globeimposter | 35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2022 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe
Size

170KB
MD5

c6b7bfd71bd9266d2f6a7765d792e8f5
SHA1

cfecd233b084e49d66ac63943e7370bdcb3afdef
SHA256

35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef
SHA512

0b0bba5bb84de2be5f983438ff05fdef4d66aff7302045858254a50b8e75fdd1329a9edd90ad463b0a94087c84f7fd93ac96bb8a688b6f159d5c2e5e845298a0
SSDEEP

1536:J7kSVXrB7T0hoAOwC6NXFZcRGOgaRFOvA+v/T3YpKuz:9z1/0POX6NvPaRFOlv/k

Score

10^/10

globeimposter persistence ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ Your ID ��71 DA F2 65 19 8C 82 DC BD F0 53 B2 E1 A0 82 E3 EE 01 F9 2E D0 99 ED 73 DD D4 D8 00 D6 CE DA 18 39 CC AA 60 2B AB E2 30 B1 CF 29 52 82 EC 55 65 EC BE 7F 46 11 8F D1 C0 2A BF 6A EB 52 6D 31 F2 25 7F 3B 6E 4F 8E C6 9A 49 1A DE 54 9D 7B 68 CA 36 3F CE DF B8 B6 9F 1D B7 3A 40 05 1A A3 AB DF E0 71 FA 0E 91 E2 26 B4 FB 40 DA D8 88 2B 1D 01 01 6F 29 B4 D6 5C 44 DE 55 39 D6 10 A8 6D 39 62 F3 66 B5 58 E2 B0 5F 20 1E 30 87 AC 87 21 90 15 D4 BD 7C 2B 6E B4 29 7C C7 4F 44 81 8F A6 4C DD 18 BB DD 52 0B BC E9 4E 76 2B 91 2D CA E8 E7 01 0E A3 03 8B BA ED 36 30 EF 0F 80 DC 66 17 D6 18 19 56 8E 6F 33 9F D7 88 4F 9B 78 AF 0F 5E 67 7F E0 82 14 62 EB 5E 57 35 FA 19 22 A8 81 DD E1 97 2D E3 62 F4 56 84 DB 5C 9D C8 A5 69 F3 91 0C 22 43 34 04 AC 53 A8 3B 75 25 D6 73 13 17 2B 00 AD

URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\SearchMount.tiff	vbc.exe
File renamed	C:\Users\Admin\Pictures\SearchMount.tiff => C:\Users\Admin\Pictures\SearchMount.tiff.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\StepResize.crw => C:\Users\Admin\Pictures\StepResize.crw.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\UninstallPing.tif => C:\Users\Admin\Pictures\UninstallPing.tif.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\ReceiveUpdate.crw => C:\Users\Admin\Pictures\ReceiveUpdate.crw.r2u	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\vbc.exe"	vbc.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3988 set thread context of 2968	3988	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	83

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main-selector.css	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ar_get.svg	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-tw_get.svg	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\readme.txt	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_ru_135x40.svg	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-si\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\DirectInk.dll	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ko_135x40.svg	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_mr.dll	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\it-it\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-no-text.gif	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr.gif	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\selector.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ko_get.svg	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\readme.txt	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\readme.txt	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\PlayStore_icon.svg	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close-2.svg	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\WelcomeCardRdr-2x.png	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons_ie8.gif	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\ui-strings.js	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\readme.txt	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main-selector.css	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\AppStore_icon.svg	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-BoldIt.otf	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\ui-strings.js	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fi_135x40.svg	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hr-hr\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fr_get.svg	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons_retina.png	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nl-nl\ui-strings.js	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\ui-strings.js	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\readme.txt	vbc.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2968	vbc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 2968	3988	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	83
PID 3988 wrote to memory of 2968	3988	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	83
PID 3988 wrote to memory of 2968	3988	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	83
PID 3988 wrote to memory of 2968	3988	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	83
PID 3988 wrote to memory of 2968	3988	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	83
PID 3988 wrote to memory of 2968	3988	35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe	83

C:\Users\Admin\AppData\Local\Temp\35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe
"C:\Users\Admin\AppData\Local\Temp\35fc2092e400f3e94384de93ca5f4293f1bc6607a76b20d4702c0372eea132ef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: RenamesItself
  PID:2968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2968-134-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2968-136-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2968-137-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3988-132-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download