globeimposter | 067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3

General

Target

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
Size

267KB
MD5

7d67bbf0d095476eab63758fdc87fc59
SHA1

34adeff5d484e149ba5bcb6e24475c53fa2ae332
SHA256

067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3
SHA512

b897fb073d25fd5dd052cf5733c40062d2c39649ce20d800ecbd1005f9d86e296c7e1a3455fc4251d24f2e9f45294b9a082ba28d9fbf410e9614c7bc514c7f84

Score

10^/10

globeimposter lockbit persistence ransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��7C 46 E8 FF 8C 52 C4 61 BA 95 B2 85 58 BD BC F1 F8 4F 20 01 C8 BB 6B 43 25 56 87 B2 7E 94 78 3A A0 D1 C2 76 53 2A EC 24 01 89 6B 5C 45 A8 DF 18 26 B9 0C F0 5E EF C2 41 7C 72 42 42 82 33 4D DF C6 AC 2D 02 E8 43 B3 3D 67 79 C4 7D 7D CA 1A 90 D6 4F E2 96 50 D9 7D DE 96 FC 36 36 D8 64 19 57 9C 69 0E 4B A2 4F 1B 3A 52 42 C3 94 1C 42 93 F0 DD 5D 56 2B B5 BE F3 73 A6 FE C3 07 2A 21 87 FF D0 E2 77 A9 99 86 2C 74 54 3A A3 E0 4F 11 78 5C 8A 91 FC B0 48 D6 C7 8B 7C D5 48 E3 F8 1E 2D A4 14 DD 25 6B F3 88 CD 64 4F 6D 97 3D 62 68 2F EA 23 D1 93 C4 26 5A F2 BA A7 F4 8F D2 15 2A 73 F1 B0 84 A3 BC 89 BB 2F 4E E4 2E 70 2E 8E 67 E2 C3 3E 46 5E 71 ED 57 21 F4 15 9B 69 5E 91 39 81 D3 D7 F4 49 ED 81 D4 9D B1 2A CF CA 11 16 68 B3 C2 B3 3D 62 12 6B 65 1A 8F 8C 58 19 E5 E8 E3 F8 A8 ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Executes dropped EXE 1 IoCs

pid	Process
3896	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\MountTest.png => C:\Users\Admin\Pictures\MountTest.png.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File renamed	C:\Users\Admin\Pictures\RemoveExport.tif => C:\Users\Admin\Pictures\RemoveExport.tif.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Pictures\StepOpen.tiff	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File renamed	C:\Users\Admin\Pictures\SubmitUnregister.crw => C:\Users\Admin\Pictures\SubmitUnregister.crw.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File renamed	C:\Users\Admin\Pictures\ExportInitialize.png => C:\Users\Admin\Pictures\ExportInitialize.png.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File renamed	C:\Users\Admin\Pictures\ImportTrace.tif => C:\Users\Admin\Pictures\ImportTrace.tif.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File renamed	C:\Users\Admin\Pictures\PushConvertFrom.tif => C:\Users\Admin\Pictures\PushConvertFrom.tif.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File renamed	C:\Users\Admin\Pictures\StepOpen.tiff => C:\Users\Admin\Pictures\StepOpen.tiff.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File renamed	C:\Users\Admin\Pictures\CompressSend.png => C:\Users\Admin\Pictures\CompressSend.png.DOCM	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe"	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Drops desktop.ini file(s) 18 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4020 set thread context of 3896	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe\:Zone.Identifier:$DATA	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2208	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	85
PID 4020 wrote to memory of 2208	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	85
PID 4020 wrote to memory of 2208	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	85
PID 4020 wrote to memory of 2740	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	88
PID 4020 wrote to memory of 2740	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	88
PID 4020 wrote to memory of 2740	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	88
PID 4020 wrote to memory of 3896	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	90
PID 4020 wrote to memory of 3896	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	90
PID 4020 wrote to memory of 3896	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	90
PID 4020 wrote to memory of 3896	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	90
PID 4020 wrote to memory of 3896	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	90
PID 4020 wrote to memory of 3896	4020	067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe	90

C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
"C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe
  "C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - NTFS ADS
  PID:3896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3.exe

Filesize
267KB

MD5
7d67bbf0d095476eab63758fdc87fc59

SHA1
34adeff5d484e149ba5bcb6e24475c53fa2ae332

SHA256
067c2cfa9e227c4fe191b6dbd936120f8acd48efeb767429d13960137dfb60b3

SHA512
b897fb073d25fd5dd052cf5733c40062d2c39649ce20d800ecbd1005f9d86e296c7e1a3455fc4251d24f2e9f45294b9a082ba28d9fbf410e9614c7bc514c7f84

Download Submit
memory/3896-140-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3896-143-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3896-144-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4020-134-0x00000000056A0000-0x00000000056C2000-memory.dmp

Filesize
136KB

Download
memory/4020-135-0x0000000006990000-0x0000000006F34000-memory.dmp

Filesize
5.6MB

Download
memory/4020-133-0x0000000006210000-0x00000000063D2000-memory.dmp

Filesize
1.8MB

Download
memory/4020-137-0x0000000006120000-0x00000000061B2000-memory.dmp

Filesize
584KB

Download
memory/4020-138-0x00000000015E0000-0x000000000167C000-memory.dmp

Filesize
624KB

Download
memory/4020-130-0x0000000000C40000-0x0000000000C88000-memory.dmp

Filesize
288KB

Download
memory/4020-132-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing