globeimposter | 13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920

General

Target

13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
Size

167KB
MD5

612974dcb49adef982d9ad8d9cbdde36
SHA1

b817e361bd0cc1819d7f6a1189f0f5d56ed48721
SHA256

13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920
SHA512

84d5acbb8f258683bb6735539e368c2823218d2a6cf07222a50e1e026e3a0aca092941110e87b1d38a601c6a1e3d54604c2f4241c3ec265ed0bf25140a14c2fc

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnprotectConvertFrom.tiff => C:\Users\Admin\Pictures\UnprotectConvertFrom.tiff..doc	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File renamed	C:\Users\Admin\Pictures\FindAdd.raw => C:\Users\Admin\Pictures\FindAdd.raw..doc	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File renamed	C:\Users\Admin\Pictures\FormatCompare.tif => C:\Users\Admin\Pictures\FormatCompare.tif..doc	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectConvertFrom.tiff	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe"	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe

Drops desktop.ini file(s) 24 IoCs

Processes:

13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Public\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe

pid	process
3280	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
3280	13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe

C:\Users\Admin\AppData\Local\Temp\13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe
"C:\Users\Admin\AppData\Local\Temp\13e164380585fe44ac56ed10bd1ed5e42873a85040aee8c40d7596fc05f28920.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
PID:3280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3280-130-0x00000000007FE000-0x0000000000808000-memory.dmp

Filesize
40KB

Download
memory/3280-131-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/3280-132-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads