Malware Analysis Report

2024-10-18 23:00

Sample ID 220507-e2bpmsbga5
Target star.exe
SHA256 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
Tags: globeimposter persistence ransomware
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V6
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

Threat Level: Known bad

The file star.exe was found to be: Known bad.

Malicious Activity Summary

Tags: globeimposter persistence ransomware

- GlobeImposter
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Enumerates physical storage devices
- Suspicious use of WriteProcessMemory
- Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-07 04:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-07 04:25
Reported: 2022-05-07 04:39
Platform: win7-20220414-en
Max time kernel: 174s
Max time network: 48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\star.exe"

Signatures

GlobeImposter

Tags: ransomware globeimposter

Modifies extensions of user files

Tags: ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\CheckpointOpen.crw => C:\Users\Admin\Pictures\CheckpointOpen.crw.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConvertFromWrite.raw => C:\Users\Admin\Pictures\ConvertFromWrite.raw.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\RenameRedo.png => C:\Users\Admin\Pictures\RenameRedo.png.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\SelectUnprotect.raw => C:\Users\Admin\Pictures\SelectUnprotect.raw.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnprotectResolve.raw => C:\Users\Admin\Pictures\UnprotectResolve.raw.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\UpdateEdit.crw => C:\Users\Admin\Pictures\UpdateEdit.crw.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ApproveSearch.tiff | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\ApproveSearch.tiff => C:\Users\Admin\Pictures\ApproveSearch.tiff.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
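The rename rows above are the behaviour a detection engineer turns into a rule: one process appends the same new extension (.xls here) to files of several different original types in a short burst. The following is an added example, not code from the sandbox or from the report; it runs that logic over events constructed from the rows above. The timestamps, the two benign explorer.exe renames and the thresholds are assumptions made for illustration, since the report records no timing.

```python
"""Detect ransomware-style bulk renames that append a new extension.

Added example, not part of the sandbox report. The events below are
constructed from the "File renamed" rows of the behavioral1 run; the
timestamps, the two benign renames, and the thresholds are assumptions
made for illustration (the report itself records no timestamps).
"""
from collections import defaultdict
from pathlib import PureWindowsPath

STAR = r"C:\Users\Admin\AppData\Local\Temp\star.exe"
PICS = r"C:\Users\Admin\Pictures"

# (seconds since detonation, source path, destination path, renaming process)
SAMPLE_EVENTS = [
    (10.0, PICS + r"\CheckpointOpen.crw", PICS + r"\CheckpointOpen.crw.xls", STAR),
    (10.2, PICS + r"\ConvertFromWrite.raw", PICS + r"\ConvertFromWrite.raw.xls", STAR),
    (10.4, PICS + r"\RenameRedo.png", PICS + r"\RenameRedo.png.xls", STAR),
    (10.6, PICS + r"\SelectUnprotect.raw", PICS + r"\SelectUnprotect.raw.xls", STAR),
    (10.8, PICS + r"\UnprotectResolve.raw", PICS + r"\UnprotectResolve.raw.xls", STAR),
    (11.0, PICS + r"\UpdateEdit.crw", PICS + r"\UpdateEdit.crw.xls", STAR),
    (11.2, PICS + r"\ApproveSearch.tiff", PICS + r"\ApproveSearch.tiff.xls", STAR),
    # Constructed benign activity: an ordinary rename and a single backup copy.
    (12.0, r"C:\Users\Admin\Documents\draft.docx", r"C:\Users\Admin\Documents\final.docx", r"C:\Windows\explorer.exe"),
    (13.0, r"C:\Users\Admin\Documents\notes.txt", r"C:\Users\Admin\Documents\notes.txt.bak", r"C:\Windows\explorer.exe"),
]


def appended_extension(src, dst):
    """Return the suffix appended to src if dst == src + ".<ext>", else None.

    The check is case-insensitive and rejects a "suffix" that contains a path
    separator, so a move into a sub-directory is not mistaken for a rename.
    """
    if len(dst) <= len(src) + 1 or not dst.lower().startswith(src.lower() + "."):
        return None
    suffix = dst[len(src) + 1:]
    if "\\" in suffix or "/" in suffix:
        return None
    return suffix.lower()


def detect_extension_append(events, min_files=5, min_orig_exts=2, window=60.0):
    """Alert when one process appends the same extension to many files of
    different original types inside a sliding time window.

    Requiring several distinct original extensions separates encryption from
    a single tool that legitimately appends ".bak" or ".tmp" to one file type.
    """
    buckets = defaultdict(list)
    for ts, src, dst, proc in sorted(events):
        ext = appended_extension(src, dst)
        if ext is not None:
            buckets[(proc, ext)].append((ts, src))

    alerts = []
    for (proc, ext), hits in buckets.items():
        best, start = [], 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            if len(span) > len(best):
                best = span
        orig_exts = sorted({PureWindowsPath(s).suffix.lower() for _, s in best})
        if len(best) >= min_files and len(orig_exts) >= min_orig_exts:
            alerts.append({
                "process": proc,
                "new_ext": ext,
                "files": len(best),
                "original_extensions": orig_exts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_extension_append(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this yields a single alert for star.exe appending .xls to seven files of four original types, while explorer.exe's ordinary rename and single .bak copy stay below threshold. In production the same logic sits over file-system telemetry (for example Sysmon or an EDR's rename events) rather than a sandbox table.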

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe" | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1944 set thread context of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\star.exe

"C:\Users\Admin\AppData\Local\Temp\star.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp280B.tmp"

C:\Users\Admin\AppData\Local\Temp\star.exe

"{path}"
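Two persistence mechanisms are visible in this run: a RunOnce value named BrowserUpdateCheck pointing at a copy of the sample in AppData\Local, and a scheduled task created from an XML file in the user's Temp directory. The script below is an added example, not the sandbox's own code or anything from the report; it parses the exact command lines and registry rows shown above, keeps only launch points in user-writable locations, and tags each with its ATT&CK sub-technique. The benign schtasks /Query line, the benign OneDrive Run value, and the list of user-writable directories are constructed for contrast.

```python
"""Triage the persistence indicators in a sandbox report: schtasks /Create
fed from an XML file in the user's temp directory, and Run/RunOnce values
that point at a user-writable location.

Added example, not part of the original report. The command lines and
registry rows are copied from the two behavioral runs; the benign entries,
the list of user-writable directories and the ATT&CK sub-technique IDs
are the author's additions for illustration.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp280B.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA345.tmp"',
    # Constructed benign query for contrast.
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
]

SAMPLE_REG_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe"',
    # Constructed benign Run value under Program Files.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"',
]

# Directories a standard user can write to; a launch point here is worth a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

RUN_VALUE_RE = re.compile(
    r'\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)


def win_argv(cmdline):
    """Minimal Windows command-line tokenizer: whitespace splits, double
    quotes group, quotes are dropped. Enough for schtasks-style lines."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(cmdline):
    """Return {"verb": ..., "tn": ..., "xml": ..., ...} for a schtasks.exe
    command line, or None if the image is not schtasks.exe."""
    args = win_argv(cmdline)
    if not args or PureWindowsPath(args[0]).name.lower() != "schtasks.exe":
        return None
    opts, i = {}, 1
    while i < len(args):
        flag = args[i].lower()
        if flag in ("/create", "/delete", "/run", "/query", "/change"):
            opts["verb"] = flag[1:]
            i += 1
        elif flag in ("/tn", "/xml", "/tr", "/sc", "/ru") and i + 1 < len(args):
            opts[flag[1:]] = args[i + 1]
            i += 2
        else:
            i += 1
    return opts


def run_value_exe(data):
    """Extract the executable from Run-value data as the sandbox prints it
    (backslashes doubled): a quoted path, or everything up to the first .exe."""
    data = data.replace("\\\\", "\\")
    m = re.match(r'"([^"]+)"|(.+?\.exe)', data, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else data


def is_user_writable(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def triage_persistence(cmdlines, reg_rows):
    """Map the report's persistence rows to ATT&CK sub-techniques, keeping
    only entries whose launch point lives in a user-writable directory."""
    findings = []
    for cmd in cmdlines:
        opts = parse_schtasks(cmd)
        if not opts or opts.get("verb") != "create":
            continue
        xml = opts.get("xml", "")
        if xml and is_user_writable(xml):
            findings.append({"technique": "T1053.005", "name": opts.get("tn", ""), "source": xml})
    for row in reg_rows:
        m = RUN_VALUE_RE.search(row)
        if not m:
            continue
        exe = run_value_exe(m.group("data"))
        if is_user_writable(exe):
            findings.append({"technique": "T1547.001", "name": m.group("key") + "\\" + m.group("name"), "source": exe})
    return findings


if __name__ == "__main__":
    for finding in triage_persistence(SAMPLE_CMDLINES, SAMPLE_REG_ROWS):
        print(finding)
```

Note that the XML file handed to schtasks (tmp280B.tmp / tmpA345.tmp) is the only place the task's action and trigger are defined, and the report lists its hashes but not its contents; on a live host, dump the task with schtasks /Query /XML /TN "Updates\jVYbanglCI" to recover them.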

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp

Files

memory/1944-54-0x0000000000820000-0x0000000000880000-memory.dmp

memory/1944-55-0x0000000075801000-0x0000000075803000-memory.dmp

memory/1944-56-0x0000000000390000-0x000000000039A000-memory.dmp

memory/1944-57-0x0000000004BE0000-0x0000000004C46000-memory.dmp

memory/1944-58-0x00000000006B0000-0x00000000006C2000-memory.dmp

memory/2008-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp280B.tmp

MD5 bb910ae88dc840ba6e45389ffe6c6196
SHA1 640c0e3a1e918c12255a51f16ab6bb5ece1e85a6
SHA256 68be26cec28d3e64f867678c40994352ad27b2e92c0c7db9fdaf068b290541ee
SHA512 e6b95310c5b3ad7553e9992ade23934e4ed128959702ca39b9c27cf5408517e1b2ca336a2823323aaf841ca04a793030cbd60af6d40ec15f728981c9bf840fb1

memory/1088-61-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1088-62-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1088-64-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1088-65-0x0000000000409F20-mapping.dmp

memory/1088-68-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1088-69-0x0000000000400000-0x000000000040E000-memory.dmp
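The "set thread context" signature (PID 1944 acting on PID 1088), a second star.exe launched by the first with the sandbox placeholder command line "{path}", and the repeated dumps of a 0xE000-byte region at 0x400000 in PID 1088 together form the footprint that process hollowing (RunPE-style injection) leaves in sandbox output; the report itself only flags SetThreadContext and WriteProcessMemory, so that reading is an analyst's inference. The script below is an added example, not part of the report, that scores each SetThreadContext event on those corroborating facts. It takes PIDs, images, the signature text and dump names from this run; the process-creation records (including the parent PID 1000 of the first star.exe) are constructed, because the report lists processes without PIDs, and treating a small region at 0x400000 as the injected image at the default 32-bit image base is a heuristic.

```python
"""Correlate the "set thread context" signature with process lineage and
memory dumps to decide whether the sandbox saw process hollowing (RunPE).

Added example, not part of the report. The PIDs, image paths, signature
text and dump names are taken from the behavioral1 run; the parent PID of
the first star.exe (1000) and the process-creation records themselves are
constructed, since the report lists processes without PIDs. Treating a
small dumped region at 0x400000 as "the injected image at the default
32-bit image base" is a heuristic, not something the sandbox states.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)
CTX_RE = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+)$")

STAR = r"C:\Users\Admin\AppData\Local\Temp\star.exe"

# (pid, ppid, image, command line); ppid values are constructed.
SAMPLE_PROCESSES = [
    (1944, 1000, STAR, '"' + STAR + '"'),
    (2008, 1944, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp280B.tmp"'),
    (1088, 1944, STAR, "{path}"),
]
SAMPLE_SIGNATURES = ["PID 1944 set thread context of 1088"]
SAMPLE_DUMPS = [
    "memory/1944-54-0x0000000000820000-0x0000000000880000-memory.dmp",
    "memory/1944-57-0x0000000004BE0000-0x0000000004C46000-memory.dmp",
    "memory/2008-59-0x0000000000000000-mapping.dmp",
    "memory/1088-61-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/1088-65-0x0000000000409F20-mapping.dmp",
    "memory/1088-68-0x0000000000400000-0x000000000040E000-memory.dmp",
]


def parse_dumps(names):
    """Map pid -> set of (start, end) for full-region dumps; the
    '-mapping.dmp' entries carry only an address and are skipped."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.match(name)
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return regions


def find_hollowing(processes, signatures, dumps, image_base=0x400000, max_size=0x100000):
    """Score each SetThreadContext event on three corroborating facts:
    the target is the caller's child, it runs the caller's own image, and a
    small region was dumped at the default image base in the target."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in processes}
    regions = parse_dumps(dumps)
    findings = []
    for sig in signatures:
        m = CTX_RE.match(sig)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        if src not in by_pid or dst not in by_pid:
            continue
        ppid, image, _cmd = by_pid[dst]
        evidence = ["PID %d set thread context of PID %d" % (src, dst)]
        if ppid == src:
            evidence.append("target is a child of the caller")
        if image.lower() == by_pid[src][1].lower():
            evidence.append("target runs the caller's own image")
        at_base = [(s, e) for s, e in regions.get(dst, ()) if s == image_base and e - s <= max_size]
        if at_base:
            evidence.append("0x%X-byte region dumped at image base 0x%X" % (at_base[0][1] - at_base[0][0], image_base))
        if len(evidence) >= 3:
            findings.append({
                "caller": src,
                "target": dst,
                "confidence": "high" if len(evidence) == 4 else "medium",
                "evidence": evidence,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(SAMPLE_PROCESSES, SAMPLE_SIGNATURES, SAMPLE_DUMPS):
        print(finding)
```

For this run all four facts line up, so the 1944 -> 1088 event scores high; the 0x400000-0x40E000 dump from PID 1088 is the region to carve and unpack first, since it is the payload the outer star.exe wrote into its child. The same signature against the schtasks.exe child would score nothing, because neither the image nor a base-address dump matches.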

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-07 04:25
Reported: 2022-05-07 04:39
Platform: win10v2004-20220414-en
Max time kernel: 184s
Max time network: 190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\star.exe"

Signatures

GlobeImposter

Tags: ransomware globeimposter

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe" | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1832 set thread context of 3832 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\star.exe

"C:\Users\Admin\AppData\Local\Temp\star.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA345.tmp"

C:\Users\Admin\AppData\Local\Temp\star.exe

"{path}"

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp
US | 13.107.21.200:443 | | tcp
US | 8.8.8.8:53 | 6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp

Only the 93.184.220.29:80 connection is common to both runs. The reverse-DNS lookups via 8.8.8.8 and the 13.107.21.200:443 connection appear only in the Windows 10 run, and no signature in this report attributes them to the sample.

Files

memory/1832-130-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/1832-131-0x0000000004F70000-0x000000000500C000-memory.dmp

memory/1832-132-0x00000000055C0000-0x0000000005B64000-memory.dmp

memory/1832-133-0x00000000050B0000-0x0000000005142000-memory.dmp

memory/1832-134-0x0000000005010000-0x000000000501A000-memory.dmp

memory/1832-135-0x0000000005270000-0x00000000052C6000-memory.dmp

memory/1232-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA345.tmp

MD5 a140b0e5062c89d008506078cc40d719
SHA1 4cb33bbf1e51c83d8f2a41609d9b8f7fdfd586c4
SHA256 64bedecbca9b6ade27a038f019ab74b887018e95c1af10d0c78f64930bf557b4
SHA512 fbd8b9358611c6c3a1c2f7dd8869507e99444d534f81b7115b9a66b5782e8500416415d665b51c153dc49202c23cf007a43dd7266534eb8f86c34307d72be8df

memory/3832-138-0x0000000000000000-mapping.dmp

memory/3832-139-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3832-141-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3832-142-0x0000000000400000-0x000000000040E000-memory.dmp