globeimposter | 57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

General

Target

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
Size

235KB
MD5

beca53ebe027a5200ae7b0158f2d742b
SHA1

1af422f5bd6f4c4ba570fcd4b823c86f675af85b
SHA256

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53
SHA512

82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

Score

10^/10

globeimposter lockbit persistence ransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��83 41 3E D8 9A 2E 92 01 7A 7A 7B 5B 57 D8 D6 7E A7 3B FE E7 F9 42 6E 3D 79 6B B5 B8 F1 8F 12 F6 E3 1C 39 54 A9 CB A1 DD 78 BA 1E A3 B1 3D 29 1D 2A AA E1 79 CF 5F B8 FA 3A 5D 48 6E A0 A7 34 C1 DA FD 04 7D 31 47 93 37 70 63 D5 EF 1E A3 4A 19 B6 D5 C3 CB 7E EA 99 AA 25 66 02 A8 55 BD 54 83 84 6B B2 16 21 9B FD 5A 94 4F 86 03 28 F3 01 22 15 70 1E 2C 61 0E 6E E1 22 88 DA 55 BC AE 13 A3 83 84 8F 6A 77 D9 6C F3 59 17 96 C4 9E 50 14 C5 E7 B9 E1 3A 58 C0 29 42 8D 64 4A 73 55 9E EB D4 02 90 39 AC B9 4A E8 81 28 99 FA 55 5E 3A A5 DA B3 4B 60 8A 86 09 77 F3 08 82 59 08 B1 35 B1 BB 01 DC 4A 69 5F 36 6B A6 C7 D8 21 11 95 DE 6A 97 B7 C0 F5 A5 A6 E2 01 72 6B 5D 5E F3 1B 1F D8 45 B9 05 28 3B 1C 41 40 FF BE D7 5E 62 04 85 44 5B D7 6B E2 52 98 8D 9C 9D 1A 72 17 9C C6 24 84 E7 ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Executes dropped EXE 2 IoCs

Processes:

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

pid	Process
212	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
1988	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

description	pid	Process	procid_target
PID 936 set thread context of 1988	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

Processes:

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.execmd.execmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe\:Zone.Identifier:$DATA	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
File created	C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

description	pid	Process
Token: SeDebugPrivilege	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

description	pid	Process	procid_target
PID 936 wrote to memory of 3128	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	83
PID 936 wrote to memory of 3128	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	83
PID 936 wrote to memory of 3128	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	83
PID 936 wrote to memory of 1944	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	85
PID 936 wrote to memory of 1944	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	85
PID 936 wrote to memory of 1944	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	85
PID 936 wrote to memory of 212	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	92
PID 936 wrote to memory of 212	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	92
PID 936 wrote to memory of 212	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	92
PID 936 wrote to memory of 1988	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	93
PID 936 wrote to memory of 1988	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	93
PID 936 wrote to memory of 1988	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	93
PID 936 wrote to memory of 1988	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	93
PID 936 wrote to memory of 1988	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	93
PID 936 wrote to memory of 1988	936	57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe	93

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
"C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:3128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
  "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe
  "C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Filesize
235KB

MD5
beca53ebe027a5200ae7b0158f2d742b

SHA1
1af422f5bd6f4c4ba570fcd4b823c86f675af85b

SHA256
57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

SHA512
82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

Download Submit
C:\Users\Admin\AppData\Local\Temp\57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53.exe

Filesize
235KB

MD5
beca53ebe027a5200ae7b0158f2d742b

SHA1
1af422f5bd6f4c4ba570fcd4b823c86f675af85b

SHA256
57358385c4878e612c40af007a27ad7c1bfcd106a0fd07237fe5a8e0681bcd53

SHA512
82d92d315b8a2505d4af0590da25dbd78a6f1c8cbc37317dc6963b0e15b88fc935165b6390e29c9221ff2ee86050bf3d6ee6d0bbb6479f7fd501a9a47c92bf80

Download Submit
memory/212-139-0x0000000000000000-mapping.dmp

Download
memory/936-138-0x00000000014A0000-0x000000000153C000-memory.dmp

Filesize
624KB

Download
memory/936-134-0x0000000006210000-0x00000000063D2000-memory.dmp

Filesize
1.8MB

Download
memory/936-135-0x0000000006990000-0x0000000006F34000-memory.dmp

Filesize
5.6MB

Download
memory/936-137-0x0000000006150000-0x00000000061E2000-memory.dmp

Filesize
584KB

Download
memory/936-130-0x0000000000CC0000-0x0000000000D02000-memory.dmp

Filesize
264KB

Download
memory/936-132-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/936-131-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/1944-136-0x0000000000000000-mapping.dmp

Download
memory/1988-141-0x0000000000000000-mapping.dmp

Download
memory/1988-142-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1988-145-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1988-146-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3128-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads