General

  • Target

    35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef

  • Size

    170KB

  • Sample

    220825-ld3xjsbgf4

  • MD5

    c6b7bfd71bd9266d2f6a7765d792e8f5

  • SHA1

    cfecd233b084e49d66ac63943e7370bdcb3afdef

  • SHA256

    35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef

  • SHA512

    0b0bba5bb84de2be5f983438ff05fdef4d66aff7302045858254a50b8e75fdd1329a9edd90ad463b0a94087c84f7fd93ac96bb8a688b6f159d5c2e5e845298a0

  • SSDEEP

    1536:J7kSVXrB7T0hoAOwC6NXFZcRGOgaRFOvA+v/T3YpKuz:9z1/0POX6NvPaRFOlv/k

Malware Config

Extracted

Path

C:\readme.txt

Family

globeimposter

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
Your ID
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Targets

    • Target

      35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef

    • Size

      170KB

    • MD5

      c6b7bfd71bd9266d2f6a7765d792e8f5

    • SHA1

      cfecd233b084e49d66ac63943e7370bdcb3afdef

    • SHA256

      35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef

    • SHA512

      0b0bba5bb84de2be5f983438ff05fdef4d66aff7302045858254a50b8e75fdd1329a9edd90ad463b0a94087c84f7fd93ac96bb8a688b6f159d5c2e5e845298a0

    • SSDEEP

      1536:J7kSVXrB7T0hoAOwC6NXFZcRGOgaRFOvA+v/T3YpKuz:9z1/0POX6NvPaRFOlv/k

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks