globeimposter | f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b

General

Target

f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
Size

53KB
MD5

d3455af45341d4569fac4127ad4490c0
SHA1

7fe6c8cb118bc4bd479494be578f55131cba7523
SHA256

f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b
SHA512

05d57fb35614ee6d75d3a36bad76bdba9e4cbd2cb60dce481c560c85523077ba2a755b96ecef073e5d4b85ee39c67b98b40cb68b99b1239cde7ac6bd6952bcf2
SSDEEP

768:Ppsvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5kpq/gQF:ReeytM3alnawrRIwxVSHMweio3alQF

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RenameClose.tiff	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitUninstall.tiff	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe"	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe

Drops desktop.ini file(s) 37 IoCs

Processes:

f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Searches\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3948302646-268491222-1934009652-1000\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe

Drops file in Program Files directory 64 IoCs

Processes:

f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7B.GIF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00670_.WMF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_uk.dll	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\how_to_back_files.html	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL106.XML	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21313_.GIF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00914_.WMF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityMergeFax.Dotx	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search.api	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\how_to_back_files.html	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL089.XML	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExpenseReport.xltx	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_ON.GIF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14830_.GIF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Oriel.eftx	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\how_to_back_files.html	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BZCARDHM.POC	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\how_to_back_files.html	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285462.WMF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02282_.WMF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBBTN.DPV	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DVDHM.POC	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR50B.GIF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\shvlzm.exe.mui	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File created	C:\Program Files\7-Zip\Lang\how_to_back_files.html	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left_over.gif	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00799_.WMF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\how_to_back_files.html	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL092.XML	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105338.WMF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285698.WMF	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\STSCOPY.DLL	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libd3d11va_plugin.dll	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo	f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe

C:\Users\Admin\AppData\Local\Temp\f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe
"C:\Users\Admin\AppData\Local\Temp\f433f2bb54439aef2f42823d954bcd61a7b3e537b220cc7f8028ab49faa5c01b.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3948302646-268491222-1934009652-1000\desktop.ini

Filesize
1KB

MD5
7b794b5b2130c78e482d1a3507f39688

SHA1
e1255b85dc3266d8aebdc8fbc5259cae840ad26f

SHA256
5bad437af59ce0585b7ad2e75e19f26f9a683ca6bfba0c0bf9bcd3fa9f66ac01

SHA512
0b584bf1db7d1be2b88c900965ef15fc7d041d92aa4a42216597928cbb2cdfe1e48620d52904232823c3d0e2fa8526c4aa455b9dbce7cfa707b1acf0ba08714c

Download Submit
C:\Users\Public\Videos\Sample Videos\how_to_back_files.html

Filesize
4KB

MD5
fc2f0db342851e8c56453960fa49bff3

SHA1
7581a342d86955d819b8467691f2eed119b1e93e

SHA256
60ef69a23c4a25008803da85590440b0b953fa7faf00e9bbfe8fd6a1ce1856c1

SHA512
e11a67247f5156a55b232b664599697c1dfa3e912c70fb769bb23124709aa41a4e077e594e787d4c2361eb1aa2b10e111f2a925159c8ebd2de1d2ee9e30d0263

Download Submit
memory/1920-101-0x0000000000400000-0x000000000040E200-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads