Globeimposter Ransomware Delivered via Necurs Botnet | VMRay Analyzer Report
Analysis Information
Creation Time: 2017-12-05 16:56 (UTC+1)
VM Analysis Duration Time: 00:05:24
Execution Successful: True
Sample Filename: MSC000000981631.vbs
Command Line Parameters: False
Prescript: False
Number of Processes: 14
Termination Reason: Timeout
Reputation Enabled: True
VTI Information
VTI Score: 100 / 100
VTI Database Version: 2.6
VTI Rule Match Count: 40
VTI Rule Type: Scripts
Tags
#ransomware #globeimposter
Remarks
Critical The maximum number of extracted files was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration.
Critical The dump total size limit was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Critical The operating system was rebooted during the analysis.
Critical The maximum number of dumps was reached during the analysis. Some memory dumps may be missing in the reports. You can increase the limit in the configuration.
Monitored Processes
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID
#1 | 0xe98 | Analysis Target | High (Elevated) | cscript.exe | "C:\Windows\System32\CScript.exe" "C:\Users\CIIHMN~1\Desktop\MSC000~1.VBS" | -
#3 | 0xf8c | Child Process | High (Elevated) | cmd.exe | "C:\Windows\System32\cmd.exe" /c call "C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe" | #1
#5 | 0xfac | Child Process | High (Elevated) | vworbzlbc.exe | "C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe" | #3
#6 | 0xfe0 | Child Process | High (Elevated) | vworbzlbc.exe | "C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe" | #5
#7 | 0xff4 | Child Process | High (Elevated) | taskkill.exe | taskkill /F /T /PID 2784 | #6
#11 | 0xd40 | Autostart | Medium | vworbzlbc.exe | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe" | -
#12 | 0xd94 | Child Process | Medium | vworbzlbc.exe | "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe" | #11
#13 | 0xe40 | Child Process | Medium | cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\CIIHMN~1\AppData\Local\Temp\tmpAD23.tmp.bat | #12
#15 | 0xe68 | Child Process | Medium | cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe > nul | #12
#16 | 0xe74 | Child Process | Medium | vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet | #13
#17 | 0xe8c | Child Process | Medium | reg.exe | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f | #13
#18 | 0xe98 | Child Process | Medium | reg.exe | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f | #13
#19 | 0xea4 | Child Process | Medium | reg.exe | reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" | #13
#20 | 0xeb0 | Child Process | Medium | attrib.exe | attrib Default.rdp -s -h | #13
Sample Information
ID: #20392
MD5 Hash Value: 22f0830e8954547036afb0df08283b18
SHA1 Hash Value: d18a0df0bd2393221f0bbd17e48d6c4ac1ea28f6
SHA256 Hash Value: 7a18bffd01eeab08a3f88d35ba5d09106690ea62d01e43d950b6b842ab6c4e76
Filename: MSC000000981631.vbs
File Size: 4.71 KB (4818 bytes)
File Type: VBScript
Analyzer and Virtual Machine Information
Analyzer Version: 2.2.0
Analyzer Build Date: 2017-12-05 14:47
Internet Explorer Version: 11.0.10240.16384
Chrome Version: 58.0.3029.110
Firefox Version: 53.0.3
Flash Version: 25.0.0.148
Java Version: 8.0.1310.11
VM Name: win10_64
VM Architecture: x86 64-bit
VM OS: Windows 10 Threshold 1
VM Kernel Version: 10.0.10240.16384 (c68ee22f-dcf6-4778-95c5-4a862be16567)