
Windows Analysis Report Mm7Yq5V7Lu

Overview

General Information

Sample Name: Mm7Yq5V7Lu (renamed file extension from none to exe)
Analysis ID: 548760
MD5: 2f121145ea11b36f9ade0cb8f319e40a
SHA1: d68049989ce98f71f6a562e439f6b6f0a165f003
SHA256: 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
Tags: 32 exe trojan

Detection

Globeimposter
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Globeimposter Ransomware
Yara detected AntiVM3
Found ransom note / readme
Multi AV Scanner detection for dropped file
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Mm7Yq5V7Lu.exe (PID: 3024 cmdline: "C:\Users\user\Desktop\Mm7Yq5V7Lu.exe" MD5: 2F121145EA11B36F9ADE0CB8F319E40A)
    • schtasks.exe (PID: 6936 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\user\AppData\Local\Temp\tmp3BD7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Mm7Yq5V7Lu.exe (PID: 6252 cmdline: {path} MD5: 2F121145EA11B36F9ADE0CB8F319E40A)
  • Mm7Yq5V7Lu.exe (PID: 6980 cmdline: "C:\Users\user\AppData\Local\Mm7Yq5V7Lu.exe" MD5: 2F121145EA11B36F9ADE0CB8F319E40A)
    • schtasks.exe (PID: 6664 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\user\AppData\Local\Temp\tmp9002.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Mm7Yq5V7Lu.exe (PID: 4528 cmdline: {path} MD5: 2F121145EA11B36F9ADE0CB8F319E40A)
    • Mm7Yq5V7Lu.exe (PID: 6796 cmdline: {path} MD5: 2F121145EA11B36F9ADE0CB8F319E40A)
  • Mm7Yq5V7Lu.exe (PID: 6856 cmdline: "C:\Users\user\AppData\Local\Mm7Yq5V7Lu.exe" MD5: 2F121145EA11B36F9ADE0CB8F319E40A)
    • schtasks.exe (PID: 4348 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\user\AppData\Local\Temp\tmpB7BE.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Mm7Yq5V7Lu.exe (PID: 6416 cmdline: {path} MD5: 2F121145EA11B36F9ADE0CB8F319E40A)
    • Mm7Yq5V7Lu.exe (PID: 6088 cmdline: {path} MD5: 2F121145EA11B36F9ADE0CB8F319E40A)
    • Mm7Yq5V7Lu.exe (PID: 3092 cmdline: {path} MD5: 2F121145EA11B36F9ADE0CB8F319E40A)
    • Mm7Yq5V7Lu.exe (PID: 5664 cmdline: {path} MD5: 2F121145EA11B36F9ADE0CB8F319E40A)
  • EXCEL.EXE (PID: 1964 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde MD5: 5D6638F2C8F8571C593999C58866007E)
  • notepad.exe (PID: 3176 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read-me.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • cleanup

Malware Configuration

Threatname: GlobeImposter

{"Ransom Note": "All your files are Encrypted!\r\nFor data recovery needs decryptor.\r\nHow to buy decryptor:\r\n----------------------------------------------------------------------------------------\r\n\r\n| 1. Download Tor browser - https://www.torproject.org/ and install it.\r\n\r\n| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV\r\n               \r\n| 3. Create Ticket\r\n\r\n----------------------------------------------------------------------------------------\r\n\r\nNote! This link is available via Tor Browser only.\r\n\r\n------------------------------------------------------------\r\nor\r\nhttp://helpqvrg3cc5mvb3.onion/\r\n\r\nYour ID\r\n\r\n\u0000\u0000\u000067 0D B5 3D F6 72 46 45 EA F4 35 88 36 1B D3 0A\nA4 5C F3 89 B8 97 4A A6 3B 8D 1B 03 20 3F 20 FB\nA9 A9 BB F7 1D 8A 3E F3 F5 4C F1 75 40 F0 F9 40\nE7 0E 1A F5 A6 2C 34 4E EA 7E 57 FF C3 B0 D4 66\nC0 3A 96 97 4F D7 A5 2E F8 34 8C 85 9D 35 0D 82\n5C C4 72 95 44 72 E0 8C 13 47 E1 4B E4 06 9C 9C\n92 37 F5 A5 82 7E BD B8 8B 53 FC 81 5E 36 04 9D\n12 19 C5 B3 01 AC 42 2A DA 75 B7 FF E0 DC A7 A0\n72 7A 63 F5 DF D6 CF 9A 1F 22 EF B3 5F 90 95 5D\n30 CC D9 A2 AF 7F 0F F4 86 13 44 1F EF 77 E2 C0\nE2 CF CF 82 7A 3E E5 7A D3 02 EB 7B B0 30 B9 D2\nAC 29 2A AF EC C8 3D A9 AA B5 1D CE 27 B0 75 4C\n5F 0D FC 69 CA 00 78 C4 6A F5 D2 6A C8 7A BF 10\n6E 87 47 0F 27 E2 3D C8 E2 A9 71 09 DD A0 98 32\nE4 CF 64 F2 41 66 A4 8E FA DD 9C 6D 4A EF 7A F5\n79 91 A5 31 FC 9B 61 4E 9C 5D 08 F9 41 2A 1E 74\n"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\Public\AccountPictures\read-me.txt | JoeSecurity_Globeimposter | Yara detected Globeimposter Ransomware | Joe Security |
C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Code Cache\js\read-me.txt | JoeSecurity_Globeimposter | Yara detected Globeimposter Ransomware | Joe Security |