globeimposter | 067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3

General

Target

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
Size

267KB
MD5

7d67bbf0d095476eab63758fdc87fc59
SHA1

34adeff5d484e149ba5bcb6e24475c53fa2ae332
SHA256

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3
SHA512

b897fb073d25fd5dd052cf5733c40062d2c39649ce20d800ecbd1005f9d86e296c7e1a3455fc4251d24f2e9f45294b9a082ba28d9fbf410e9614c7bc514c7f84

Score

10^/10

globeimposter lockbit persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��80 4E 19 EB B4 97 3C A5 9C A9 99 BC 2C 5F 7C E4 97 8D B8 81 E3 98 FB 62 DD 00 D4 F9 6F CF 5D 9D 59 FE F6 D2 E7 58 C8 E3 D4 A1 D6 7E 67 B6 7F 6B 84 CD 9D CA A1 68 ED 3D FF 1C C4 ED D4 23 C8 FF D8 14 50 6D C1 70 86 1B FD 75 94 65 93 F6 E8 C7 5B 76 DD B5 B6 3E A4 B8 D2 BC E5 29 10 DE 98 C2 DE E5 52 D7 AC 8F 9A 4B A2 B3 96 91 11 41 1A AB 2A 9F F3 54 93 82 C5 E8 5C 20 AA 68 2E DA 96 CA F2 57 7E CC 4C 57 38 22 70 6A F2 30 16 CE D1 0F D9 8D FA 69 9F 9A 5D 1A 8C A4 ED C3 86 A3 12 D0 89 40 55 94 9E 47 3D 25 7F 92 B7 B2 93 59 7A 99 2B E2 2B 4A 42 DB 55 CE A9 27 BE 27 DA A3 68 6C EE 15 2B 87 89 BA 40 8D 56 2F 35 D2 B2 00 34 79 17 74 0D 3E 23 A3 FB 1A CB C1 76 BE B7 DF AA 8F 06 2D 4E 50 8C D4 7B 9B A1 88 C5 D2 4A 82 A7 BB 24 EF A1 AF D3 4B 8A DA C6 38 73 0B 78 76 7E 83 ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Executes dropped EXE 1 IoCs

Processes:

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

pid	Process
1296	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\BackupGroup.raw => C:\Users\Admin\Pictures\BackupGroup.raw.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File renamed	C:\Users\Admin\Pictures\ExitTest.crw => C:\Users\Admin\Pictures\ExitTest.crw.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File renamed	C:\Users\Admin\Pictures\StepUse.crw => C:\Users\Admin\Pictures\StepUse.crw.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File renamed	C:\Users\Admin\Pictures\UseRename.tif => C:\Users\Admin\Pictures\UseRename.tif.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Loads dropped DLL 1 IoCs

Processes:

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

pid	Process
1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe"	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

description	pid	Process	procid_target
PID 1664 set thread context of 1296	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

Processes:

cmd.execmd.exe067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe\:Zone.Identifier:$DATA	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

description	pid	Process
Token: SeDebugPrivilege	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

description	pid	Process	procid_target
PID 1664 wrote to memory of 1940	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	28
PID 1664 wrote to memory of 1940	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	28
PID 1664 wrote to memory of 1940	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	28
PID 1664 wrote to memory of 1940	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	28
PID 1664 wrote to memory of 2000	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	30
PID 1664 wrote to memory of 2000	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	30
PID 1664 wrote to memory of 2000	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	30
PID 1664 wrote to memory of 2000	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	30
PID 1664 wrote to memory of 1296	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	32
PID 1664 wrote to memory of 1296	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	32
PID 1664 wrote to memory of 1296	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	32
PID 1664 wrote to memory of 1296	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	32
PID 1664 wrote to memory of 1296	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	32
PID 1664 wrote to memory of 1296	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	32
PID 1664 wrote to memory of 1296	1664	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	32

C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
"C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
  "C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - NTFS ADS
  PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Filesize
267KB

MD5
7d67bbf0d095476eab63758fdc87fc59

SHA1
34adeff5d484e149ba5bcb6e24475c53fa2ae332

SHA256
067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3

SHA512
b897fb073d25fd5dd052cf5733c40062d2c39649ce20d800ecbd1005f9d86e296c7e1a3455fc4251d24f2e9f45294b9a082ba28d9fbf410e9614c7bc514c7f84

Download Submit
\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Filesize
267KB

MD5
7d67bbf0d095476eab63758fdc87fc59

SHA1
34adeff5d484e149ba5bcb6e24475c53fa2ae332

SHA256
067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3

SHA512
b897fb073d25fd5dd052cf5733c40062d2c39649ce20d800ecbd1005f9d86e296c7e1a3455fc4251d24f2e9f45294b9a082ba28d9fbf410e9614c7bc514c7f84

Download Submit
memory/1296-89-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1296-86-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1296-82-0x0000000000409F20-mapping.dmp

Download
memory/1296-81-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1296-79-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1296-78-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1664-62-0x00000000715A0000-0x0000000071D80000-memory.dmp

Filesize
7.9MB

Download
memory/1664-75-0x0000000002020000-0x000000000202C000-memory.dmp

Filesize
48KB

Download
memory/1664-64-0x0000000070840000-0x0000000071596000-memory.dmp

Filesize
13.3MB

Download
memory/1664-55-0x0000000072790000-0x0000000073B1F000-memory.dmp

Filesize
19.6MB

Download
memory/1664-66-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/1664-67-0x0000000000A40000-0x0000000000A46000-memory.dmp

Filesize
24KB

Download
memory/1664-68-0x0000000070520000-0x000000007083B000-memory.dmp

Filesize
3.1MB

Download
memory/1664-69-0x0000000073FB0000-0x0000000073FEB000-memory.dmp

Filesize
236KB

Download
memory/1664-70-0x0000000073E10000-0x0000000073FA4000-memory.dmp

Filesize
1.6MB

Download
memory/1664-71-0x000000006F800000-0x000000007051D000-memory.dmp

Filesize
13.1MB

Download
memory/1664-72-0x0000000071D80000-0x0000000072790000-memory.dmp

Filesize
10.1MB

Download
memory/1664-73-0x00000000715A0000-0x0000000071D80000-memory.dmp

Filesize
7.9MB

Download
memory/1664-74-0x0000000070840000-0x0000000071596000-memory.dmp

Filesize
13.3MB

Download
memory/1664-63-0x0000000074010000-0x0000000074133000-memory.dmp

Filesize
1.1MB

Download
memory/1664-76-0x000000006F360000-0x000000006F531000-memory.dmp

Filesize
1.8MB

Download
memory/1664-54-0x0000000000A90000-0x0000000000AD8000-memory.dmp

Filesize
288KB

Download
memory/1664-61-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/1664-88-0x0000000073E10000-0x0000000073FA4000-memory.dmp

Filesize
1.6MB

Download
memory/1664-59-0x0000000075581000-0x0000000075583000-memory.dmp

Filesize
8KB

Download
memory/1664-58-0x0000000071D80000-0x0000000072790000-memory.dmp

Filesize
10.1MB

Download
memory/1664-57-0x0000000072790000-0x0000000073B1F000-memory.dmp

Filesize
19.6MB

Download
memory/1664-56-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/1664-87-0x0000000072790000-0x0000000073B1F000-memory.dmp

Filesize
19.6MB

Download
memory/1940-60-0x0000000000000000-mapping.dmp

Download
memory/2000-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads