globeimposter | 3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5

General

Target

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
Size

230KB
MD5

9734cd0bc2ffc92b17ffa2dccaaedab1
SHA1

c2c851d95135f86884cc99917503973c17995518
SHA256

3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5
SHA512

38b6391db917c6aa3ad2d834fd366d1b3874ee188fd0c7bb6ef96541d35325fea9e916fd64e822188d3ab4bbce9efaf844633c61a28833ecb7ca5ba211df0ccb

Score

10^/10

globeimposter lockbit persistence ransomware

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��02 84 3E B3 C3 94 74 B6 A1 51 CF 5F C1 D5 65 58 0B 63 7A 9E B5 39 02 0E 46 93 26 3D 85 4F 48 E2 A6 50 A7 6F F0 00 9A 21 70 13 CE F9 27 DB A5 FC E4 99 16 A6 41 54 27 9B D8 73 3D BB 19 5B C5 29 A1 70 FE 28 36 4D 6F EB 72 84 53 85 7F 3C 39 53 5C AE E0 41 55 5E 9B CF 27 FE DB 76 E2 7C AA 5F 71 86 6C C6 53 AA A0 F3 DE CE EF B1 45 11 03 A2 77 62 2D 60 92 57 30 1B 25 6B DF 87 79 5B 30 16 52 86 5D A2 2E B6 54 3E 9C 7F 16 EB BE 3B A9 34 07 BA 93 85 E8 CC 25 74 31 31 B0 83 E2 C5 AA 98 25 02 1A DF D9 16 9F 46 B7 D2 E8 36 95 CF F9 68 36 7A 7C A3 3A 4D 26 DE 64 6A 35 F0 7E F3 60 A6 A5 81 3C 6A 41 4E D1 B5 74 37 0D EF EA 8B A1 4E 64 16 94 FF 01 F0 84 FF 2F 99 AD 60 DC DA CF 3E BB B7 2C F1 DB 04 5D 16 C3 A2 F2 58 D5 B4 CB BB C4 42 B5 03 31 C7 13 D4 D2 02 23 87 4B D5 30 B7 ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Executes dropped EXE 2 IoCs

pid	Process
3716	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
1272	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConfirmMerge.tiff	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File renamed	C:\Users\Admin\Pictures\ConfirmMerge.tiff => C:\Users\Admin\Pictures\ConfirmMerge.tiff.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Pictures\MoveBackup.tiff	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File renamed	C:\Users\Admin\Pictures\MoveBackup.tiff => C:\Users\Admin\Pictures\MoveBackup.tiff.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File renamed	C:\Users\Admin\Pictures\PopAssert.tif => C:\Users\Admin\Pictures\PopAssert.tif.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File renamed	C:\Users\Admin\Pictures\SubmitRevoke.crw => C:\Users\Admin\Pictures\SubmitRevoke.crw.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Pictures\AssertSet.tiff	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File renamed	C:\Users\Admin\Pictures\AssertSet.tiff => C:\Users\Admin\Pictures\AssertSet.tiff.DOCM	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe"	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3004 set thread context of 1272	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe\:Zone.Identifier:$DATA	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1436	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	88
PID 3004 wrote to memory of 1436	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	88
PID 3004 wrote to memory of 1436	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	88
PID 3004 wrote to memory of 5004	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	91
PID 3004 wrote to memory of 5004	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	91
PID 3004 wrote to memory of 5004	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	91
PID 3004 wrote to memory of 3716	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	93
PID 3004 wrote to memory of 3716	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	93
PID 3004 wrote to memory of 3716	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	93
PID 3004 wrote to memory of 1272	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	94
PID 3004 wrote to memory of 1272	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	94
PID 3004 wrote to memory of 1272	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	94
PID 3004 wrote to memory of 1272	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	94
PID 3004 wrote to memory of 1272	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	94
PID 3004 wrote to memory of 1272	3004	3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe	94

C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
"C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:1436
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe:Zone.Identifier"
  2⤵
  - NTFS ADS
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
  "C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe"
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe
  "C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - NTFS ADS
  PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Filesize
230KB

MD5
9734cd0bc2ffc92b17ffa2dccaaedab1

SHA1
c2c851d95135f86884cc99917503973c17995518

SHA256
3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5

SHA512
38b6391db917c6aa3ad2d834fd366d1b3874ee188fd0c7bb6ef96541d35325fea9e916fd64e822188d3ab4bbce9efaf844633c61a28833ecb7ca5ba211df0ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5.exe

Filesize
230KB

MD5
9734cd0bc2ffc92b17ffa2dccaaedab1

SHA1
c2c851d95135f86884cc99917503973c17995518

SHA256
3d24fdfe25be5439de389d46c00ef6bcdd7bed50a85c573c489b5f12c506b8b5

SHA512
38b6391db917c6aa3ad2d834fd366d1b3874ee188fd0c7bb6ef96541d35325fea9e916fd64e822188d3ab4bbce9efaf844633c61a28833ecb7ca5ba211df0ccb

Download Submit
memory/1272-147-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1272-146-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1272-145-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1272-142-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3004-134-0x0000000005E50000-0x0000000006012000-memory.dmp

Filesize
1.8MB

Download
memory/3004-138-0x0000000006510000-0x00000000065AC000-memory.dmp

Filesize
624KB

Download
memory/3004-137-0x0000000005D80000-0x0000000005E12000-memory.dmp

Filesize
584KB

Download
memory/3004-135-0x00000000065D0000-0x0000000006B74000-memory.dmp

Filesize
5.6MB

Download
memory/3004-130-0x0000000000900000-0x0000000000940000-memory.dmp

Filesize
256KB

Download
memory/3004-132-0x0000000005390000-0x00000000053F6000-memory.dmp

Filesize
408KB

Download
memory/3004-131-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing