General

  • Target

    656a5cfc0f176a53f5da1635497c886e

  • Size

    1.9MB

  • Sample

    211205-kmkxnafaa7

  • MD5

    656a5cfc0f176a53f5da1635497c886e

  • SHA1

    1934b132e695562df0d36dd8df13dd2e47aadd35

  • SHA256

    a7f49d965383c1d18343a3469f482820f41ea3d8a908d3e8cf43de0c20aa7442

  • SHA512

    c21c16394350e3c0f1602ab128970af66b36a343f6644a60f3ded030f067003eb70f4dca12eb445ebd7131187b97d2ea97ecbab3d9df2978e0f07dc100d8d0bb

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Windows security bypass

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Windows security modification

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            ID      #
  Persistence      Registry Run Keys / Startup Folder   T1060   1
  Defense Evasion  Disabling Security Tools             T1089   2
  Defense Evasion  Modify Registry                      T1112   3
  Discovery        System Information Discovery         T1082   1

Tasks