globeimposter | c511c1a1978858cbd3383cdf4dcad8444fa5552d9204a635ace5905aa7227f3c

General

Target

39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
Size

51KB
MD5

e4e439fc5ade188ba2c69367ba6731b6
SHA1

d4b3b403b95d50a2feefa046441600e488b941f4
SHA256

39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde
SHA512

068d7ba1563bf528520a5106a99245896578ac88b0a3263383cdae8657403deba659c06f429dd83710d1f5afa324a49254dd68911382db71810f98a498e901e7

Score

10^/10

globeimposter persistence ransomware

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��AB 56 71 61 63 C8 F5 FF D7 62 3A 2F 56 0A 29 E6 C9 3E 9A 2E C6 63 2E CE 54 8D E8 C5 32 8C 39 3A D4 CC 96 5C 83 F9 D3 D2 36 D3 9B 94 DA 97 7F B5 BA 0C D0 A1 35 FE E7 B7 6A BE 9C B2 FE 39 84 07 1A D9 22 D9 62 0A C7 EF B7 47 F1 A7 46 C6 95 7B 27 B9 9F F0 58 27 F1 CD 25 C9 22 C6 2B D8 C7 9B 70 84 1D F2 B6 18 F2 91 5A 5E 74 0D 3B BC 70 9B F2 07 E3 41 A6 32 BC E2 7E FA AA 83 8C 90 EA 8D A0 70 15 7F EB 1F BA 1A DE E7 DE 54 E5 B2 76 C0 56 05 22 D7 88 05 8F 57 7B BF 31 E5 05 7A 29 0C D2 CA 2E 19 94 3C 9C 2D 07 EB E0 1D 16 52 35 96 A2 1F A6 22 80 A1 3F 19 16 8A 8E E6 48 D6 CF BD 1A 2D B1 42 78 0B 73 28 CD 57 D5 CD 7D 3B 67 B9 3C 1A BD A9 24 1F 0A 51 7C 15 1F 01 FB B2 68 65 1C EA BE BB AB 4B 1F 2A 2E C3 22 D5 43 5A 3D 91 3A 7C E7 D1 48 AE D0 85 ED 81 64 57 77 B0 EC 8B

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\WaitJoin.crw => C:\Users\Admin\Pictures\WaitJoin.crw.xls	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe"	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe

C:\Users\Admin\AppData\Local\Temp\39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe
"C:\Users\Admin\AppData\Local\Temp\39f5b60188d49196e6c10271a084a755f9553190898438b15107cdb950a4bbde.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1756-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing