globeimposter | 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

Analysis

max time kernel
146s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
26-06-2022 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

star.exe
Size

360KB
MD5

2f121145ea11b36f9ade0cb8f319e40a
SHA1

d68049989ce98f71f6a562e439f6b6f0a165f003
SHA256

59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
SHA512

9211a74cfa23c70c6ace8bd168ecbe1bb4a06d2e03b5adff5546115137b6ce849d3e41337581123d48e5082319f507d8f2d274621317fada182530e4a0abb6c7

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��02 67 2E 9B C9 FE 3A 87 64 AA 6D 2A 6B 12 6A 5E F3 E5 3C FC E4 BB F4 EE 5A F0 C5 FA F4 D3 54 35 86 73 F0 BD C4 1C 04 E0 6C 7D C3 49 32 D6 2E FE 97 51 EA 89 E5 37 F3 B1 3C 91 E3 A1 12 89 39 F3 8E B7 FF 2D 96 94 36 96 A0 06 7B 65 99 07 A6 18 36 E1 14 CF 99 DD 9D 9D 3C 15 2D A0 39 8E EE E8 C0 E1 2F 25 7E 7E BA 7A E4 FA 06 0B 08 59 8D F0 BA D2 43 BE E2 1C A5 FA 51 53 B6 8F 74 FB 3C B4 E1 CF 0C 6F FC 57 28 A8 00 42 C6 E4 81 52 FA 89 52 30 1D 1E 06 43 E1 C5 77 C6 FE FA D9 70 A6 99 44 05 E6 C0 48 18 BB AD B2 1F B7 8F 43 33 8A 86 7E 30 7D 1C 2A D5 19 BB E9 64 6C EF 9C 21 65 27 AA 12 5E 87 69 63 63 60 6B 35 90 DE 5B 22 21 7B 63 7B B8 38 4F 2B 69 3D 4A 77 DB 5E D9 C1 90 C2 D4 00 00 CD 4D 64 4B 80 AA 86 15 42 EA 9A CC AB 11 CC CD 87 9B 63 66 FE 50 21 A3 CF 9F 71 65 95

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\CompressCheckpoint.tif => C:\Users\Admin\Pictures\CompressCheckpoint.tif.xls	star.exe
File renamed	C:\Users\Admin\Pictures\JoinSet.png => C:\Users\Admin\Pictures\JoinSet.png.xls	star.exe
File renamed	C:\Users\Admin\Pictures\RegisterSend.png => C:\Users\Admin\Pictures\RegisterSend.png.xls	star.exe
File renamed	C:\Users\Admin\Pictures\RequestRead.raw => C:\Users\Admin\Pictures\RequestRead.raw.xls	star.exe
File renamed	C:\Users\Admin\Pictures\RestoreRequest.png => C:\Users\Admin\Pictures\RestoreRequest.png.xls	star.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	star.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe"	star.exe

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Music\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	star.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	star.exe
File opened for modification	C:\Users\Public\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	star.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	star.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	star.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1720	2024	star.exe	30

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\System.AddIn.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll	star.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryResume.dotx	star.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\VSTAProjectUI.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieLetter.dotx	star.exe
File created	C:\Program Files (x86)\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfigInternal.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.ComRPCChannel.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceer35EN.dll	star.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\UserControl.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\FeedSync.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BillingStatement.xltx	star.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip	star.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfo.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\CodeFile.zip	star.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.Tools.Applications.Project.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceqp35.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieResume.dotx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\ResourceInternal.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Microsoft.Synchronization.Data.Server.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceoledb35.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ContemporaryPhotoAlbum.potx	star.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\VSTAClientPkg.dll	star.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.AddInManager.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Microsoft.Synchronization.Data.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\Synchronization.rll	star.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyMergeLetter.dotx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\VSTAClientPkgUI.dll	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BloodPressureTracker.xltx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyResume.dotx	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\TextFile.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\SynchronizationEula.rtf	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceme35.dll	star.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\read-me.txt	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	star.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip	star.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
360	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 360	2024	star.exe	28
PID 2024 wrote to memory of 360	2024	star.exe	28
PID 2024 wrote to memory of 360	2024	star.exe	28
PID 2024 wrote to memory of 360	2024	star.exe	28
PID 2024 wrote to memory of 1720	2024	star.exe	30
PID 2024 wrote to memory of 1720	2024	star.exe	30
PID 2024 wrote to memory of 1720	2024	star.exe	30
PID 2024 wrote to memory of 1720	2024	star.exe	30
PID 2024 wrote to memory of 1720	2024	star.exe	30
PID 2024 wrote to memory of 1720	2024	star.exe	30
PID 2024 wrote to memory of 1720	2024	star.exe	30

C:\Users\Admin\AppData\Local\Temp\star.exe
"C:\Users\Admin\AppData\Local\Temp\star.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFC2B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:360
- C:\Users\Admin\AppData\Local\Temp\star.exe
  "{path}"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFC2B.tmp

Filesize
1KB

MD5
bb910ae88dc840ba6e45389ffe6c6196

SHA1
640c0e3a1e918c12255a51f16ab6bb5ece1e85a6

SHA256
68be26cec28d3e64f867678c40994352ad27b2e92c0c7db9fdaf068b290541ee

SHA512
e6b95310c5b3ad7553e9992ade23934e4ed128959702ca39b9c27cf5408517e1b2ca336a2823323aaf841ca04a793030cbd60af6d40ec15f728981c9bf840fb1

Download Submit
C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

Filesize
360KB

MD5
fa868fc4daf634666da8599c54f99ac4

SHA1
38ea9059537016e72e431e7c70eab4dce2e245e0

SHA256
aa0166ba48688fe1acc9152a42a2fbdf023c15a3485118892ed51dbe9a97cd88

SHA512
fb0d3f8c8cee69801c0f080c1a10f057b6ae7719cad68ee74d9bcd0d4991060d935b858e2b27675906a85df018d73af67a4bfc841e4067233cb3e7daf760a24d

Download Submit
memory/1720-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1720-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1720-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1720-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1720-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2024-58-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/2024-57-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/2024-56-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download
memory/2024-54-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2024-55-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads