globeimposter | 5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2

General

Target

5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
Size

528KB
MD5

22dce5b7daed8cfb14aa9e8e7eed1d2f
SHA1

ad04ba678cdc09526804c6f2a6341b221c9ac73f
SHA256

5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2
SHA512

64cd8f6c65f31e8a6e7db7a9dbb892f36b553ccdf7f4327f06148fd93fc2e50228351b99318daf2512aa00d901791d1b3c997d291a17ade5eb2ffaf224069f09

Score

10^/10

globeimposter lockbit persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Restore-My-Files.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/ | 3. Follow the instructions on this page ---------------------------------------------------------------------------------------- Note! This link is available via "Tor Browser" only. ------------------------------------------------------------ Free decryption as guarantee. Before paying you can send us 1 file for free decryption. ------------------------------------------------------------ alternate address - http://helpinfh6vj47ift.onion/ DO NOT CHANGE DATA BELOW ###s6dlsnhtjwbhr###��83 C8 FD 37 E0 37 F5 96 AD E8 24 20 1F 8D C4 DE 9A 4A FA 95 02 D1 57 1F 66 90 FD 33 72 95 1B DD 7D 0E C7 D0 BE 74 1B C8 0A 15 88 4E 8D 3D 48 48 9C 08 1C 1A 67 F8 AB 64 A2 9B C7 A8 71 88 7B 33 0B 70 FB 6F F7 73 98 30 59 B9 92 EC 8C C5 B9 7D 7E 2A 7E 7E F4 E0 AB E0 B0 CC 98 50 14 D9 B0 B4 CB 3E 7D CA 18 55 3B F8 8E 40 20 E5 56 90 2D 89 05 DB A5 6A F2 8B 56 1B 9A 82 82 1E 30 84 5F 25 AA 2C EF 76 38 8C 98 42 96 2C 74 DA B7 F5 9B 58 7C 09 47 47 40 B2 C8 2A 20 52 EC 0A 83 31 25 5C E1 89 6C 87 38 A7 46 55 14 8A 35 90 A6 6D 43 B6 EC 90 F8 2B 8E 8B 5F 90 42 61 9B 6F 73 CC F9 EB D9 5A EE 45 65 24 3F A2 81 EF 14 96 6D BE D7 04 F3 8D 39 94 24 E3 12 2B 52 54 C6 F5 3B 7F D6 57 94 8E C9 3B 22 A4 55 D7 FE 82 4D AB 39 00 07 D6 08 DD 66 29 12 EB 54 26 0A 21 09 EB 71 95 E8 F0 ###��

URLs

http://decrmbgpvh6kvmti.onion/

http://helpinfh6vj47ift.onion/

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\PushClose.raw => C:\Users\Admin\Pictures\PushClose.raw.DOCM	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File renamed	C:\Users\Admin\Pictures\WaitOpen.png => C:\Users\Admin\Pictures\WaitOpen.png.DOCM	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe"	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Public\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2312 set thread context of 3412	2312	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe	80

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2312	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3412	2312	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe	80
PID 2312 wrote to memory of 3412	2312	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe	80
PID 2312 wrote to memory of 3412	2312	5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe	80

C:\Users\Admin\AppData\Local\Temp\5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
"C:\Users\Admin\AppData\Local\Temp\5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe
  C:\Users\Admin\AppData\Local\Temp\5cd02ef954d51126f01144c77a353c9362accc62c56a0292e5bb29e0a58901b2.exe"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  PID:3412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2312-136-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/2312-132-0x0000000002250000-0x0000000002257000-memory.dmp

Filesize
28KB

Download
memory/2312-134-0x0000000002250000-0x0000000002257000-memory.dmp

Filesize
28KB

Download
memory/2312-135-0x00007FF9E0D30000-0x00007FF9E0F25000-memory.dmp

Filesize
2.0MB

Download
memory/3412-138-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3412-137-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3412-139-0x00007FF9E0D30000-0x00007FF9E0F25000-memory.dmp

Filesize
2.0MB

Download
memory/3412-140-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/3412-141-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3412-142-0x0000000002090000-0x0000000002097000-memory.dmp

Filesize
28KB

Download
memory/3412-143-0x00007FF9E0D30000-0x00007FF9E0F25000-memory.dmp

Filesize
2.0MB

Download
memory/3412-144-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/3412-145-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing