globeimposter | a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a

Analysis

max time kernel
179s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
11-02-2022 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
Size

53KB
MD5

6f76f956cd44ed86f462c2a4c17a640e
SHA1

25b34ea3cdcc5b6e3f94f27dc250c2f3d8cbd43b
SHA256

a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a
SHA512

b95bc1a7a4c57a0849e8b0adb24996750bdb676208057d4a4b5c682662ab4903210bbf968b7aa37e8d8d2be2535495c75f2a28347b0b50ace1d695747f59df8a

Score

10^/10

globeimposter persistence ransomware

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��00 9F 81 09 D7 C2 AD D7 EA 7C 71 A1 E2 CC 83 CF 26 26 4F 23 F8 A4 06 0F 24 0D BF DD E5 CD E9 9D 2C 6B 21 A3 3B 79 F8 B6 CD 37 64 26 77 3E FB B2 E6 35 42 DD F8 77 52 93 73 22 54 0C ED D8 9D 27 95 20 70 6E 02 EE 9C 36 60 17 82 9E E9 56 67 61 AC DF 61 0C 37 A7 7F F1 A6 EF 3B AF DB 39 7F E6 91 F0 FF CA F2 8B 50 9B 5C 9B 2E 4C D1 DF B5 A9 1E 8E E3 2E BE A1 74 97 24 97 1A 80 09 D3 E6 8A 34 3F 79 A4 B2 51 BF 74 96 E5 A9 A4 F6 6E F3 D2 73 F6 47 0C 30 FF DF 5A 34 4C 92 DC 3D 9C C3 CB FC BD 26 CE C1 32 3E D3 9A 89 96 B5 0E AB 53 E8 E6 1D AC C1 D2 08 BE F0 E2 2E 3E 24 9B 04 2A 12 CE 98 AF 5E 41 55 0A 16 01 1A 9A 36 9A C8 9B 70 EA A9 8A C3 75 CA D3 FC 43 7E 00 3C 09 AE 2F B6 36 66 3B 50 66 8F B9 F4 DE F0 20 2A E3 80 AE 37 4C 4F 33 43 53 99 62 28 F7 2D 27 D7 BC 9D 5A 9D </span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="mailto:[email protected] ">[email protected] </a> <br><a href="mailto:[email protected]">[email protected]</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html> �

Emails

href="mailto:[email protected]

">[email protected]

href="mailto:[email protected]">[email protected]</a>

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConvertToStop.crw => C:\Users\Admin\Pictures\ConvertToStop.crw.deadfiles30	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File renamed	C:\Users\Admin\Pictures\DismountRead.png => C:\Users\Admin\Pictures\DismountRead.png.deadfiles30	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Pictures\EnterCheckpoint.tiff	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File renamed	C:\Users\Admin\Pictures\NewBackup.crw => C:\Users\Admin\Pictures\NewBackup.crw.deadfiles30	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File renamed	C:\Users\Admin\Pictures\SubmitRemove.raw => C:\Users\Admin\Pictures\SubmitRemove.raw.deadfiles30	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File renamed	C:\Users\Admin\Pictures\UpdateMeasure.crw => C:\Users\Admin\Pictures\UpdateMeasure.crw.deadfiles30	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File renamed	C:\Users\Admin\Pictures\EnterCheckpoint.tiff => C:\Users\Admin\Pictures\EnterCheckpoint.tiff.deadfiles30	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Pictures\InstallDismount.tiff	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File renamed	C:\Users\Admin\Pictures\InstallDismount.tiff => C:\Users\Admin\Pictures\InstallDismount.tiff.deadfiles30	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Pictures\RedoMove.tiff	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File renamed	C:\Users\Admin\Pictures\RedoMove.tiff => C:\Users\Admin\Pictures\RedoMove.tiff.deadfiles30	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File renamed	C:\Users\Admin\Pictures\RegisterStart.tif => C:\Users\Admin\Pictures\RegisterStart.tif.deadfiles30	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File renamed	C:\Users\Admin\Pictures\RequestDebug.raw => C:\Users\Admin\Pictures\RequestDebug.raw.deadfiles30	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe"	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe

Drops desktop.ini file(s) 20 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	912	svchost.exe
Token: SeCreatePagefilePrivilege	912	svchost.exe
Token: SeShutdownPrivilege	912	svchost.exe
Token: SeCreatePagefilePrivilege	912	svchost.exe
Token: SeShutdownPrivilege	912	svchost.exe
Token: SeCreatePagefilePrivilege	912	svchost.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe
Token: SeRestorePrivilege	1204	TiWorker.exe
Token: SeSecurityPrivilege	1204	TiWorker.exe
Token: SeBackupPrivilege	1204	TiWorker.exe

C:\Users\Admin\AppData\Local\Temp\a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe
"C:\Users\Admin\AppData\Local\Temp\a04845100beaa75790cb22a8ff02aa6f543fe9392fd82194f7d150c4b686de5a.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
PID:3480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-130-0x000001A494530000-0x000001A494540000-memory.dmp

Filesize
64KB

Download
memory/912-131-0x000001A494590000-0x000001A4945A0000-memory.dmp

Filesize
64KB

Download
memory/912-132-0x000001A497290000-0x000001A497294000-memory.dmp

Filesize
16KB

Download