globeimposter | 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

General

Target

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
Size

235KB
MD5

beca53ebe027a5200ae7b0158f2d742b
SHA1

1af422f5bd6f4c4ba570fcd4b823c86f675af85b
SHA256

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
SHA512

82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

Score

10^/10

globeimposter lockbit persistence ransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��81 F3 2B 4E 00 18 D2 15 8C 11 F0 E9 EE 9F AE 9D 7B AD 77 A2 E5 08 5F DF 98 49 93 35 B1 39 59 2F 03 E7 60 DE B6 C2 BE FC 93 EF 44 57 64 70 BB 81 D4 6D FF A7 A6 61 0A 66 EB F7 90 E8 B9 56 32 01 A3 95 C9 37 CA 00 3B 5F 02 CC 0A 23 3F E9 16 8F B8 5B E9 AE 71 C3 B6 2D B0 D6 49 E6 1B E2 AA 67 A7 2D B3 3B 44 58 D8 EC 33 F6 CF 8A 9C 9A A7 26 4C 39 F1 AA D8 E9 6A 54 78 F2 26 D1 3C ED 22 B5 85 DB 67 77 FF DF 74 77 98 5F 29 10 A0 D7 33 6B E1 A1 A2 1B 25 4B 4C 40 2A AB 52 48 6B 06 73 F1 E5 9A BD F6 5F A9 4A 89 F2 7D 34 72 48 21 81 9F 2E 7F A8 E1 74 9F 50 5A 57 0B 3B 28 D9 37 B1 24 F8 74 62 DF D2 3A 1A C4 64 E9 55 ED 00 4C 42 E0 BC 50 E1 66 0F D2 FA A6 BB 48 C7 87 C6 F1 0E ED FE F1 C7 6A 91 EF C1 DB F1 AD 0A 67 D8 90 FC FF 6A 08 8D 97 D0 4E E3 F5 1A 90 5A 8B A5 5A 8B A3 ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Executes dropped EXE 2 IoCs

pid	Process
1652	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
1784	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Loads dropped DLL 2 IoCs

pid	Process
1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Drops desktop.ini file(s) 12 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 1784	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe\:Zone.Identifier:$DATA	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2044	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	29
PID 1064 wrote to memory of 2044	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	29
PID 1064 wrote to memory of 2044	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	29
PID 1064 wrote to memory of 2044	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	29
PID 1064 wrote to memory of 2016	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	31
PID 1064 wrote to memory of 2016	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	31
PID 1064 wrote to memory of 2016	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	31
PID 1064 wrote to memory of 2016	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	31
PID 1064 wrote to memory of 1652	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	32
PID 1064 wrote to memory of 1652	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	32
PID 1064 wrote to memory of 1652	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	32
PID 1064 wrote to memory of 1652	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	32
PID 1064 wrote to memory of 1784	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	33
PID 1064 wrote to memory of 1784	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	33
PID 1064 wrote to memory of 1784	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	33
PID 1064 wrote to memory of 1784	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	33
PID 1064 wrote to memory of 1784	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	33
PID 1064 wrote to memory of 1784	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	33
PID 1064 wrote to memory of 1784	1064	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	33

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
"C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
  "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
  "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - NTFS ADS
  PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Filesize
235KB

MD5
beca53ebe027a5200ae7b0158f2d742b

SHA1
1af422f5bd6f4c4ba570fcd4b823c86f675af85b

SHA256
57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

SHA512
82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

Download Submit
C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Filesize
235KB

MD5
beca53ebe027a5200ae7b0158f2d742b

SHA1
1af422f5bd6f4c4ba570fcd4b823c86f675af85b

SHA256
57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

SHA512
82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

Download Submit
\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Filesize
235KB

MD5
beca53ebe027a5200ae7b0158f2d742b

SHA1
1af422f5bd6f4c4ba570fcd4b823c86f675af85b

SHA256
57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

SHA512
82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

Download Submit
\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Filesize
235KB

MD5
beca53ebe027a5200ae7b0158f2d742b

SHA1
1af422f5bd6f4c4ba570fcd4b823c86f675af85b

SHA256
57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

SHA512
82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

Download Submit
memory/1064-58-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/1064-56-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1064-55-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/1064-61-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/1064-54-0x0000000000DB0000-0x0000000000DF2000-memory.dmp

Filesize
264KB

Download
memory/1064-60-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/1784-65-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1784-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1784-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1784-73-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1784-74-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing