globeimposter | 3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5

General

Target

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
Size

230KB
MD5

9734cd0bc2ffc92b17ffa2dccaaedab1
SHA1

c2c851d95135f86884cc99917503973c17995518
SHA256

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5
SHA512

38b6391db917c6aa3ad2d834fd366d1b3874ee188fd0c7bb6ef96541d35325fea9e916fd64e822188d3ab4bbce9efaf844633c61a28833ecb7ca5ba211df0ccb

Score

10^/10

globeimposter lockbit persistence ransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��90 1E 31 EE FE F4 9C 9D 37 E8 7E DA 09 5F D2 68 BB 75 38 BC E9 96 BD E4 A7 B3 70 5F F0 0E 2C 3F 79 8F 7F 0E F8 DB 2A 4B 18 65 C4 64 D9 80 F1 13 69 66 51 6B 1C 5C A8 52 BD DB 47 99 7C 6E B1 5B 81 49 85 13 D9 30 E6 EC 0E F1 E7 DB 20 2D 30 60 5D 41 66 88 3C F6 EB 6D FE FF B8 42 49 ED 63 A0 4E A3 3C 22 BC BF 07 12 C7 2E 8D C9 A8 FA 36 A9 27 AE E0 8B 00 81 49 75 C6 F5 AF 78 DE 23 36 5E 4E 62 DF FD ED E3 F5 01 D0 41 27 C9 38 64 E2 80 B3 D2 A7 A7 FE 9A A6 22 7D 66 39 69 AC CF B7 FC 4E CD 14 FA 80 63 19 F5 2D FE 8E CA 7B 3B 02 B1 BD 96 24 21 AC 25 0A 86 B5 A6 56 1F E9 C9 35 E1 FF EF D8 8D 4A D7 07 9A BF 56 12 99 01 AE F7 A3 EB A5 BD 0A 7D 83 2E 27 6B 83 4F 87 A0 1F 16 5C AC 99 70 39 54 FE AA B7 28 D6 E6 74 17 C8 37 7C 7A 0B B6 28 92 59 27 79 5B 48 DA FE DA 7D 07 22 ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Executes dropped EXE 1 IoCs

Processes:

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

pid	Process
1464	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\InstallSend.png => C:\Users\Admin\Pictures\InstallSend.png.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Pictures\MergeOut.tiff	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File renamed	C:\Users\Admin\Pictures\MergeOut.tiff => C:\Users\Admin\Pictures\MergeOut.tiff.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File renamed	C:\Users\Admin\Pictures\ProtectLock.tif => C:\Users\Admin\Pictures\ProtectLock.tif.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File renamed	C:\Users\Admin\Pictures\ReceiveGroup.raw => C:\Users\Admin\Pictures\ReceiveGroup.raw.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File renamed	C:\Users\Admin\Pictures\RedoRepair.tif => C:\Users\Admin\Pictures\RedoRepair.tif.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File renamed	C:\Users\Admin\Pictures\StartReset.tif => C:\Users\Admin\Pictures\StartReset.tif.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Loads dropped DLL 1 IoCs

Processes:

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

pid	Process
972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe"	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Drops desktop.ini file(s) 22 IoCs

Processes:

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

description	pid	Process	procid_target
PID 972 set thread context of 1464	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

Processes:

cmd.execmd.exe3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe\:Zone.Identifier:$DATA	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

description	pid	Process
Token: SeDebugPrivilege	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

description	pid	Process	procid_target
PID 972 wrote to memory of 1752	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	27
PID 972 wrote to memory of 1752	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	27
PID 972 wrote to memory of 1752	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	27
PID 972 wrote to memory of 1752	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	27
PID 972 wrote to memory of 1756	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	29
PID 972 wrote to memory of 1756	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	29
PID 972 wrote to memory of 1756	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	29
PID 972 wrote to memory of 1756	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	29
PID 972 wrote to memory of 1464	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	31
PID 972 wrote to memory of 1464	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	31
PID 972 wrote to memory of 1464	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	31
PID 972 wrote to memory of 1464	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	31
PID 972 wrote to memory of 1464	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	31
PID 972 wrote to memory of 1464	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	31
PID 972 wrote to memory of 1464	972	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	31

C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
"C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
  "C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - NTFS ADS
  PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Filesize
230KB

MD5
9734cd0bc2ffc92b17ffa2dccaaedab1

SHA1
c2c851d95135f86884cc99917503973c17995518

SHA256
3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5

SHA512
38b6391db917c6aa3ad2d834fd366d1b3874ee188fd0c7bb6ef96541d35325fea9e916fd64e822188d3ab4bbce9efaf844633c61a28833ecb7ca5ba211df0ccb

Download Submit
\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Filesize
230KB

MD5
9734cd0bc2ffc92b17ffa2dccaaedab1

SHA1
c2c851d95135f86884cc99917503973c17995518

SHA256
3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5

SHA512
38b6391db917c6aa3ad2d834fd366d1b3874ee188fd0c7bb6ef96541d35325fea9e916fd64e822188d3ab4bbce9efaf844633c61a28833ecb7ca5ba211df0ccb

Download Submit
memory/972-58-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/972-56-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/972-54-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/972-55-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/972-60-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/972-61-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/1464-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1464-64-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1464-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1464-67-0x0000000000409F20-mapping.dmp

Download
memory/1464-71-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1464-72-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1752-57-0x0000000000000000-mapping.dmp

Download
memory/1756-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads