globeimposter | 2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88

Analysis

max time kernel
149s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
15-06-2022 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe
Size

261KB
MD5

860b89a4138f744adbe41cee1de0848f
SHA1

6367510a18f07252168ebdd7029f0e6cde919b8c
SHA256

2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88
SHA512

ed651840d87f8f5a79e2c9b57ae20f8d9e76dc14479cbbebd6f51b3f1ee95ecce70f791172f89c1d606a483c1f26bb247ade535d33e92211094931c80292ee2d

Score

10^/10

globeimposter lockbit evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://alcx6zctcmhmn3kx.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELO ###s6dlsnhtjwbhr###ED56F6A208E3EB2###

URLs

http://alcx6zctcmhmn3kx.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2636	bcdedit.exe
4892	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4520	wbadmin.exe

Executes dropped EXE 1 IoCs

pid	Process
4728	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\""	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4472 set thread context of 4728	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4856	vssadmin.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1932	taskkill.exe
924	taskkill.exe
260	taskkill.exe
1824	taskkill.exe
1952	taskkill.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe
Token: SeDebugPrivilege	260	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeBackupPrivilege	2020	vssvc.exe
Token: SeRestorePrivilege	2020	vssvc.exe
Token: SeAuditPrivilege	2020	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2696	WMIC.exe
Token: SeSecurityPrivilege	2696	WMIC.exe
Token: SeTakeOwnershipPrivilege	2696	WMIC.exe
Token: SeLoadDriverPrivilege	2696	WMIC.exe
Token: SeSystemProfilePrivilege	2696	WMIC.exe
Token: SeSystemtimePrivilege	2696	WMIC.exe
Token: SeProfSingleProcessPrivilege	2696	WMIC.exe
Token: SeIncBasePriorityPrivilege	2696	WMIC.exe
Token: SeCreatePagefilePrivilege	2696	WMIC.exe
Token: SeBackupPrivilege	2696	WMIC.exe
Token: SeRestorePrivilege	2696	WMIC.exe
Token: SeShutdownPrivilege	2696	WMIC.exe
Token: SeDebugPrivilege	2696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2696	WMIC.exe
Token: SeRemoteShutdownPrivilege	2696	WMIC.exe
Token: SeUndockPrivilege	2696	WMIC.exe
Token: SeManageVolumePrivilege	2696	WMIC.exe
Token: 33	2696	WMIC.exe
Token: 34	2696	WMIC.exe
Token: 35	2696	WMIC.exe
Token: 36	2696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2696	WMIC.exe
Token: SeSecurityPrivilege	2696	WMIC.exe
Token: SeTakeOwnershipPrivilege	2696	WMIC.exe
Token: SeLoadDriverPrivilege	2696	WMIC.exe
Token: SeSystemProfilePrivilege	2696	WMIC.exe
Token: SeSystemtimePrivilege	2696	WMIC.exe
Token: SeProfSingleProcessPrivilege	2696	WMIC.exe
Token: SeIncBasePriorityPrivilege	2696	WMIC.exe
Token: SeCreatePagefilePrivilege	2696	WMIC.exe
Token: SeBackupPrivilege	2696	WMIC.exe
Token: SeRestorePrivilege	2696	WMIC.exe
Token: SeShutdownPrivilege	2696	WMIC.exe
Token: SeDebugPrivilege	2696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2696	WMIC.exe
Token: SeRemoteShutdownPrivilege	2696	WMIC.exe
Token: SeUndockPrivilege	2696	WMIC.exe
Token: SeManageVolumePrivilege	2696	WMIC.exe
Token: 33	2696	WMIC.exe
Token: 34	2696	WMIC.exe
Token: 35	2696	WMIC.exe
Token: 36	2696	WMIC.exe
Token: SeBackupPrivilege	3568	wbengine.exe
Token: SeRestorePrivilege	3568	wbengine.exe
Token: SeSecurityPrivilege	3568	wbengine.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 2936	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	85
PID 4472 wrote to memory of 2936	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	85
PID 4472 wrote to memory of 2936	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	85
PID 4472 wrote to memory of 1912	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	90
PID 4472 wrote to memory of 1912	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	90
PID 4472 wrote to memory of 1912	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	90
PID 4472 wrote to memory of 4728	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	95
PID 4472 wrote to memory of 4728	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	95
PID 4472 wrote to memory of 4728	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	95
PID 4472 wrote to memory of 4728	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	95
PID 4472 wrote to memory of 4728	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	95
PID 4472 wrote to memory of 4728	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	95
PID 4472 wrote to memory of 4728	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	95
PID 4472 wrote to memory of 4728	4472	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	95
PID 4728 wrote to memory of 4952	4728	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	96
PID 4728 wrote to memory of 4952	4728	2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe	96
PID 4952 wrote to memory of 260	4952	cmd.exe	98
PID 4952 wrote to memory of 260	4952	cmd.exe	98
PID 4952 wrote to memory of 1824	4952	cmd.exe	99
PID 4952 wrote to memory of 1824	4952	cmd.exe	99
PID 4952 wrote to memory of 1952	4952	cmd.exe	100
PID 4952 wrote to memory of 1952	4952	cmd.exe	100
PID 4952 wrote to memory of 1932	4952	cmd.exe	101
PID 4952 wrote to memory of 1932	4952	cmd.exe	101
PID 4952 wrote to memory of 924	4952	cmd.exe	102
PID 4952 wrote to memory of 924	4952	cmd.exe	102
PID 4952 wrote to memory of 4856	4952	cmd.exe	103
PID 4952 wrote to memory of 4856	4952	cmd.exe	103
PID 4952 wrote to memory of 2696	4952	cmd.exe	106
PID 4952 wrote to memory of 2696	4952	cmd.exe	106
PID 4952 wrote to memory of 2636	4952	cmd.exe	107
PID 4952 wrote to memory of 2636	4952	cmd.exe	107
PID 4952 wrote to memory of 4892	4952	cmd.exe	108
PID 4952 wrote to memory of 4892	4952	cmd.exe	108
PID 4952 wrote to memory of 4520	4952	cmd.exe	109
PID 4952 wrote to memory of 4520	4952	cmd.exe	109

C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe
"C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe
  "C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /f /im sql* & taskkill /f /im backup* & taskkill /f /im MSExchange* & taskkill /f /im Microsoft.Exchange.* & taskkill /f /im mysql* & vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im sql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:260
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im backup*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1824
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MSExchange*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1952
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1932
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im mysql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:924
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4856
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2696
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2636
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4892
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1360

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe.log

Filesize
1008B

MD5
48497b2121b393b389626441c9c8a2dc

SHA1
ee56247723ae1d5393ba5de0774ba9215ca80f96

SHA256
570f18ef08f5ae4a5c160809f3de9835a9a417ba5fd337fefc7773a48d39911d

SHA512
e95066be559113e958cc5b11432791fee180d620acd32afbf3578dfeb1071f483f6b2c58df9df052f756e511bd8e459f199ec68f481275bf7fe2df86778f6821

Download Submit
C:\Users\Admin\AppData\Local\Temp\2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88.exe

Filesize
261KB

MD5
860b89a4138f744adbe41cee1de0848f

SHA1
6367510a18f07252168ebdd7029f0e6cde919b8c

SHA256
2aee7ed6cc10cf7e0c86c166586c400c8dab691924d3ef69b1c612ef570bcb88

SHA512
ed651840d87f8f5a79e2c9b57ae20f8d9e76dc14479cbbebd6f51b3f1ee95ecce70f791172f89c1d606a483c1f26bb247ade535d33e92211094931c80292ee2d

Download Submit
memory/4472-135-0x00000000063D0000-0x0000000006592000-memory.dmp

Filesize
1.8MB

Download
memory/4472-130-0x0000000000DF0000-0x0000000000E34000-memory.dmp

Filesize
272KB

Download
memory/4472-131-0x0000000005750000-0x0000000005772000-memory.dmp

Filesize
136KB

Download
memory/4472-138-0x0000000001530000-0x00000000015CC000-memory.dmp

Filesize
624KB

Download
memory/4472-134-0x0000000006780000-0x0000000006D24000-memory.dmp

Filesize
5.6MB

Download
memory/4472-133-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/4472-137-0x00000000062B0000-0x0000000006342000-memory.dmp

Filesize
584KB

Download
memory/4728-143-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4728-140-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4728-144-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads