Overview

overview

10

Static

static

24dbecb4c8...1a.exe

windows7-x64

10

24dbecb4c8...1a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-09-2022 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a.exe

  • Size

    412KB

  • MD5

    4aae92d39c5aca5fba29bf92cf6b84d2

  • SHA1

    f023ad70ebc5486f479c4f100fccb42e6c79909a

  • SHA256

    24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a

  • SHA512

    8e923140617910155b30821e50893f8b9bdbb97a1efc6cc18f4f7afb8d3a187662874f83963f345477ee9a769f29dc3670d350ac6d6e04468c8bc510acc289bd

  • SSDEEP

    12288:g7TtcP/wjj/SkZW7zy7nzo1NmN8a4jpxE/P:g7RcP/wvqkZNonmN8a4jpxK

Score
10/10
globeimposterevasionpersistenceransomwaretrojan

Malware Config

Extracted

Path

C:\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ���55 61 D5 6B FF 66 B7 16 6C 96 6E 41 7A F1 04 86 E7 3F 5C BE 5D 5C A4 3C B1 C1 BD 09 D8 46 92 06 4F AF D7 29 0E 73 5D 7F D4 2E 28 AD FD 7D C4 30 8B 62 04 68 F1 8A A2 CF 93 F8 D1 20 05 A6 B4 74 01 E7 A0 A6 5D 65 BD 64 B5 C0 29 05 4B 3D 26 B7 05 A8 37 C8 7F 81 62 37 F5 34 EB 11 1D B3 E5 BB 84 24 99 62 8B 3F DE A2 0F 82 40 E2 D2 7D DE A5 6C 60 C4 71 BE DB A3 01 FD A4 28 14 E2 0D CB C6 06 F6 64 DA DD 51 14 C0 91 E8 67 B5 62 9C 09 F5 F3 FF B0 E6 5F 08 B5 92 5F C6 69 06 83 60 EE 11 A5 CA 76 2C E0 FA F6 B1 13 96 71 47 07 60 52 54 25 72 5D 88 99 3F F2 F9 4E 3E 5B DF 86 5D CD 45 8F 32 85 B9 23 FB CF 9F 1D B9 19 20 F3 7E B4 F9 FF 08 C5 8F 3F 82 2B EF E1 8D BA C6 7E 92 E0 99 90 32 4A 3D C8 E6 82 47 25 12 5C 1E 0A 59 54 44 E0 0D 75 72 3A E7 1A 24 2B 6A 4A 5A B1 BE 15 76
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs 3 IoCs
    evasiontrojan
  • Nirsoft 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 28 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a.exe
    "C:\Users\Admin\AppData\Local\Temp\24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\䵄䵃䵆䵳䵉䵒䵆䵵䵆䵈䵈䵅䵳䵹䵲\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3364
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\䵄䵃䵆䵳䵉䵒䵆䵵䵆䵈䵈䵅䵳䵹䵲\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Users\Admin\AppData\Local\Temp\e27064c6-4ed7-407e-b0f8-2de8a718ccc7\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\e27064c6-4ed7-407e-b0f8-2de8a718ccc7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e27064c6-4ed7-407e-b0f8-2de8a718ccc7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Users\Admin\AppData\Local\Temp\e27064c6-4ed7-407e-b0f8-2de8a718ccc7\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\e27064c6-4ed7-407e-b0f8-2de8a718ccc7\AdvancedRun.exe" /SpecialRun 4101d8 832
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\24dbecb4c87b30914d6a2e9a56af89d6e01ac6f35c200cf139cdf120eb1e541a.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4276
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
      2⤵
        PID:3068
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
        2⤵
          PID:4384
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          2⤵
            PID:1928
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 80
              3⤵
              • Program crash
              PID:1132
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
            2⤵
            • Modifies extensions of user files
            • Adds Run key to start application
            • Drops desktop.ini file(s)
            • Drops file in Program Files directory
            • Suspicious behavior: RenamesItself
            PID:3716
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1928 -ip 1928
          1⤵
            PID:4876

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            3d086a433708053f9bf9523e1d87a4e8

            SHA1

            b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

            SHA256

            6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

            SHA512

            931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            64B

            MD5

            787af9fb0403ef6d772613ace4a3369c

            SHA1

            0bd837010222d20bf2465bcb4cf3e9b0a5e6716e

            SHA256

            1773c1637ffc485d2233e10472e8cef1f6689fbf34d35d044dec9cf6cc2f9810

            SHA512

            20010271c78da4f2fc70f014335128e201db61f5d36b911ad144be2fc2e8827b44cfd6a0f64fe32d71cf4ec0f4751a105066218efbd12874092a828f25bcb929

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            81dff273add49c3cc88d505229291465

            SHA1

            318483b59b3f5cfc67e6dc3152425a131724dc33

            SHA256

            028e560dd3842ef1e419b79746dbf1c54c31c88cc47c0528b9c47f2b1484c6b1

            SHA512

            d6052e273e61494d227fc7b7e504f55885567185eae2a3dacf7bd0cf063fbaf4ec6428c903334b882374e82a3846a5e019fcec3378d8cfc5906e4ac8439c5b0d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            18KB

            MD5

            81dff273add49c3cc88d505229291465

            SHA1

            318483b59b3f5cfc67e6dc3152425a131724dc33

            SHA256

            028e560dd3842ef1e419b79746dbf1c54c31c88cc47c0528b9c47f2b1484c6b1

            SHA512

            d6052e273e61494d227fc7b7e504f55885567185eae2a3dacf7bd0cf063fbaf4ec6428c903334b882374e82a3846a5e019fcec3378d8cfc5906e4ac8439c5b0d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e27064c6-4ed7-407e-b0f8-2de8a718ccc7\AdvancedRun.exe
            Filesize

            88KB

            MD5

            17fc12902f4769af3a9271eb4e2dacce

            SHA1

            9a4a1581cc3971579574f837e110f3bd6d529dab

            SHA256

            29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

            SHA512

            036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e27064c6-4ed7-407e-b0f8-2de8a718ccc7\AdvancedRun.exe
            Filesize

            88KB

            MD5

            17fc12902f4769af3a9271eb4e2dacce

            SHA1

            9a4a1581cc3971579574f837e110f3bd6d529dab

            SHA256

            29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

            SHA512

            036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\e27064c6-4ed7-407e-b0f8-2de8a718ccc7\AdvancedRun.exe
            Filesize

            88KB

            MD5

            17fc12902f4769af3a9271eb4e2dacce

            SHA1

            9a4a1581cc3971579574f837e110f3bd6d529dab

            SHA256

            29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

            SHA512

            036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

            Download Submit

          • C:\Users\Public\Documents\䵄䵃䵆䵳䵉䵒䵆䵵䵆䵈䵈䵅䵳䵹䵲\svchost.exe
            Filesize

            412KB

            MD5

            a92765d045c60f063380907cf6cff8f1

            SHA1

            d0ebdb42d14ea294edbe0eb8199c17dc51b25c63

            SHA256

            56f2b4b441125cd10e38d330e938f17ee8220ab9f53fd187ee551660ccf3e8fb

            SHA512

            cffc1877117fab1d940cc44bd732eb3807478c5c42aa8aa324b1ee8c4843ef5b3c727814fef18f3b2ee4fc11c21c803e986d7a7b20c48ca04f3210ac08a08cdd

            Download Submit

          • memory/1620-140-0x0000000002640000-0x0000000002676000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1620-161-0x00000000072D0000-0x00000000072DA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1620-163-0x0000000007490000-0x000000000749E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1620-155-0x000000006FEF0000-0x000000006FF3C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1620-145-0x00000000058A0000-0x0000000005906000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1620-142-0x0000000005200000-0x0000000005828000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/1928-173-0x0000000000400000-0x00000000004002F9-memory.dmp

            Filesize

            761B

            Download

          • memory/2368-143-0x0000000004FA0000-0x0000000005032000-memory.dmp

            Filesize

            584KB

            Download

          • memory/2368-137-0x0000000004E60000-0x0000000004EFC000-memory.dmp

            Filesize

            624KB

            Download

          • memory/2368-136-0x0000000005370000-0x0000000005914000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2368-147-0x0000000004E50000-0x0000000004E5A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2368-135-0x0000000000450000-0x00000000004BE000-memory.dmp

            Filesize

            440KB

            Download

          • memory/2552-157-0x0000000006870000-0x000000000688E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2552-151-0x0000000005F10000-0x0000000005F2E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2552-159-0x00000000075D0000-0x00000000075EA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2552-162-0x0000000007850000-0x00000000078E6000-memory.dmp

            Filesize

            600KB

            Download

          • memory/2552-156-0x000000006FEF0000-0x000000006FF3C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2552-165-0x00000000078F0000-0x00000000078F8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2552-154-0x0000000007480000-0x00000000074B2000-memory.dmp

            Filesize

            200KB

            Download

          • memory/3364-164-0x0000000007240000-0x000000000725A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3364-144-0x0000000004B50000-0x0000000004B72000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3364-160-0x0000000007540000-0x0000000007BBA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/3364-158-0x000000006FEF0000-0x000000006FF3C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/3364-146-0x00000000055A0000-0x0000000005606000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3716-177-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/3716-179-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/3716-180-0x0000000000400000-0x000000000040F000-memory.dmp

            Filesize

            60KB

            Download

          • memory/4276-175-0x000000006FBF0000-0x000000006FC3C000-memory.dmp

            Filesize

            304KB

            Download