globeimposter | 35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef

Analysis

max time kernel
150s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-08-2022 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe
Size

170KB
MD5

c6b7bfd71bd9266d2f6a7765d792e8f5
SHA1

cfecd233b084e49d66ac63943e7370bdcb3afdef
SHA256

35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef
SHA512

0b0bba5bb84de2be5f983438ff05fdef4d66aff7302045858254a50b8e75fdd1329a9edd90ad463b0a94087c84f7fd93ac96bb8a688b6f159d5c2e5e845298a0
SSDEEP

1536:J7kSVXrB7T0hoAOwC6NXFZcRGOgaRFOvA+v/T3YpKuz:9z1/0POX6NvPaRFOlv/k

Score

10^/10

globeimposter persistence ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ Your ID ��0D 9A 32 19 EF 2F 76 9E 67 E1 CC A9 70 06 A8 D4 29 9D 98 43 19 38 40 46 72 0A 93 02 63 D8 82 DA 8F 89 23 79 29 06 83 51 EF 4D DA E1 73 80 78 3C C5 D2 28 C7 FC 4C B1 5B 1E 5A F8 B6 1C 69 D6 44 FA 6C FB 43 17 53 D7 88 BB 65 5E D7 8F BF 53 9A 58 D0 DA 6E 51 B5 A6 19 0E BF F6 D4 23 6E 60 5D 18 DB 8D 17 E9 EB D0 3F CE 9D 81 43 56 39 8D 94 7A B2 E1 DA 1F 82 98 CA B1 26 B7 7A FB 8D 4F 7B 1C FF 40 96 30 DE 63 41 8D D2 B0 83 82 12 DF 5B EF 9A 89 1F 7C 40 96 7B EF 93 13 65 D7 43 D6 96 5F 12 4F C0 09 8F CB 53 45 C7 06 CC AA AE D9 46 9A B0 42 BD C1 CD F0 74 B5 44 55 DA 73 A6 59 60 EB F5 FC B5 7E 71 74 73 6C 0A 32 D9 4A 1F 5A E9 F8 A8 69 03 11 F4 CB 25 2D 7B A8 52 7C 3B 93 67 66 47 DB 2A 3E CF 05 7A 21 6C E0 72 1E C5 29 03 A4 E3 3D 8A A7 5D 4E 4D CD 05 02 22 3B 5D F0 51

URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\OpenSuspend.crw => C:\Users\Admin\Pictures\OpenSuspend.crw.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\RestartPing.png => C:\Users\Admin\Pictures\RestartPing.png.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\StartEnable.tif => C:\Users\Admin\Pictures\StartEnable.tif.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\SubmitRedo.png => C:\Users\Admin\Pictures\SubmitRedo.png.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\ConfirmBackup.tif => C:\Users\Admin\Pictures\ConfirmBackup.tif.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\ExitLock.raw => C:\Users\Admin\Pictures\ExitLock.raw.r2u	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\GrantRequest.tiff	vbc.exe
File renamed	C:\Users\Admin\Pictures\GrantRequest.tiff => C:\Users\Admin\Pictures\GrantRequest.tiff.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\OpenWatch.crw => C:\Users\Admin\Pictures\OpenWatch.crw.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\TraceBackup.png => C:\Users\Admin\Pictures\TraceBackup.png.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromStop.raw => C:\Users\Admin\Pictures\ConvertFromStop.raw.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\DenyUnpublish.raw => C:\Users\Admin\Pictures\DenyUnpublish.raw.r2u	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\vbc.exe"	vbc.exe

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\desktop.ini	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1884 set thread context of 1020	1884	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	27

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\MMHMM.WAV	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTL.ICO	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Right.accdt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OMSMAIN.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.DPV	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.ICO	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTOC.DPV	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL092.XML	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left_over.gif	vbc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBHD.DPV	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OFFOWC.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnWD.dll	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Office Word 2003 Look.dotx	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ProjectStatusReport.potx	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanMergeLetter.Dotx	vbc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Projects.accdt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_ON.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RCLRPT.CFG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Tags.accft	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGNL.ICO	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TAG.XSL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INTLDATE.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLPH.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\LightSpirit.css	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC	vbc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ASCIIENG.LNG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.DPV	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RELAY.CER	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHDHM.POC	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLTASKR.FAE	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS9CRNRH.POC	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.TH.XML	vbc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FRENCH.LNG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DLGSETP.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left_disable.gif	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif	vbc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZFORM.DPV	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RSPMECH.POC	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.JS	vbc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1020	vbc.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1020	1884	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	27
PID 1884 wrote to memory of 1020	1884	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	27
PID 1884 wrote to memory of 1020	1884	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	27
PID 1884 wrote to memory of 1020	1884	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	27
PID 1884 wrote to memory of 1020	1884	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	27
PID 1884 wrote to memory of 1020	1884	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	27
PID 1884 wrote to memory of 1020	1884	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	27

C:\Users\Admin\AppData\Local\Temp\35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe
"C:\Users\Admin\AppData\Local\Temp\35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: RenamesItself
  PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1020-55-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1020-58-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1020-61-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1020-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1020-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1884-54-0x0000000000150000-0x0000000000180000-memory.dmp

Filesize
192KB

Download