globeimposter | 5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656

General

Target

5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
Size

182KB
MD5

24d15acb44fbd11df27da3d21facddbf
SHA1

4b44fa8494ae5d364f65bad738d24086ec0fc9df
SHA256

5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656
SHA512

59b931faca67e3d1ecc6366ca0636bcd9988d7d09b731a58dacb683b0e96e62d665770e01ccabbb33bad5907517090a6e4aa6d583892f8378164e182589e20b9

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\JoinPush.raw => C:\Users\Admin\Pictures\JoinPush.raw..doc	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Pictures\MovePing.tiff	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File renamed	C:\Users\Admin\Pictures\MovePing.tiff => C:\Users\Admin\Pictures\MovePing.tiff..doc	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File renamed	C:\Users\Admin\Pictures\SetConvertTo.raw => C:\Users\Admin\Pictures\SetConvertTo.raw..doc	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe"	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Public\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
224	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
224	5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe

C:\Users\Admin\AppData\Local\Temp\5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe
"C:\Users\Admin\AppData\Local\Temp\5ce524f15b8af68710ce37d50369cd98f02af2a9686d8c8354ae8bcd012ac656.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
PID:224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/224-130-0x000000000077E000-0x0000000000787000-memory.dmp

Filesize
36KB

Download
memory/224-131-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/224-132-0x000000000077E000-0x0000000000787000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing