globeimposter | 680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2

General

Target

680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
Size

53KB
MD5

0774b1ee36f43ed2350e2bdd4bdb3f36
SHA1

148a2b59389a9bf6a2c3e3cb6de841529a52efa3
SHA256

680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2
SHA512

dfaec3926c6ab545832a59dd64e997f20fc32dca133187bcea1cede8fa6772c040a670b1ee694baae5cdf3747b4e4ce4512a76f1ae867aac977f1e32d0a40afa

Score

10^/10

globeimposter locky persistence ransomware

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe"	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe

Drops desktop.ini file(s) 13 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe

C:\Users\Admin\AppData\Local\Temp\680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe
"C:\Users\Admin\AppData\Local\Temp\680b68bf2f022aea080cc2a864e591538daa5bab2022f373db567ab436263ac2.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
PID:308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-54-0x0000000076491000-0x0000000076493000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing