General

  • Target

    1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393

  • Size

    72KB

  • Sample

    220825-ldcqcsbge9

  • MD5

    0a394ea5a6a326d2b8a0f7d6ba4bbd82

  • SHA1

    c1e1ad4bab9727d1ff3a0788c51edc223f53f097

  • SHA256

    1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393

  • SHA512

    f7388719ada155e354434b57b438e20c23db44ddf3cf1b4552715d371aec3c5f834992c08eca63b58051472a92996b4d2bb51b1fa5a7671f6c33c731c20bb902

  • SSDEEP

    768:7BcNSpIMgsDi8giO5KLC8MkGPXsADPGL69QKN/ZfdV1+nAZjEMzsyy:Fc4IuDdgN5TkGP8A7EUnhV+nAZjE4a

Malware Config

Extracted

Path

C:\readme.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
Your ID

URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Targets

    • Target

      1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393

    • Size

      72KB

    • MD5

      0a394ea5a6a326d2b8a0f7d6ba4bbd82

    • SHA1

      c1e1ad4bab9727d1ff3a0788c51edc223f53f097

    • SHA256

      1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393

    • SHA512

      f7388719ada155e354434b57b438e20c23db44ddf3cf1b4552715d371aec3c5f834992c08eca63b58051472a92996b4d2bb51b1fa5a7671f6c33c731c20bb902

    • SSDEEP

      768:7BcNSpIMgsDi8giO5KLC8MkGPXsADPGL69QKN/ZfdV1+nAZjEMzsyy:Fc4IuDdgN5TkGP8A7EUnhV+nAZjE4a

    • GlobeImposter

      GlobeImposter is a ransomware family first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext
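
Hunt helper for the indicators above, added here as an example and not code from the report or from the sample itself. It walks a directory tree, flags any file whose SHA256 equals the sample hash, and flags ransom notes whose text matches the GlobeImposter note template, pulling out the .onion host and the per-victim query token. Assumptions: the note is named readme.txt (taken from the extracted path C:\readme.txt), the onion regex is a generic v2/v3 hostname match, and the demo note and directory layout are constructed from the report's template, with a placeholder where the victim ID would be.

```python
"""Hunt helper built from the indicators in the report above.

Added example, not code from the report or from the malware: it walks a
directory tree, flags any file whose SHA256 equals the sample's hash, and
flags ransom notes whose text matches the GlobeImposter note template,
extracting the .onion URL and the per-victim query token. The demo note
is constructed from the report's template; the "readme.txt" filename
assumption comes from the extracted path C:\\readme.txt.
"""
import hashlib
import os
import re
import tempfile

SAMPLE_SHA256 = "1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393"
NOTE_FILENAMES = {"readme.txt"}                 # assumption: from C:\readme.txt
NOTE_MARKER = "All your files are Encrypted!"   # first line of the note template
# Generic onion hostname match: v3 is 56 base32 chars, v2 was 16.
ONION_RE = re.compile(r"https?://([a-z2-7]{16,56}\.onion)(/\S*)?", re.I)

# Constructed demo note, built from the report's template (ID is a placeholder).
CONSTRUCTED_NOTE = (
    "All your files are Encrypted! For data recovery needs decryptor. "
    "How to buy decryptor: "
    "| 1. Download Tor browser - https://www.torproject.org/ and install it. "
    "| 2. Open link in TOR browser - "
    "http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV "
    "| 3. Create Ticket "
    "Note! This link is available via Tor Browser only. "
    "Your ID <placeholder>"
)


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files never load whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_ransom_note(text):
    """Return onion host, URL and token if text matches the note template, else None."""
    if NOTE_MARKER not in text:
        return None
    m = ONION_RE.search(text)
    if not m:
        return {"onion_host": None, "url": None, "token": None}
    url = m.group(0).rstrip(".,;)")
    token = url.split("?", 1)[1] if "?" in url else None
    return {"onion_host": m.group(1).lower(), "url": url, "token": token}


def scan_tree(root):
    """Walk root and collect sample-hash hits and ransom-note hits."""
    hits = {"sample_hashes": [], "ransom_notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if sha256_of(path) == SAMPLE_SHA256:
                    hits["sample_hashes"].append(path)
                if name.lower() in NOTE_FILENAMES:
                    with open(path, encoding="utf-8", errors="replace") as f:
                        parsed = parse_ransom_note(f.read())
                    if parsed:
                        hits["ransom_notes"].append({"path": path, **parsed})
            except OSError:
                continue  # locked or vanished file; keep scanning
    return hits


def build_demo_tree():
    """Constructed layout: a note at the root, a benign readme.txt, one random binary."""
    root = tempfile.mkdtemp(prefix="gi_demo_")
    docs = os.path.join(root, "Users", "victim", "Documents")
    os.makedirs(docs)
    with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as f:
        f.write(CONSTRUCTED_NOTE)
    with open(os.path.join(docs, "readme.txt"), "w", encoding="utf-8") as f:
        f.write("Project notes, nothing to see here.\n")
    with open(os.path.join(docs, "report.docx"), "wb") as f:
        f.write(os.urandom(64))
    return root


def demo_hits():
    """Scan the constructed tree; used by the stand-alone run below."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    result = demo_hits()
    for note in result["ransom_notes"]:
        print("ransom note:", note["path"], "->", note["onion_host"], note["token"])
    print("sample hash hits:", result["sample_hashes"])
```

The onion host alone is the durable indicator; the query token after `?` is the per-victim tracking value from this note and will differ between infections, so match on the host when writing detections and log the token for victim correlation.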

MITRE ATT&CK Enterprise v6

Tasks