General

  • Target

    36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe

  • Size

    454KB

  • Sample

    230911-qckf2agc96

  • MD5

    2c72015e22b53c215403979536bce826

  • SHA1

    39eb8e3c2cef23d1c7a3f5c3133f40ecc98c1cf1

  • SHA256

    36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd

  • SHA512

    0d2e590b0c32de661ab94c0f7a0eccbbc2bac637120b0148e04b05a826ca5858e6d147e0011bd5094f260e5ff0d3dafbf9bc2c4df099adc3ac5c98d50b6df4b1

  • SSDEEP

    6144:ARkz9/pOuAXNjskDoLHq/97BJBNcplFbs4NhulBngyAyLo59QeW:AK5ppmNjluHqVVxcFbsK8fnrS9Q

Malware Config

Extracted

Path

C:\Users\Public\Videos\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Extracted

Path

C:\Users\Public\Videos\read-me.txt

Family

globeimposter

Ransom Note
All your files are Encrypted! For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
62 32 DE E4 66 74 57 30 A0 DB F2 F6 3F 8A 2E 9B C8 A4 A0 F1 40 63 35 C4 24 13 D9 92 1D 5A 96 E3 D8 16 EF 46 F1 B3 82 41 83 83 18 5B 4C 58 95 C0 11 DC 06 96 E4 08 41 0C 29 E0 E7 C6 7B 2E BD DE FA 4B F1 9F 78 2E E3 B7 45 3E 1E 48 16 3F C0 C6 3A 3F 27 E0 CC 3B 82 85 1F 7F 28 2F 60 FF F9 16 CB 68 7F 5B 49 EC 2C 1B D7 CD 1D 90 53 00 1E C4 92 0F 32 E4 73 56 BF 4B 97 51 1D 46 95 A6 DC 59 4E 19 4A 68 9E 05 BC E5 21 E5 5C 7C 50 38 B4 7F 32 8C 1B 8F 4C 12 F2 CF 3F 5E FA D0 17 95 84 AE 33 E7 5A 8F 03 4B 27 11 F0 5D 58 A5 66 64 7F 71 34 92 71 E0 46 A4 40 E0 38 94 49 5C 30 80 6D 2C 83 AB DC AC 7C 6E 3A 70 5F 64 2A 8C E2 92 2A 12 34 8A BC 8E BB 1C 61 36 AA E2 D9 BD CB 25 6B 25 93 38 2C 36 4D 52 71 F7 97 CB 6E 76 26 EA B8 39 F6 AA D4 6E 76 69 47 CE 8E 8B BC 91 64 43 53 64
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Targets

    • Target

      36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe

    • Size

      454KB

    • MD5

      2c72015e22b53c215403979536bce826

    • SHA1

      39eb8e3c2cef23d1c7a3f5c3133f40ecc98c1cf1

    • SHA256

      36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd

    • SHA512

      0d2e590b0c32de661ab94c0f7a0eccbbc2bac637120b0148e04b05a826ca5858e6d147e0011bd5094f260e5ff0d3dafbf9bc2c4df099adc3ac5c98d50b6df4b1

    • SSDEEP

      6144:ARkz9/pOuAXNjskDoLHq/97BJBNcplFbs4NhulBngyAyLo59QeW:AK5ppmNjluHqVVxcFbsK8fnrS9Q

    • GlobeImposter

      GlobeImposter is a ransomware first seen in 2017.

    • Renames multiple (4434) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Renames multiple (8646) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks