApprove.tiff => C:\Users\Admin\Pictures\ResumeApprove.tiff.DOCM	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File renamed	C:\Users\Admin\Pictures\UndoRestore.crw => C:\Users\Admin\Pictures\UndoRestore.crw.DOCM	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File renamed	C:\Users\Admin\Pictures\EnableRead.crw => C:\Users\Admin\Pictures\EnableRead.crw.DOCM	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File renamed	C:\Users\Admin\Pictures\ExitTest.raw => C:\Users\Admin\Pictures\ExitTest.raw.DOCM	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File renamed	C:\Users\Admin\Pictures\RegisterGroup.raw => C:\Users\Admin\Pictures\RegisterGroup.raw.DOCM	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe"	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Links\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

description	pid	process	target process
PID 972 set thread context of 364	972	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

Drops file in Program Files directory 64 IoCs

Processes:

418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_es.dub	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSRuntime.dll	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excel.exe.manifest	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MAPISHELL.DLL	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.GIF	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Pitchbook.potx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.GIF	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyLetter.dotx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\List.accdt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.JPG	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DBGHELP.DLL	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MML2OMML.XSL	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\VSTAProjectUI.dll	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\PersonalMonthlyBudget.xltx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\WidescreenPresentation.potx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\Restore-My-Files.txt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Msgbox.accdt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.JPG	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BillingStatement.xltx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialLetter.dotx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialResume.dotx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_en.dub	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEAWSDC.DLL	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDCAT.DLL	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.INF	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_en.dub	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityLetter.Dotx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveNewsletter.dotx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginLetter.Dotx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnvpxy.dll	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Restore-My-Files.txt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CDLMSO.DLL	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPPT.OLB	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Restore-My-Files.txt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Right.accdt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCDDS.DLL	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ASCIIENG.LNG	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.AddInManager.dll	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\Restore-My-Files.txt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GKExcel.dll	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7.dll	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Restore-My-Files.txt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\FeedSync.dll	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryResume.dotx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Restore-My-Files.txt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCDDSF.DLL	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExpenseReport.xltx	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Details.accdt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Media.accdt	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\VSTAClientPkgUI.dll	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

pid	process
972	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
972	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
972	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
972	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

pid process

972 418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

description	pid	process	target process
PID 972 wrote to memory of 364	972	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
PID 972 wrote to memory of 364	972	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
PID 972 wrote to memory of 364	972	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
PID 972 wrote to memory of 364	972	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
PID 972 wrote to memory of 364	972	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe	418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe

C:\Users\Admin\AppData\Local\Temp\418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
"C:\Users\Admin\AppData\Local\Temp\418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:972
- C:\Users\Admin\AppData\Local\Temp\418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe
  "C:\Users\Admin\AppData\Local\Temp\418a45b6d7b2b1c9615bcc5023765b25621429bc1c45702d6f43695e101da579.exe"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-56-0x0000000000409F20-mapping.dmp

Download
memory/364-59-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/972-54-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download
memory/972-55-0x0000000000F70000-0x0000000000FD0000-memory.dmp

Filesize
384KB

Download
memory/972-58-0x0000000000F70000-0x0000000000FD0000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads