globeimposter | 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-05-2022 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

star.exe
Size

360KB
MD5

2f121145ea11b36f9ade0cb8f319e40a
SHA1

d68049989ce98f71f6a562e439f6b6f0a165f003
SHA256

59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
SHA512

9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��67 43 6C 7D 19 38 B0 5D AC B7 66 0C 4A 04 55 36 8C A7 C5 3D 6E A3 18 E9 76 7D 60 E0 9A D7 53 4A A4 37 1C 65 87 06 2A 99 7F 92 CF B9 D9 48 94 C9 61 8E 04 B2 C1 75 B8 01 6F 2E 79 43 47 83 37 2E 22 67 15 08 3B F7 D4 46 74 D5 52 9A D2 F4 12 59 0C 80 97 66 F6 20 44 D8 0E 99 9E 17 60 98 D8 95 25 8A 94 CF D9 9A 53 B8 2E 8C F8 B9 68 D7 79 45 69 92 C0 EA 27 1F 69 F5 DF C9 4D 25 ED AD CF 17 AC E7 38 AF BF C7 C5 44 5E 48 60 2C 5D A6 C1 85 95 36 FA 92 00 31 20 50 41 DE 6C A9 DD 32 50 70 1F 48 3D 01 15 76 C0 A1 4E DB 58 F1 E6 57 64 6F 99 C8 6C 95 91 C0 22 9A 01 9D F2 4D 3F 9C 46 45 F7 3A A1 E8 E8 53 8D 73 A8 55 2C 47 61 ED 09 A4 F3 4F 99 8A 4F A4 3F 7E 5F AA 1F A4 B4 35 21 82 76 28 FE 6B 6B 51 25 0A 70 E3 52 CC 38 C8 FF ED 6B CC 6A 2A 0E CE B7 3D 5C 2F C0 3B 5E 2C A2 92

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ExitPop.png => C:\Users\Admin\Pictures\ExitPop.png.xls	star.exe
File opened for modification	C:\Users\Admin\Pictures\MountRevoke.tiff	star.exe
File renamed	C:\Users\Admin\Pictures\MountRevoke.tiff => C:\Users\Admin\Pictures\MountRevoke.tiff.xls	star.exe
File renamed	C:\Users\Admin\Pictures\PingMount.crw => C:\Users\Admin\Pictures\PingMount.crw.xls	star.exe
File renamed	C:\Users\Admin\Pictures\TestConnect.raw => C:\Users\Admin\Pictures\TestConnect.raw.xls	star.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	star.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe"	star.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	star.exe
File opened for modification	C:\Users\Public\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	star.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	star.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	star.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 1232	1800	star.exe	29

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00160_.WMF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0283209.GIF	star.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.Tools.Applications.Project.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageSlice.gif	star.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ContactPickerIntl.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00428_.WMF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51F.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+Connect to New Data Source.odc	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0295241.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04225_.WMF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\GWE.ICO	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49B.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14794_.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACTIP10.HLP	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanLetter.Dotx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.DPV	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePage.gif	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18211_.WMF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Urban.eftx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09194_.WMF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.DLL	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15018_.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Projects.accdt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01013_.WMF	star.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\oisctrl.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SPANISH.LNG	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\background.gif	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR37F.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18205_.WMF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PSTPRX32.DLL	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESP.CFG	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Public_Primary_CA.cer	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00040_.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_ON.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_COL.HXC	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\VelvetRose.css	star.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.XML	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.ES.XML	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Horizon.eftx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086426.WMF	star.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1716	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1716	1800	star.exe	27
PID 1800 wrote to memory of 1716	1800	star.exe	27
PID 1800 wrote to memory of 1716	1800	star.exe	27
PID 1800 wrote to memory of 1716	1800	star.exe	27
PID 1800 wrote to memory of 1232	1800	star.exe	29
PID 1800 wrote to memory of 1232	1800	star.exe	29
PID 1800 wrote to memory of 1232	1800	star.exe	29
PID 1800 wrote to memory of 1232	1800	star.exe	29
PID 1800 wrote to memory of 1232	1800	star.exe	29
PID 1800 wrote to memory of 1232	1800	star.exe	29
PID 1800 wrote to memory of 1232	1800	star.exe	29

C:\Users\Admin\AppData\Local\Temp\star.exe
"C:\Users\Admin\AppData\Local\Temp\star.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp697D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\star.exe
  "{path}"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  PID:1232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp697D.tmp

Filesize
1KB

MD5
b6923e4e3d518b37344300a5a9af0f4f

SHA1
35279530b84c8de57384bc0d9ef21034de6a2438

SHA256
7f606adc31e791d6e9e553ee4e10758ac53e534812f517a9e353da0ab12cba2d

SHA512
d5346240c2f32f203d20f2fb247311db09b81ea6e915bb0e34a8f53dff127e45e41259a4b471cf16a875434ddb7bc01adab2a91f0f9b6866ea4eedbc9bae4bb7

Download Submit
C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

Filesize
360KB

MD5
ec4943ce19c3be5836d63c95e4f42434

SHA1
a0750225e2bb6f5d46f9cafe1fef54351c87567e

SHA256
be5e7f6b1d6976709847d1a31d17c02be52d851b982366c36cc041e4c07e5e2e

SHA512
202fb96558e701c6e41bedf4f477605a93c23f2e5d80369f93b18b860a56ec37036580be6ae28f9fe8f385c913a69db723117f2652dc89e18eb1aef9a0501e72

Download Submit
memory/1232-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1232-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1232-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1232-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1232-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1800-57-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/1800-58-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/1800-56-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/1800-54-0x00000000001C0000-0x0000000000220000-memory.dmp

Filesize
384KB

Download
memory/1800-55-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads