globeimposter | 03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8

Analysis

max time kernel
151s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2022 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe
Size

369KB
MD5

9913416c1e459d6aa98f851e4072aa3e
SHA1

17b4bb3ca5b2484d69a3bfb2b235d8e0eafebbae
SHA256

03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8
SHA512

bf1daf7445760fb36c7cd128d05920c53d5da95d52e8f68591b1b03b60ab4e1eda44346e166d18898d12d6f0a5e54ce2754f0e6781bab6f472b8dfa0b33a269c
SSDEEP

3072:fjzXnwdjWXxTi+VnFEeLIehTjRwfq7oKDPAa50wPU6j6/nI3nR:fjzA6xT3EeMCTjRwfqUKDPt5xe/nWnR

Score

10^/10

globeimposter persistence ransomware

Malware Config

Extracted

Path

C:\readme.txt

Family

globeimposter

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ Your ID ��9C C9 CF 0D B7 17 3E 30 9E 55 84 C6 2C DC 24 3C 73 D8 AE 1D 24 10 BC 17 46 44 BC E4 57 CB B1 1F 37 0C A4 50 56 98 50 C6 A2 FB 49 75 70 08 FC EB AC 82 AD E0 06 D3 6C 45 41 46 AA 94 C1 F6 37 FE 38 E0 7D EB B1 41 E5 24 D5 77 3B 4A DB 59 FC FD AB 3C F6 CF 55 93 01 02 F7 01 51 0C 8A 9D F0 59 B0 1A C7 13 FA DB 27 82 BA 10 10 5F 62 B7 86 AC 2E 21 F1 08 A1 56 64 DF 78 83 63 C1 91 C2 2B 67 D3 AD 58 57 F1 DB EE 09 A5 EA EF 1D 79 05 B5 C6 E2 76 E9 E4 1E B3 6C 87 B6 7A 12 77 E2 38 15 E8 F3 10 20 B5 9A FA 0D BE 6E 0E 6D 94 B9 AA 66 28 4C B8 E1 A6 AA 61 9E 19 2C 38 F8 16 33 43 61 EC 66 95 60 D9 5F A5 21 D5 44 C8 7E BD 7A E1 94 A7 AA 5F 72 5A E9 16 C0 95 48 E2 1D 2D AD 92 E2 7C 68 0B 86 BD 40 72 93 2E 4B 2D C7 6C EC 50 4A 2E 96 3F 0F 61 C3 C6 E9 A2 92 F3 AC 62 70 CD 27 9F

URLs

http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST4HYJUHGFV

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

vbc.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\AddHide.png => C:\Users\Admin\Pictures\AddHide.png.r2u	vbc.exe
File renamed	C:\Users\Admin\Pictures\GetUse.tif => C:\Users\Admin\Pictures\GetUse.tif.r2u	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\vbc.exe"	vbc.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

vbc.exe

description	ioc	Process
File opened for modification	C:\Users\Public\Downloads\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	vbc.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	vbc.exe
File opened for modification	C:\Program Files\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	vbc.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	vbc.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe

description	pid	Process	procid_target
PID 708 set thread context of 4392	708	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	83

Drops file in Program Files directory 64 IoCs

Processes:

vbc.exe

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Glasses.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\20.png	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CSIRESOURCES.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css	vbc.exe
File opened for modification	C:\Program Files\ReadResume.dll	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-100.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Wood.jpg	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\powerpivot.x-none.msi.16.x-none.vreg.dat	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LargeTile.scale-125_contrast-white.png	vbc.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\readme.txt	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-200_contrast-black.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\MedTile.scale-100.png	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\framework-dev.js	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nothumbnail_34.svg	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\SmallTile.scale-100_contrast-black.png	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.dll	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-60_contrast-black.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FetchingMail.scale-100.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-black.png	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SmallTile.scale-125_contrast-black.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125_contrast-white.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-100.png	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSF.DLL	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\ui-strings.js	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\readme.txt	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-400.png	vbc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\AppStore_icon.svg	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-100.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunchdlg.html	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\javascript_poster.jpg	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VRecMDL2.ttf	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalSplashScreen.scale-200_contrast-black.png	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\readme.txt	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-200.png	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.boot.tree.dat	vbc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\readme.txt	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-36_altform-unplated.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated_contrast-white.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-heap-l1-1-0.dll	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-16_altform-unplated.png	vbc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageLargeTile.scale-125_contrast-white.png	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\ui-strings.js	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons.png	vbc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reject_18.svg	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll	vbc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png	vbc.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

vbc.exe

pid	Process
4392	vbc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe

description	pid	Process	procid_target
PID 708 wrote to memory of 4392	708	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	83
PID 708 wrote to memory of 4392	708	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	83
PID 708 wrote to memory of 4392	708	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	83
PID 708 wrote to memory of 4392	708	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	83
PID 708 wrote to memory of 4392	708	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	83
PID 708 wrote to memory of 4392	708	03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe	83

C:\Users\Admin\AppData\Local\Temp\03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe
"C:\Users\Admin\AppData\Local\Temp\03221c14baf01f212678ab40bce0bda4d4d1707f7978dca4fff2c1cc77da16a8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: RenamesItself
  PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/708-132-0x0000000000A60000-0x0000000000AC2000-memory.dmp

Filesize
392KB

Download
memory/4392-133-0x0000000000000000-mapping.dmp

Download
memory/4392-134-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4392-136-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4392-137-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download