globeimposter | 03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-08-2022 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe
Size

369KB
MD5

9913416c1e459d6aa98f851e4072aa3e
SHA1

17b4bb3ca5b2484d69a3bfb2b235d8e0eafebbae
SHA256

03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8
SHA512

bf1daf7445760fb36c7cd128d05920c53d5da95d52e8f68591b1b03b60ab4e1eda44346e166d18898d12d6f0a5e54ce2754f0e6781bab6f472b8dfa0b33a269c
SSDEEP

3072:fjzXnwdjWXxTi+VnFEeLIehTjRwfq7oKDPAa50wPU6j6/nI3nR:fjzA6xT3EeMCTjRwfqUKDPt5xe/nWnR

Score

10^/10

globeimposter persistence ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ Your ID ��B9 B4 91 A4 4C 63 AA 06 70 F8 1D 71 D2 FD 69 73 97 31 A6 FB FF D7 2F 6F E1 39 59 00 CB AB 1C 27 D0 24 C3 E5 02 05 91 C3 9F 1E B2 56 4E EA 61 7D EA 65 3F 89 E9 27 7A 02 80 37 4F 74 CE C5 CE 8D 91 EA C5 A3 AE 00 26 24 49 1D BC 90 14 0C FA FD D4 6E 5B E3 3A 3F CF 02 11 78 59 76 1F 34 7C 35 D5 29 46 53 55 BE FA B3 14 4E 14 87 58 C2 ED B1 EB 71 1C AB 36 FF C1 12 84 1D E6 F7 49 FE A3 74 20 04 35 2B 05 7F 77 49 DB A6 3C 4C 8B A5 29 5E 02 0E B4 67 A5 39 C3 F2 6F 1D B3 C8 A2 88 4E 41 66 83 E5 5E D3 92 C9 BF 03 34 42 69 1E 95 5A 95 A9 50 89 99 E9 BA A9 0A 0F A5 D4 4C 79 01 A8 21 0D 02 6C 86 80 64 90 38 16 49 9E E3 3B 63 0B 51 BD 34 5A 3E DC 24 9B D9 B4 40 94 F4 7C 13 43 F8 A8 30 B9 4A 35 8D 36 21 22 BD 05 64 AA D9 A3 03 F1 AE FA D5 BD 30 2B 71 B4 DF 2B C0 72 84 92 35

URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

vbc.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\SelectNew.tiff	vbc.exe
File renamed	C:\Users\Admin\Pictures\SelectNew.tiff => C:\Users\Admin\Pictures\SelectNew.tiff.r2u	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\SplitEnable.tiff	vbc.exe
File renamed	C:\Users\Admin\Pictures\SplitEnable.tiff => C:\Users\Admin\Pictures\SplitEnable.tiff.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\SuspendConnect.tif => C:\Users\Admin\Pictures\SuspendConnect.tif.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\DenyInstall.tif => C:\Users\Admin\Pictures\DenyInstall.tif.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\EditConfirm.crw => C:\Users\Admin\Pictures\EditConfirm.crw.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\FindRename.png => C:\Users\Admin\Pictures\FindRename.png.r2u	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\vbc.exe"	vbc.exe

Drops desktop.ini file(s) 36 IoCs

Processes:

vbc.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	vbc.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	vbc.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	vbc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	vbc.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	vbc.exe
File opened for modification	C:\Program Files\desktop.ini	vbc.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	vbc.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe

description	pid	Process	procid_target
PID 1544 set thread context of 904	1544	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	27

Drops file in Program Files directory 64 IoCs

Processes:

vbc.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\Microsoft.Synchronization.dll	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PPKLite.api	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGNL.ICO	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR34F.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00828_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00913_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00555_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153313.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\background.gif	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183168.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00242_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14655_.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205466.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0293832.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PG_INDEX.XML	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ORG97.SAM	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7FR.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTS.ICO	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DESKSAM.SAM	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01242_.WMF	vbc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Merida	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18228_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152694.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTEAR.DPV	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RES98.POC	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_OFF.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD20013_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107712.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JNGLE_01.MID	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP	vbc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo	vbc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Foundry.thmx	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086384.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187835.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Sign.xsn	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00403_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.JP.XML	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLINTL32.DLL.IDX_DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00941_.WMF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\IPOLKINTL.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR10F.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS	vbc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_fr.dll	vbc.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QRYINT32.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02127_.WMF	vbc.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui	vbc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hovd	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CERTINTL.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21448_.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14832_.GIF	vbc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02252_.WMF	vbc.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

vbc.exe

pid	Process
904	vbc.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe

description	pid	Process	procid_target
PID 1544 wrote to memory of 904	1544	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	27
PID 1544 wrote to memory of 904	1544	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	27
PID 1544 wrote to memory of 904	1544	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	27
PID 1544 wrote to memory of 904	1544	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	27
PID 1544 wrote to memory of 904	1544	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	27
PID 1544 wrote to memory of 904	1544	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	27
PID 1544 wrote to memory of 904	1544	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	27

C:\Users\Admin\AppData\Local\Temp\03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe
"C:\Users\Admin\AppData\Local\Temp\03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: RenamesItself
  PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-55-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/904-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/904-58-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/904-59-0x0000000000409F20-mapping.dmp

Download
memory/904-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/904-61-0x0000000075D31000-0x0000000075D33000-memory.dmp

Filesize
8KB

Download
memory/904-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1544-54-0x0000000001000000-0x0000000001062000-memory.dmp

Filesize
392KB

Download