globeimposter | 36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd

General

Target

2c72015e22b53c215403979536bce826.exe
Size

454KB
MD5

2c72015e22b53c215403979536bce826
SHA1

39eb8e3c2cef23d1c7a3f5c3133f40ecc98c1cf1
SHA256

36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd
SHA512

0d2e590b0c32de661ab94c0f7a0eccbbc2bac637120b0148e04b05a826ca5858e6d147e0011bd5094f260e5ff0d3dafbf9bc2c4df099adc3ac5c98d50b6df4b1

Score

10^/10

globeimposter ransomware

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��4A 2C 23 EC 6B 16 FD C4 53 3D 6C F2 40 A7 4A 3E A8 34 C7 46 41 4C 94 1F 78 35 77 29 A8 8C D7 37 00 E8 49 AE 66 98 AF 14 E4 19 2F B4 C0 A0 48 AB D2 F5 9E 77 82 00 F5 AA A1 60 E0 2B 02 5A 52 57 10 5D 8B 8E 80 06 CD 80 82 79 CC 55 6E 19 80 CC 2F 80 ED 9F 5B DA 69 29 77 6F E5 E7 8E E4 67 9F 06 92 7A 2D DE 3E 3B E7 6E 5B EA D7 DB F6 9E 2F 9B 80 0D 50 56 E5 E0 CA 8A DA DF F8 07 B3 DC 22 B6 5D A9 3A 74 50 B1 E1 B6 87 76 6D 9A 6F FE 4D 3D D6 D7 DD 3B C3 0B 81 61 87 2E B9 47 9E 9B 71 91 0B 98 0E FF B4 9C 21 A4 90 04 A0 B2 5F 1A 77 B7 FA 22 6D DA 15 B4 BA A9 57 E3 B1 96 A3 CB C8 E3 A2 86 47 47 AB B7 17 90 D0 AE 44 46 D3 4F 49 41 78 D4 51 4E 4B 5B 40 FC E3 E3 C4 B3 1C F0 4F F1 19 DD 90 0C D5 63 FF DF 8D 79 51 61 16 AD 5A A1 87 C2 20 34 FF 87 30 6B BA 55 09 C4 2B E6 4F

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ngen.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ResetSkip.crw => C:\Users\Admin\Pictures\ResetSkip.crw.xls	ngen.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveDeny.tiff	ngen.exe
File renamed	C:\Users\Admin\Pictures\RemoveDeny.tiff => C:\Users\Admin\Pictures\RemoveDeny.tiff.xls	ngen.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

ngen.exe

description	ioc	process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ngen.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	ngen.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ngen.exe
File opened for modification	C:\Program Files\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	ngen.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ngen.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ngen.exe
File opened for modification	C:\Users\Public\desktop.ini	ngen.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	ngen.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	ngen.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ngen.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	ngen.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ngen.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2c72015e22b53c215403979536bce826.exe

description pid process target process

PID 3140 set thread context of 1316 3140 2c72015e22b53c215403979536bce826.exe ngen.exe

description	pid	process	target process
PID 3140 set thread context of 1316	3140	2c72015e22b53c215403979536bce826.exe	ngen.exe

Drops file in Program Files directory 64 IoCs

Processes:

ngen.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\jquery.ui.touch-punch.js	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LargeKlondikeTile.jpg	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms	ngen.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\read-me.txt	ngen.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_opencarat_18.svg	ngen.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsusf_plugin.dll	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML	ngen.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\mc.jar	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-256.png	ngen.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\toivo.png	ngen.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\MedTile.scale-125.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\iq_60x42.png	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms	ngen.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\read-me.txt	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\LargeTile.scale-125.png	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll	ngen.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_sv_135x40.svg	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\OneNoteAppContracts.dll	ngen.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-white.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gd_60x42.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1249_36x36x32.png	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.scale-200.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\so_16x11.png	ngen.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\ui-strings.js	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-32.png	ngen.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Sign_White@1x.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-white_scale-200.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-US.PhoneNumber.SMS.model	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxSignature.p7x	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-125_contrast-black.png	ngen.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\read-me.txt	ngen.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\read-me.txt	ngen.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.8883896e.pri	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-oob.xrm-ms	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml	ngen.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml	ngen.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8794_24x24x32.png	ngen.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\ui-strings.js	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerpointmui.msi.16.en-us.vreg.dat	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-20_altform-unplated.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Western.jpg	ngen.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\ui-strings.js	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-60_altform-unplated_contrast-white.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-US.PostalAddress.model	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sd_60x42.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Square310x310Logo.scale-100.png	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-xstate-l2-1-0.dll	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML	ngen.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar	ngen.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\ui-strings.js	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated_contrast-white.png	ngen.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\ui-strings.js	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\SmallTile.scale-100.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-250.png	ngen.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-125.png	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL	ngen.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ppd.xrm-ms	ngen.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2c72015e22b53c215403979536bce826.exe

pid process

3140 2c72015e22b53c215403979536bce826.exe
3140 2c72015e22b53c215403979536bce826.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

ngen.exe

pid process

1316 ngen.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2c72015e22b53c215403979536bce826.exe

description pid process

Token: SeDebugPrivilege 3140 2c72015e22b53c215403979536bce826.exe

pid	process
3140	2c72015e22b53c215403979536bce826.exe
3140	2c72015e22b53c215403979536bce826.exe

pid	process
1316	ngen.exe

description	pid	process
Token: SeDebugPrivilege	3140	2c72015e22b53c215403979536bce826.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2c72015e22b53c215403979536bce826.exe

description	pid	process	target process
PID 3140 wrote to memory of 1316	3140	2c72015e22b53c215403979536bce826.exe	ngen.exe
PID 3140 wrote to memory of 1316	3140	2c72015e22b53c215403979536bce826.exe	ngen.exe
PID 3140 wrote to memory of 1316	3140	2c72015e22b53c215403979536bce826.exe	ngen.exe
PID 3140 wrote to memory of 1316	3140	2c72015e22b53c215403979536bce826.exe	ngen.exe
PID 3140 wrote to memory of 1316	3140	2c72015e22b53c215403979536bce826.exe	ngen.exe
PID 3140 wrote to memory of 1316	3140	2c72015e22b53c215403979536bce826.exe	ngen.exe
PID 3140 wrote to memory of 1316	3140	2c72015e22b53c215403979536bce826.exe	ngen.exe

C:\Users\Admin\AppData\Local\Temp\2c72015e22b53c215403979536bce826.exe
"C:\Users\Admin\AppData\Local\Temp\2c72015e22b53c215403979536bce826.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
2⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
PID:1316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1316-124-0x0000000000409F20-mapping.dmp

Download
memory/1316-127-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1316-126-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1316-125-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1316-123-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3140-118-0x0000000003080000-0x000000000311C000-memory.dmp

Filesize
624KB

Download
memory/3140-121-0x0000000006A80000-0x0000000006A8D000-memory.dmp

Filesize
52KB

Download
memory/3140-122-0x0000000006B80000-0x0000000006BA3000-memory.dmp

Filesize
140KB

Download
memory/3140-120-0x00000000058D0000-0x0000000005950000-memory.dmp

Filesize
512KB

Download
memory/3140-119-0x00000000030C0000-0x00000000030F8000-memory.dmp

Filesize
224KB

Download
memory/3140-115-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3140-117-0x0000000003090000-0x0000000003093000-memory.dmp

Filesize
12KB

Download
memory/3140-116-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads