globeimposter | 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-06-2022 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

star.exe
Size

360KB
MD5

2f121145ea11b36f9ade0cb8f319e40a
SHA1

d68049989ce98f71f6a562e439f6b6f0a165f003
SHA256

59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
SHA512

9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��65 1A C3 B3 1E D3 06 8D FE 58 C0 1C 62 13 D8 04 45 9F 70 B5 99 40 8A A0 0A 30 2D 1A A8 2D 8F A3 64 D1 34 79 09 19 54 76 AE 76 93 23 80 55 60 76 51 3C 25 EB 38 BE C2 F7 3C 38 0B 29 3F 21 BE B3 5F D6 DD B4 C6 E1 8C 11 D9 3D C0 E6 1A F6 32 4E 71 FC 19 EF 81 C3 27 BF DD 64 BF E0 E8 36 50 2A C5 DC C8 C4 76 8B 08 31 00 8E 39 8D 36 4C A3 32 FD 6C 2B 3E 5C 26 D8 11 34 0B 07 C5 92 00 4D FE E8 CE 1D C1 A4 F5 69 A2 26 41 9B FC 4A FD DB AA BE FC 9E 14 68 BE 2C D7 E8 0C 95 51 C3 D1 BC D6 9F F8 F7 C5 DE 6A A0 94 BD D6 17 E4 5D FD F2 64 0F 92 36 C9 1C E5 53 A3 12 4C BA 85 B3 06 93 02 06 8D 93 EC E4 BD 00 C5 FB E4 2A 10 A5 34 B3 66 F1 04 81 8B C4 84 AD 2F F5 02 3B B4 E5 58 11 5C EA ED 84 07 EB 4D 63 0D 36 35 AB 10 96 22 C7 55 6F CF 39 B8 52 63 AC 12 50 C3 54 80 14 E7 AD A1

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\AddPush.tif => C:\Users\Admin\Pictures\AddPush.tif.xls	star.exe
File renamed	C:\Users\Admin\Pictures\CompressInstall.tif => C:\Users\Admin\Pictures\CompressInstall.tif.xls	star.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToRequest.tiff	star.exe
File renamed	C:\Users\Admin\Pictures\ConvertToRequest.tiff => C:\Users\Admin\Pictures\ConvertToRequest.tiff.xls	star.exe
File renamed	C:\Users\Admin\Pictures\InvokeExport.raw => C:\Users\Admin\Pictures\InvokeExport.raw.xls	star.exe
File renamed	C:\Users\Admin\Pictures\ReceiveInvoke.raw => C:\Users\Admin\Pictures\ReceiveInvoke.raw.xls	star.exe
File renamed	C:\Users\Admin\Pictures\RemoveConfirm.tif => C:\Users\Admin\Pictures\RemoveConfirm.tif.xls	star.exe
File renamed	C:\Users\Admin\Pictures\UnblockUninstall.png => C:\Users\Admin\Pictures\UnblockUninstall.png.xls	star.exe
File renamed	C:\Users\Admin\Pictures\UnlockLock.raw => C:\Users\Admin\Pictures\UnlockLock.raw.xls	star.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	star.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe"	star.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	star.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	star.exe
File opened for modification	C:\Users\Public\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	star.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	star.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 1280	1696	star.exe	30

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEAWSDC.DLL	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98SP.POC	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid.gif	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Code_Signing_2001-4_CA.cer	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime.css	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.DPV	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML	star.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_COL.HXC	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_OFF.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDIRM.XML	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN092.XML	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Major Indicies.iqy	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_COL.HXC	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.DPV	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\attention.gif	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR26F.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Users.accdt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\LASER.WAV	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CLVWINTL.DLL	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLISTI.DLL	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREETING.DPV	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL001.XML	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEMS.ICO	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURL.ICO	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Newsprint.dotx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_TexturedBlue.gif	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EntityDataHandler.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL078.XML	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTINTERNET.NET.XML	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBHD.XML	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL077.XML	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.TW.XML	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\SignedComponents.cer	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLIST.CHM	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Formal.dotx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow.css	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOMS.ICO	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV.HXS	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OMSINTL.DLL	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_en.dub	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\msproof7.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.DLL	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTLVBA.DLL	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.REST.IDX_DLL	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_ON.GIF	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanMergeLetter.Dotx	star.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSSMS.CFG	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ORG97.SAM	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tabs.accdt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	star.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1420	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1420	1696	star.exe	28
PID 1696 wrote to memory of 1420	1696	star.exe	28
PID 1696 wrote to memory of 1420	1696	star.exe	28
PID 1696 wrote to memory of 1420	1696	star.exe	28
PID 1696 wrote to memory of 1280	1696	star.exe	30
PID 1696 wrote to memory of 1280	1696	star.exe	30
PID 1696 wrote to memory of 1280	1696	star.exe	30
PID 1696 wrote to memory of 1280	1696	star.exe	30
PID 1696 wrote to memory of 1280	1696	star.exe	30
PID 1696 wrote to memory of 1280	1696	star.exe	30
PID 1696 wrote to memory of 1280	1696	star.exe	30

C:\Users\Admin\AppData\Local\Temp\star.exe
"C:\Users\Admin\AppData\Local\Temp\star.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F76.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\star.exe
  "{path}"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6F76.tmp

Filesize
1KB

MD5
27cb4ca940005c867da111b7fc422907

SHA1
bee062cdbafd01a56586c42da8b8974ef05077b0

SHA256
ef8edea78648042891efe5100ec476a326efe4202bcd6d8e0c2c20cac7ac7b47

SHA512
b20a747da044d45129c177d4d6b46560e11395d7d265de7674c31e100df9009db659a64b689000270cfc734c499ac3b4fc2d2ae07c72682f10742e735abf1c5e

Download Submit
C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

Filesize
360KB

MD5
a58056b89124ec6ce5edfcb433954e02

SHA1
371c8ba3919cf416eeeb72c564b7673f41a5b52b

SHA256
66f45bb9ddabf7184f08e741504688016d3c0ee9fae850ab9eb119f9dab4c39e

SHA512
a414f260a99f806538d25602bca0410840f42fe2534fd5f1ac7569369f8e319c454f7be71000fdecdf7b6d57750c2203b1ed4042c9608d91c2b5dbdb510d0e62

Download Submit
memory/1280-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1280-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1280-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1280-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1280-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1696-57-0x0000000004DB0000-0x0000000004E16000-memory.dmp

Filesize
408KB

Download
memory/1696-58-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1696-56-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/1696-54-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1696-55-0x0000000075371000-0x0000000075373000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads