globeimposter | 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

General

Target

star.exe
Size

360KB
MD5

2f121145ea11b36f9ade0cb8f319e40a
SHA1

d68049989ce98f71f6a562e439f6b6f0a165f003
SHA256

59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
SHA512

9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Score

10^/10

globeimposter persistence ransomware

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��33 9A B5 50 35 F2 5D C4 8C 9E 10 A9 C9 EE B8 9D 36 3B A7 55 72 3E 79 6C 5C DB 3A A5 BA A1 52 DC 09 2C 52 15 98 80 3C 99 87 46 78 D8 2B FB B9 45 EC BA E1 4D F0 DE 52 89 14 59 75 25 8F 2A A6 9D C2 7D E2 34 D4 93 90 93 AC B4 5B 4B CB 58 AA 55 82 7C F7 66 11 1C 2A 8C A0 84 31 9F AB C2 BB F5 D7 07 FF 01 47 0B ED B1 A4 3E 53 FD F2 B1 1B 28 81 C3 FA D1 9F 23 D5 04 1B 53 EC 70 1B 8C 7F C9 9E C9 3B FA 1F 9C 94 A0 C7 07 97 5A EA 14 C0 62 10 E9 0F 53 C8 AE D8 50 6D 39 A5 56 F5 CC 94 51 B3 30 04 0C 60 99 8E C8 BB D5 50 F1 F3 8A 74 55 C9 A2 5A 6D 30 40 F0 25 DC 84 24 F5 AA B6 DF 80 92 D0 FA E7 65 96 05 47 87 7E 3B 19 E3 A9 08 62 DA A9 8A 8F C5 87 5A 42 4B FB FE 95 B0 E7 8C 37 65 0F 46 AA D8 7F 32 E6 D5 9C CD DE 50 DA 3A 18 C1 D7 66 7F 19 10 6D E2 1E D5 06 91 FA E1 9B FA

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

star.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ClearConvert.tif => C:\Users\Admin\Pictures\ClearConvert.tif.xls	star.exe
File renamed	C:\Users\Admin\Pictures\CompareBackup.raw => C:\Users\Admin\Pictures\CompareBackup.raw.xls	star.exe
File renamed	C:\Users\Admin\Pictures\ConfirmCompress.png => C:\Users\Admin\Pictures\ConfirmCompress.png.xls	star.exe
File renamed	C:\Users\Admin\Pictures\AssertSave.crw => C:\Users\Admin\Pictures\AssertSave.crw.xls	star.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

star.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	star.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

star.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	star.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe"	star.exe

Drops desktop.ini file(s) 21 IoCs

Processes:

star.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Searches\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	star.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	star.exe
File opened for modification	C:\Users\Public\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	star.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

star.exe

description	pid	Process	procid_target
PID 4748 set thread context of 4108	4748	star.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
1572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

star.exe

pid	Process
4748	star.exe
4748	star.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

star.exe

description	pid	Process
Token: SeDebugPrivilege	4748	star.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

star.exe

description	pid	Process	procid_target
PID 4748 wrote to memory of 1572	4748	star.exe	82
PID 4748 wrote to memory of 1572	4748	star.exe	82
PID 4748 wrote to memory of 1572	4748	star.exe	82
PID 4748 wrote to memory of 4800	4748	star.exe	84
PID 4748 wrote to memory of 4800	4748	star.exe	84
PID 4748 wrote to memory of 4800	4748	star.exe	84
PID 4748 wrote to memory of 4108	4748	star.exe	85
PID 4748 wrote to memory of 4108	4748	star.exe	85
PID 4748 wrote to memory of 4108	4748	star.exe	85
PID 4748 wrote to memory of 4108	4748	star.exe	85
PID 4748 wrote to memory of 4108	4748	star.exe	85
PID 4748 wrote to memory of 4108	4748	star.exe	85

C:\Users\Admin\AppData\Local\Temp\star.exe
"C:\Users\Admin\AppData\Local\Temp\star.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1572
- C:\Users\Admin\AppData\Local\Temp\star.exe
  "{path}"
  2⤵
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\star.exe
  "{path}"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCB.tmp

Filesize
1KB

MD5
4fc8eef9be6e571df6803b42f3f3f21d

SHA1
20011bfa76c71a014cb48c1bc886d704d146ed5d

SHA256
dd2db6e98213001cef2e75787ef0650cf43a3fee98c530353b4adb0bc410c02b

SHA512
8fd630c9ff98f1ac0b7a01ea70fbd5dc8f470adab385cbfc4b5bfbede62904f6f685ce2d00eebd055ab14e8fe431bf96287940562a70638a17d4431474398dba

Download Submit
memory/1572-136-0x0000000000000000-mapping.dmp

Download
memory/4108-139-0x0000000000000000-mapping.dmp

Download
memory/4108-140-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4108-142-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4108-143-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4108-144-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4748-133-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/4748-134-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/4748-135-0x00000000052A0000-0x00000000052F6000-memory.dmp

Filesize
344KB

Download
memory/4748-132-0x0000000005750000-0x0000000005CF4000-memory.dmp

Filesize
5.6MB

Download
memory/4748-131-0x0000000005100000-0x000000000519C000-memory.dmp

Filesize
624KB

Download
memory/4748-130-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4800-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads