globeimposter | 94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8

General

Target

94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
Size

53KB
MD5

471195021b3b1cd7d722a8d205aab53b
SHA1

c57dfae41f9c874334fa69407c5330da2a6450a1
SHA256

94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8
SHA512

5a3bced657339320b35d8b2b66573e0ab30b343325d453992ad725724025aced40688326164b55d6db748f63bde57a2b69a7ae730804a42f9839adbf373793a1

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��41 91 61 C9 8C 93 5E B1 09 75 A6 CD BE 59 7C C0 5C EC FB 3A E6 9E A4 AB 63 86 79 D4 06 5F 02 84 8F D5 F2 80 AE 9D 36 D4 F6 96 16 F4 54 08 92 B6 56 56 1B AA FA 85 1A 9D 2D BF E1 64 B8 E6 5C 8D 5F 5D E1 F9 1E A2 84 9B 14 DB 39 4E 3C 75 53 92 A2 B4 A9 A7 EA 44 22 59 76 7E B1 A1 D9 0F E0 D5 83 9B 4D BB 7A 42 BF 1C FA 2F 52 F1 A7 CA 93 7B FA 4F CB FE 2E E7 97 1C ED C4 73 54 C3 D8 31 31 31 44 75 F6 D0 4B 82 54 2E 79 68 65 CC 3C BC 67 CA 72 10 43 9D D4 85 49 73 9B 38 7A 97 BA E5 D4 BE F6 18 52 08 BD 13 B4 41 CB AD E6 80 D2 67 B5 DA C6 78 03 03 B1 F0 E4 81 90 26 FA 04 78 F4 AC C7 98 12 25 9B 40 4C EA 2E 92 89 6D 48 C3 9E 19 D9 35 68 5E 29 BA 24 6C 69 34 C0 56 CC 65 F0 DC 4B E9 B4 92 82 E9 56 41 E1 45 07 44 4E E2 85 92 34 93 85 9B 50 C8 EE 20 32 05 95 BE 6C 98 38 E7 </span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html> ��

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\AssertConvert.tiff => C:\Users\Admin\Pictures\AssertConvert.tiff.farataks	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
File renamed	C:\Users\Admin\Pictures\CloseRequest.raw => C:\Users\Admin\Pictures\CloseRequest.raw.farataks	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
File renamed	C:\Users\Admin\Pictures\EnterCompress.crw => C:\Users\Admin\Pictures\EnterCompress.crw.farataks	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
File renamed	C:\Users\Admin\Pictures\SearchGroup.crw => C:\Users\Admin\Pictures\SearchGroup.crw.farataks	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
File opened for modification	C:\Users\Admin\Pictures\UseFind.tiff	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
File renamed	C:\Users\Admin\Pictures\UseFind.tiff => C:\Users\Admin\Pictures\UseFind.tiff.farataks	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
File opened for modification	C:\Users\Admin\Pictures\AssertConvert.tiff	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
File renamed	C:\Users\Admin\Pictures\SaveTest.raw => C:\Users\Admin\Pictures\SaveTest.raw.farataks	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
File renamed	C:\Users\Admin\Pictures\JoinRename.raw => C:\Users\Admin\Pictures\JoinRename.raw.farataks	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe"	94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4232	svchost.exe
Token: SeCreatePagefilePrivilege	4232	svchost.exe
Token: SeShutdownPrivilege	4232	svchost.exe
Token: SeCreatePagefilePrivilege	4232	svchost.exe
Token: SeShutdownPrivilege	4232	svchost.exe
Token: SeCreatePagefilePrivilege	4232	svchost.exe
Token: SeSecurityPrivilege	2508	TiWorker.exe
Token: SeRestorePrivilege	2508	TiWorker.exe
Token: SeBackupPrivilege	2508	TiWorker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1444	SearchApp.exe

C:\Users\Admin\AppData\Local\Temp\94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe
"C:\Users\Admin\AppData\Local\Temp\94b93af30a42a23610bf583c0a56d7b46b122f3f42e576d223d152d0247831a8.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:3616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3616-135-0x000001D618AC0000-0x000001D618AC4000-memory.dmp

Filesize
16KB

Download
memory/4232-130-0x000002C371B20000-0x000002C371B30000-memory.dmp

Filesize
64KB

Download
memory/4232-131-0x000002C371B80000-0x000002C371B90000-memory.dmp

Filesize
64KB

Download
memory/4232-132-0x000002C374230000-0x000002C374234000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing