globeimposter | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd

General

Target

36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
Size

454KB
MD5

2c72015e22b53c215403979536bce826
SHA1

39eb8e3c2cef23d1c7a3f5c3133f40ecc98c1cf1
SHA256

36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd
SHA512

0d2e590b0c32de661ab94c0f7a0eccbbc2bac637120b0148e04b05a826ca5858e6d147e0011bd5094f260e5ff0d3dafbf9bc2c4df099adc3ac5c98d50b6df4b1
SSDEEP

6144:ARkz9/pOuAXNjskDoLHq/97BJBNcplFbs4NhulBngyAyLo59QeW:AK5ppmNjluHqVVxcFbsK8fnrS9Q

Score

10^/10

globeimposter ransomware

Malware Config

Extracted

Path

C:\Users\Public\Videos\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��87 05 F7 ED D5 BA 3A 12 80 DF 45 48 48 89 A2 C4 B6 3B 56 4B 60 76 67 7C F9 5B 18 0D 6D CC BC 41 45 05 C1 32 FD CF 6C 56 92 45 4F 6A B2 09 4E 9E FF B9 1E AE EF 93 79 29 B3 B2 94 61 AA 57 DE D8 FF 06 6B D5 2C 78 FA C4 87 56 31 2D 8E 59 74 C8 6B F0 29 FF D6 26 FE 32 6A CA 10 E6 A1 DB 0C AC 92 D6 3E DB 59 84 0E AB 2C EF 8A 04 92 ED B0 EA CE 97 4C 18 11 7D 0D 62 69 23 23 1F 94 4F 9B EB 66 2A 8D AB A8 09 97 5E F4 E1 F0 02 A6 32 9D 21 12 1E 2E C9 BD 05 DE D2 CB 97 79 FA F4 DA D8 80 D6 31 4A E5 32 1F A5 54 9B A2 BA AF E9 A4 5B D7 75 79 73 48 2D 1F E5 D6 2D AC 8C 64 69 8B BC B9 EB 09 6E 1D 0B A2 62 E0 4B 52 22 CA F1 77 72 10 03 8C 86 F4 D8 69 5C 64 A0 6E 47 D8 9B 52 40 77 9F 66 81 F8 49 5C 70 0E 5B D2 E6 B6 91 79 B8 F0 48 B8 27 64 E3 FE BD 39 47 41 5A D8 5E 3B F5 80

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Renames multiple (4434) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 27 IoCs

Processes:

aspnet_regiis.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	aspnet_regiis.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3229154902-1540650024-2860248029-1000\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Program Files\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Public\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	aspnet_regiis.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	aspnet_regiis.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe

description	pid	process	target process
PID 4144 set thread context of 4768	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	aspnet_regiis.exe

Drops file in Program Files directory 64 IoCs

Processes:

aspnet_regiis.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-100.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\nf_16x11.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-200.png	aspnet_regiis.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\read-me.txt	aspnet_regiis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\ui-strings.js	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\ui-strings.js	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\example_icons2x.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SpotlightMailHxS_2016-09.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ru_16x11.png	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\ui-strings.js	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\166.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_mmx_plugin.dll	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\load-typekit.js	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\ClrCompression.dll	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-100.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libtdummy_plugin.dll	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-24_altform-unplated_contrast-black.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-400.png	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\selector.js	aspnet_regiis.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\read-me.txt	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-unplated.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\my_16x11.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookMedTile.scale-200.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_EyeLookingUp.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\XMLOffKeys\Keys_OffVerOOBE.xml	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	aspnet_regiis.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\read-me.txt	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-synch-l1-2-0.dll	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_trending.targetsize-48.png	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\fr-FR.PhoneNumber.ot	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\la_60x42.png	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\ui-strings.js	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\ui-strings.js	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\es-ES.PhoneNumber.ot	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\plugin.js	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-200.png	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\ui-strings.js	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\LargeTile.scale-200.png	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif	aspnet_regiis.exe
File opened for modification	C:\Program Files\SuspendOpen.xps	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-200.png	aspnet_regiis.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\read-me.txt	aspnet_regiis.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\read-me.txt	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\freecell\Alcatraz_Escape_.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-unplated_contrast-white.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailWideTile.scale-125.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-fullcolor.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\rt3d.dll	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info2x.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\MedTile.scale-100.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailWideTile.scale-100.png	aspnet_regiis.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40.png	aspnet_regiis.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\read-me.txt	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js	aspnet_regiis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif	aspnet_regiis.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe

pid	process
4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

aspnet_regiis.exe

pid process

4768 aspnet_regiis.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe

description pid process

Token: SeDebugPrivilege 4144 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

4808 NOTEPAD.EXE

pid	process
4768	aspnet_regiis.exe

description	pid	process
Token: SeDebugPrivilege	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe

pid	process
4808	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe

description	pid	process	target process
PID 4144 wrote to memory of 2744	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	cvtres.exe
PID 4144 wrote to memory of 2744	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	cvtres.exe
PID 4144 wrote to memory of 2744	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	cvtres.exe
PID 4144 wrote to memory of 4768	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	aspnet_regiis.exe
PID 4144 wrote to memory of 4768	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	aspnet_regiis.exe
PID 4144 wrote to memory of 4768	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	aspnet_regiis.exe
PID 4144 wrote to memory of 4768	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	aspnet_regiis.exe
PID 4144 wrote to memory of 4768	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	aspnet_regiis.exe
PID 4144 wrote to memory of 4768	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	aspnet_regiis.exe
PID 4144 wrote to memory of 4768	4144	36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe	aspnet_regiis.exe

C:\Users\Admin\AppData\Local\Temp\36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
"C:\Users\Admin\AppData\Local\Temp\36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
2⤵
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
2⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
PID:4768

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\read-me.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:4808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\read-me.txt

Filesize
1KB

MD5
d8ff7d391a35d72b68f580a950fd9fd7

SHA1
ac9178b2641e38ee8e9f20856cfe03e0d0f28d93

SHA256
e29a33c8864cb0c20becb82b2cc8da1140f4f7448d5cf294f9b2ea48118e006c

SHA512
ba0530dc2370dfb351729c48bc0ca458afa0c2986538faaabb2686dc5eeb10e443ff3aaa956d7232576f2c270a4950f5aa76e194f2df9321209955ae7b863b43

Download Submit
C:\Users\Public\Videos\read-me.txt

Filesize
1KB

MD5
d8ff7d391a35d72b68f580a950fd9fd7

SHA1
ac9178b2641e38ee8e9f20856cfe03e0d0f28d93

SHA256
e29a33c8864cb0c20becb82b2cc8da1140f4f7448d5cf294f9b2ea48118e006c

SHA512
ba0530dc2370dfb351729c48bc0ca458afa0c2986538faaabb2686dc5eeb10e443ff3aaa956d7232576f2c270a4950f5aa76e194f2df9321209955ae7b863b43

Download Submit
memory/4144-16-0x0000000000DC0000-0x0000000000DCE000-memory.dmp

Filesize
56KB

Download
memory/4144-9-0x0000000000D90000-0x0000000000D9E000-memory.dmp

Filesize
56KB

Download
memory/4144-4-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download
memory/4144-18-0x0000000006270000-0x0000000006278000-memory.dmp

Filesize
32KB

Download
memory/4144-6-0x0000000004F70000-0x0000000004FF4000-memory.dmp

Filesize
528KB

Download
memory/4144-7-0x0000000006130000-0x000000000613F000-memory.dmp

Filesize
60KB

Download
memory/4144-8-0x0000000006230000-0x000000000623A000-memory.dmp

Filesize
40KB

Download
memory/4144-19-0x0000000006230000-0x000000000623A000-memory.dmp

Filesize
40KB

Download
memory/4144-10-0x0000000000DA0000-0x0000000000DCC000-memory.dmp

Filesize
176KB

Download
memory/4144-11-0x0000000000E00000-0x0000000000E2C000-memory.dmp

Filesize
176KB

Download
memory/4144-12-0x00000000062A0000-0x00000000062DC000-memory.dmp

Filesize
240KB

Download
memory/4144-13-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

Filesize
56KB

Download
memory/4144-14-0x00000000063A0000-0x000000000645A000-memory.dmp

Filesize
744KB

Download
memory/4144-20-0x0000000006280000-0x000000000628A000-memory.dmp

Filesize
40KB

Download
memory/4144-0-0x00000000004D0000-0x0000000000548000-memory.dmp

Filesize
480KB

Download
memory/4144-17-0x0000000006230000-0x0000000006238000-memory.dmp

Filesize
32KB

Download
memory/4144-5-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/4144-3-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/4144-15-0x0000000000DE0000-0x0000000000DFC000-memory.dmp

Filesize
112KB

Download
memory/4144-21-0x00000000062E0000-0x0000000006320000-memory.dmp

Filesize
256KB

Download
memory/4144-22-0x0000000006360000-0x00000000063A0000-memory.dmp

Filesize
256KB

Download
memory/4144-23-0x0000000006300000-0x000000000631A000-memory.dmp

Filesize
104KB

Download
memory/4144-24-0x00000000065C0000-0x000000000671A000-memory.dmp

Filesize
1.4MB

Download
memory/4144-25-0x0000000006320000-0x0000000006336000-memory.dmp

Filesize
88KB

Download
memory/4144-26-0x0000000006340000-0x0000000006354000-memory.dmp

Filesize
80KB

Download
memory/4144-27-0x0000000006470000-0x000000000647C000-memory.dmp

Filesize
48KB

Download
memory/4144-1-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/4144-179-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/4144-2-0x0000000004D20000-0x0000000004DBC000-memory.dmp

Filesize
624KB

Download
memory/4768-36-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4768-33-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4768-32-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4768-28-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads