Analysis

  • max time kernel
    1479s
  • max time network
    1451s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-09-2023 13:06

General

  • Target

    36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe

  • Size

    454KB

  • MD5

    2c72015e22b53c215403979536bce826

  • SHA1

    39eb8e3c2cef23d1c7a3f5c3133f40ecc98c1cf1

  • SHA256

    36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd

  • SHA512

    0d2e590b0c32de661ab94c0f7a0eccbbc2bac637120b0148e04b05a826ca5858e6d147e0011bd5094f260e5ff0d3dafbf9bc2c4df099adc3ac5c98d50b6df4b1

  • SSDEEP

    6144:ARkz9/pOuAXNjskDoLHq/97BJBNcplFbs4NhulBngyAyLo59QeW:AK5ppmNjluHqVVxcFbsK8fnrS9Q

Malware Config

Extracted

Path

C:\Users\Public\Videos\read-me.txt

Family

globeimposter

Ransom Note

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------
| 1. Download Tor browser - https://www.torproject.org/ and install it.
| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV
| 3. Create Ticket
----------------------------------------------------------------------------------------
Note! This link is available via Tor Browser only.
------------------------------------------------------------
or http://helpqvrg3cc5mvb3.onion/
Your ID
62 32 DE E4 66 74 57 30 A0 DB F2 F6 3F 8A 2E 9B C8 A4 A0 F1 40 63 35 C4 24 13 D9 92 1D 5A 96 E3 D8 16 EF 46 F1 B3 82 41 83 83 18 5B 4C 58 95 C0 11 DC 06 96 E4 08 41 0C 29 E0 E7 C6 7B 2E BD DE FA 4B F1 9F 78 2E E3 B7 45 3E 1E 48 16 3F C0 C6 3A 3F 27 E0 CC 3B 82 85 1F 7F 28 2F 60 FF F9 16 CB 68 7F 5B 49 EC 2C 1B D7 CD 1D 90 53 00 1E C4 92 0F 32 E4 73 56 BF 4B 97 51 1D 46 95 A6 DC 59 4E 19 4A 68 9E 05 BC E5 21 E5 5C 7C 50 38 B4 7F 32 8C 1B 8F 4C 12 F2 CF 3F 5E FA D0 17 95 84 AE 33 E7 5A 8F 03 4B 27 11 F0 5D 58 A5 66 64 7F 71 34 92 71 E0 46 A4 40 E0 38 94 49 5C 30 80 6D 2C 83 AB DC AC 7C 6E 3A 70 5F 64 2A 8C E2 92 2A 12 34 8A BC 8E BB 1C 61 36 AA E2 D9 BD CB 25 6B 25 93 38 2C 36 4D 52 71 F7 97 CB 6E 76 26 EA B8 39 F6 AA D4 6E 76 69 47 CE 8E 8B BC 91 64 43 53 64
URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Renames multiple (8646) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 30 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe
    "C:\Users\Admin\AppData\Local\Temp\36035b1a4995acb201c2b2160000d4477a31a2222c3f6bdc25a32d53d930bcfd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
      2⤵
        PID:1844
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        2⤵
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Drops file in Program Files directory
        • Suspicious behavior: RenamesItself
        • Suspicious use of WriteProcessMemory
        PID:3908
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe > nul
          3⤵
            PID:2320

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1980726966-773384374-2129981223-1000\desktop.ini

    Filesize
    1KB

    MD5
    274ed38049352bb6a9c1ec32409f91f9

    SHA1
    b908f7ef836d99a1e85239e1fcd27a75c19798b7

    SHA256
    1e7571b37b506089a7d9b57c769a169452331a53b3a594a11113536c1b65aec2

    SHA512
    9c4e5e0ebe4e7e5742cb93685cab3ea56bada876cbd988e01fb4fb641a508913e5d54c0a2e1930cc52f6aef6da275fc123360ae0a4d35c34821acd762abc5a74

  • C:\Users\Public\Videos\read-me.txt

    Filesize
    1KB

    MD5
    2a758e641033b1161b7a062d76a85e6f

    SHA1
    85e365504123b20ae9f54c47fd3d747221ff119a

    SHA256
    0551bf52dba99657446cc74bd2d5a8be7f827e90678a8a4812e6f02e4c0076ab

    SHA512
    7645105297ee62374d2db3f12d077cc7d9ca85127d819c53dece843554532bede5e4ad87a3549f4d02b437bd222b2a6075df49f913fef7000e387c0d8f59d01c

  • memory/1476-0-0x0000000074860000-0x0000000075010000-memory.dmp

    Filesize
    7.7MB

  • memory/1476-1-0x0000000000A50000-0x0000000000AC8000-memory.dmp

    Filesize
    480KB

  • memory/1476-2-0x00000000054A0000-0x000000000553C000-memory.dmp

    Filesize
    624KB

  • memory/1476-3-0x0000000005460000-0x0000000005470000-memory.dmp

    Filesize
    64KB

  • memory/1476-105-0x0000000074860000-0x0000000075010000-memory.dmp

    Filesize
    7.7MB

  • memory/3908-4-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize
    60KB

  • memory/3908-6-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize
    60KB

  • memory/3908-9-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize
    60KB