globeimposter | 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

General

Target

star.exe
Size

360KB
MD5

2f121145ea11b36f9ade0cb8f319e40a
SHA1

d68049989ce98f71f6a562e439f6b6f0a165f003
SHA256

59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
SHA512

9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��94 20 4B A0 14 B9 8F B1 49 4A 51 19 AD A5 6E 22 4C 99 62 30 BF 0D E5 9F 90 73 E1 4D 84 F0 00 29 7C 42 F6 B2 03 8F 51 AC C7 74 84 83 5A A7 9C 4F A3 B2 E5 F0 5B C0 46 29 41 71 04 4B 68 B7 6E AD 33 11 FB EC 6A 3D A1 5E F6 EF E9 50 CB 60 3C 1C 69 B7 FF ED 59 C7 48 F9 68 C0 29 1A 30 54 A8 A3 3F 61 9D 2B 37 8F 23 AD 68 61 FE 75 44 9D 8D FF 18 8C 5D D7 93 17 23 86 B1 7D 69 1A F9 80 95 92 45 CE 77 95 2D 60 D7 AB 4F 56 BC 60 1C 9A D2 9C EC 12 B8 45 50 EE 2E C5 73 30 2E 96 29 AE 0C 76 17 8A A1 C5 0C 3C 0B 91 DF CF 6A 39 14 93 8E 0A 5E 1E 1B 13 5D 65 0A 38 E9 1D 1F D0 59 55 68 DF A9 3B D2 C3 9B 2E 0E 11 12 5B A0 78 DE 2E 0D 00 C8 C6 48 60 05 7B D2 4F F6 03 9B FD 84 8E C6 C1 6D 7C DC 11 3A 0A B9 13 E9 83 EF 01 BD B0 C2 10 00 41 6D 72 6D 6F 2D 4E B0 7D 86 B7 87 7E 8D 62

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RepairMeasure.tif => C:\Users\Admin\Pictures\RepairMeasure.tif.xls	star.exe
File renamed	C:\Users\Admin\Pictures\UnpublishConvertTo.tif => C:\Users\Admin\Pictures\UnpublishConvertTo.tif.xls	star.exe
File renamed	C:\Users\Admin\Pictures\MountUnblock.tif => C:\Users\Admin\Pictures\MountUnblock.tif.xls	star.exe
File renamed	C:\Users\Admin\Pictures\PingRead.crw => C:\Users\Admin\Pictures\PingRead.crw.xls	star.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	star.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe"	star.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	star.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	star.exe
File opened for modification	C:\Users\Public\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	star.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	star.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2344 set thread context of 4764	2344	star.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1544	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1544	2344	star.exe	99
PID 2344 wrote to memory of 1544	2344	star.exe	99
PID 2344 wrote to memory of 1544	2344	star.exe	99
PID 2344 wrote to memory of 4764	2344	star.exe	101
PID 2344 wrote to memory of 4764	2344	star.exe	101
PID 2344 wrote to memory of 4764	2344	star.exe	101
PID 2344 wrote to memory of 4764	2344	star.exe	101
PID 2344 wrote to memory of 4764	2344	star.exe	101
PID 2344 wrote to memory of 4764	2344	star.exe	101

C:\Users\Admin\AppData\Local\Temp\star.exe
"C:\Users\Admin\AppData\Local\Temp\star.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE55F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\star.exe
  "{path}"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE55F.tmp

Filesize
1KB

MD5
243998c586e102d5706d22e1ccdb5781

SHA1
a8326b85c94e9f68b6a92c45551933fb5d5fdb52

SHA256
4bcf513eb854417da91582ebb18b08b740bddb3fb6973f3693cbcf65c76b4331

SHA512
720376589d9dcd21c138f4725b66a8b604b3d6691c61c3c980cc0cead4184da328906e669497276caee719363cdf09c19d11c4a4729983a7a632c817c0ab642d

Download Submit
C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

Filesize
360KB

MD5
57b076b700553392d4b27b8aec82086b

SHA1
916044c79d0f3db65bc4732877dee3e5dbfeaae2

SHA256
9ff43e411d773083b87f5f5814bf3497b5792e508c0fbede15f7231d2c3692c7

SHA512
5dd8744ea9710f533fc05512bd73c7dd8e5b47df96143724cd85acee6e0d4b4e2ab1baf3a00344195686b996e4c7351c64b97c487dc8aed005273b511f298ce9

Download Submit
memory/2344-133-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download
memory/2344-134-0x0000000004C30000-0x0000000004C3A000-memory.dmp

Filesize
40KB

Download
memory/2344-135-0x0000000004E80000-0x0000000004ED6000-memory.dmp

Filesize
344KB

Download
memory/2344-130-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2344-132-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/2344-131-0x0000000004B90000-0x0000000004C2C000-memory.dmp

Filesize
624KB

Download
memory/4764-139-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4764-141-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4764-142-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads