globeimposter | 18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a

General

Target

18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
Size

187KB
MD5

8f59ad7e91a0a875e8389931f8086196
SHA1

d644611bf6edec70568993896f6e95c6f1a577dc
SHA256

18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a
SHA512

67e459fcfa72fe71cd0387e7ee6267fbcd736d6f83461b08b6e6f284f8d1fb2cb2926bbb5879a7ff00fb468a3c05aa0fa4f09b64e9aecf1591cdefdcc4bb22ae

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\AssertPop.png => C:\Users\Admin\Pictures\AssertPop.png..doc	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File renamed	C:\Users\Admin\Pictures\ConvertToInstall.crw => C:\Users\Admin\Pictures\ConvertToInstall.crw..doc	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File renamed	C:\Users\Admin\Pictures\GroupWatch.crw => C:\Users\Admin\Pictures\GroupWatch.crw..doc	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File renamed	C:\Users\Admin\Pictures\ProtectSet.raw => C:\Users\Admin\Pictures\ProtectSet.raw..doc	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File renamed	C:\Users\Admin\Pictures\ResumeEdit.tif => C:\Users\Admin\Pictures\ResumeEdit.tif..doc	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File renamed	C:\Users\Admin\Pictures\UsePop.crw => C:\Users\Admin\Pictures\UsePop.crw..doc	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Pictures\PublishConvertFrom.tiff	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File renamed	C:\Users\Admin\Pictures\PublishConvertFrom.tiff => C:\Users\Admin\Pictures\PublishConvertFrom.tiff..doc	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File renamed	C:\Users\Admin\Pictures\UsePop.tif => C:\Users\Admin\Pictures\UsePop.tif..doc	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe

Loads dropped DLL 1 IoCs

pid	Process
4040	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe"	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4040 set thread context of 1108	4040	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1108	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
1108	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4040	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 1108	4040	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe	82
PID 4040 wrote to memory of 1108	4040	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe	82
PID 4040 wrote to memory of 1108	4040	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe	82
PID 4040 wrote to memory of 1108	4040	18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe	82

C:\Users\Admin\AppData\Local\Temp\18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
"C:\Users\Admin\AppData\Local\Temp\18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Users\Admin\AppData\Local\Temp\18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe
  "C:\Users\Admin\AppData\Local\Temp\18ef9d0649ea655ab0b8fea5e57ffb8a8493a0ac695863fb0290afe13d3bb01a.exe"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsz561.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/1108-132-0x0000000000400000-0x000000000040E600-memory.dmp

Filesize
57KB

Download

Analysis

Sharing