globeimposter | 1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb

Resubmissions

06-03-2023 04:51

230306-fg2wrsac3t 8

25-02-2023 05:08

230225-fsjvbscc39 10

Analysis

max time kernel
132s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-02-2023 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
Size

53KB
MD5

4a6a6b20f1cf998265b089feb5012ac7
SHA1

aa88da5ce9890bdf997f221a298ca18647f26288
SHA256

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb
SHA512

2a103455f0665bf1a52b18c9cd2a7d21ec16e92bf061a7f4890f970705fcaddd6770fc86d88b84e855cdae4f196eb589f05a43d0ac809d00e8cd99b6daa08883
SSDEEP

768:83vuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YvgO6:8TeytM3alnawrRIwxVSHMweio3+4O

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\BackupInitialize.png => C:\Users\Admin\Pictures\BackupInitialize.png.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\ConfirmTest.tif => C:\Users\Admin\Pictures\ConfirmTest.tif.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\ConvertToStop.tif => C:\Users\Admin\Pictures\ConvertToStop.tif.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\MountSuspend.png => C:\Users\Admin\Pictures\MountSuspend.png.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\PushLock.png => C:\Users\Admin\Pictures\PushLock.png.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\StopPublish.png => C:\Users\Admin\Pictures\StopPublish.png.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\UnprotectMeasure.raw => C:\Users\Admin\Pictures\UnprotectMeasure.raw.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File renamed	C:\Users\Admin\Pictures\WaitRedo.png => C:\Users\Admin\Pictures\WaitRedo.png.lockfiles	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
852	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe"	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

Drops file in Program Files directory 64 IoCs

Processes:

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21331_.GIF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files\Microsoft Games\Chess\fr-FR\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00212_.WMF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignleft.gif	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\ATPVBAEN.XLAM	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosecolor.gif	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_OFF.GIF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files\Microsoft Games\Chess\ja-JP\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01358_.WMF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL98.POC	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107502.WMF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198016.WMF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00932_.WMF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.BR.XML	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\INFOML.ICO	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18205_.WMF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBBTN.XML	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tijuana	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\HEADER.GIF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECRECS.ICO	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090783.WMF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.DPV	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Port-au-Prince	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\how_to_back_files.html	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.DPV	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid_over.gif	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21327_.GIF	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe

description	pid	Process	procid_target
PID 1392 wrote to memory of 852	1392	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe	29
PID 1392 wrote to memory of 852	1392	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe	29
PID 1392 wrote to memory of 852	1392	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe	29
PID 1392 wrote to memory of 852	1392	1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe	29

C:\Users\Admin\AppData\Local\Temp\1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe
"C:\Users\Admin\AppData\Local\Temp\1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1532bba40b917d274d0b3dc2b27c5feacae985ba425f3cffcb5e963e20af5bcb.exe > nul
  2⤵
  - Deletes itself
  PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Music\Sample Music\how_to_back_files.html

Filesize
4KB

MD5
55fef323ee2f9ab32a2752955e2e4425

SHA1
a042c395612e98789f9499a3f5d84c5cff85866e

SHA256
5cb5ff799c0e186a99720c76f8f7d087808d7fc61fbd1708142cd3fa2029b842

SHA512
1ff97eae490e9a4a8f3625570bcd586b06a69a6730840f90f34521434dbf6de568647d5544f0ba0de54b338d99f6aa2c68c59124a0ff5fca35a66cb4da1a7c48

Download Submit
memory/1392-92-0x0000000000400000-0x000000000040E200-memory.dmp

Filesize
56KB

Download