General

  • Target

    03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8

  • Size

    369KB

  • Sample

    220829-l5y3nsfebn

  • MD5

    9913416c1e459d6aa98f851e4072aa3e

  • SHA1

    17b4bb3ca5b2484d69a3bfb2b235d8e0eafebbae

  • SHA256

    03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8

  • SHA512

    bf1daf7445760fb36c7cd128d05920c53d5da95d52e8f68591b1b03b60ab4e1eda44346e166d18898d12d6f0a5e54ce2754f0e6781bab6f472b8dfa0b33a269c

  • SSDEEP

    3072:fjzXnwdjWXxTi+VnFEeLIehTjRwfq7oKDPAa50wPU6j6/nI3nR:fjzA6xT3EeMCTjRwfqUKDPt5xe/nWnR

Malware Config

Extracted

Path

C:\readme.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor:

1. Download Tor browser - https://www.torproject.org/ and install it.
2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV
3. Create Ticket

Note! This link is available via Tor Browser only.

Your ID
URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Targets

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks