globeimposter | 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

General

Target

star.exe
Size

360KB
MD5

2f121145ea11b36f9ade0cb8f319e40a
SHA1

d68049989ce98f71f6a562e439f6b6f0a165f003
SHA256

59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
SHA512

9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Score

10^/10

globeimposter persistence ransomware

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��3D 0D 1A 7A AF 47 27 8B 51 23 BF 0C 80 06 B7 59 78 E4 7A 0F 7D 20 83 17 1D DB BD DF 95 D0 61 B9 AD 2F 1F 62 F7 F4 77 08 A9 03 12 AE 42 B0 DF ED 87 81 BE 49 31 C5 5A C5 F3 31 7D 80 64 91 21 3D ED E4 F4 AD 6A 4D FA 0D 26 1F 1F A1 A1 AB F5 F9 93 D4 EE 11 4F 07 7D E4 90 C3 37 B2 00 4E B0 59 EF CE 24 A3 73 D7 E5 3F D8 6A 3E CF B8 3B 81 C6 82 D0 31 F9 96 54 C5 64 B6 39 66 F3 6F 92 E3 1C 95 74 BD DB 03 01 D4 9D D5 B4 82 F2 5B 12 67 69 19 CC E1 03 6B F5 96 66 E4 1D 35 A7 35 FA 2D CA 7B 2F C8 B1 A5 0D 7F 0A 47 29 BF 97 CC 54 9F B2 D7 74 D7 E8 A2 C2 21 31 15 44 AD 3B EE 31 8C 9E C5 98 B6 D7 E8 20 28 A0 A8 21 CC 14 44 70 D9 EF 53 B5 B6 5F A9 0E 3C E6 F4 67 23 DE 77 B6 5B 9C D3 79 3A 74 7D AA B6 EB 01 FE D2 57 C4 0B B3 87 DD 63 C3 AE 7D 33 BC 4B F2 30 75 5A 88 29 47 5D

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	star.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	star.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe"	star.exe

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	star.exe
File opened for modification	C:\Users\Public\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	star.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	star.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1832 set thread context of 3832	1832	star.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1232	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1232	1832	star.exe	86
PID 1832 wrote to memory of 1232	1832	star.exe	86
PID 1832 wrote to memory of 1232	1832	star.exe	86
PID 1832 wrote to memory of 3832	1832	star.exe	89
PID 1832 wrote to memory of 3832	1832	star.exe	89
PID 1832 wrote to memory of 3832	1832	star.exe	89
PID 1832 wrote to memory of 3832	1832	star.exe	89
PID 1832 wrote to memory of 3832	1832	star.exe	89
PID 1832 wrote to memory of 3832	1832	star.exe	89

C:\Users\Admin\AppData\Local\Temp\star.exe
"C:\Users\Admin\AppData\Local\Temp\star.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA345.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\star.exe
  "{path}"
  2⤵
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  PID:3832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA345.tmp

Filesize
1KB

MD5
a140b0e5062c89d008506078cc40d719

SHA1
4cb33bbf1e51c83d8f2a41609d9b8f7fdfd586c4

SHA256
64bedecbca9b6ade27a038f019ab74b887018e95c1af10d0c78f64930bf557b4

SHA512
fbd8b9358611c6c3a1c2f7dd8869507e99444d534f81b7115b9a66b5782e8500416415d665b51c153dc49202c23cf007a43dd7266534eb8f86c34307d72be8df

Download Submit
memory/1832-130-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1832-131-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/1832-132-0x00000000055C0000-0x0000000005B64000-memory.dmp

Filesize
5.6MB

Download
memory/1832-133-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/1832-134-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/1832-135-0x0000000005270000-0x00000000052C6000-memory.dmp

Filesize
344KB

Download
memory/3832-139-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3832-141-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3832-142-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads