globeimposter | ef99a1844cbf354868a70cdcc2584ec94ffceafc4ffcd3a6b5563fa1d632844e

Analysis

max time kernel
185s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
Size

53KB
MD5

13bfc9705ee633aec38f4ccffdca471c
SHA1

bfa8395e872262b95bb218b9834edd90ab2cff5e
SHA256

48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420
SHA512

c900e5dd21c35c2ff875b3d209bff0da0d52468d48dc17324401f5646bf7bdcbeec460085e8abad222dfb30bd85e2c3d214dce80e2de567cb6ddee217999be6e
SSDEEP

768:1xPUSvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5NID:1lHeytM3alnawrRIwxVSHMweio3jI

Score

10^/10

globeimposter persistence ransomware

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe"	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe

Drops desktop.ini file(s) 10 IoCs

Processes:

48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-635608581-3370340891-292606865-1000\desktop.ini	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
File opened for modification	C:\Users\Public\desktop.ini	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe

C:\Users\Admin\AppData\Local\Temp\48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe
"C:\Users\Admin\AppData\Local\Temp\48493bb68bc1062b11cc505e444db288ec6cba0c979d10a9b5a3ea775daf9420.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Videos\Read_For_Restore_File.html
Filesize
4KB

MD5
47661d645d751793b4c7c4d9a552f71e

SHA1
13ca89a2d4618511f386cb07e5731a936eb8ab32

SHA256
da3103678faccd33edd1e9b9506d43502e7666d16f113ed5b2b7c2d6f1e850aa

SHA512
f94041f6ae12d3d4aec5d5e749168e164a3d197d21b3574f2882ed01052e77ef6586d145e6c924ee44815c0c203c48b4c654a1f81077324c9d586c10ae3653b5

Download Submit
memory/4916-0-0x0000000000400000-0x000000000040E200-memory.dmp

Filesize
56KB

Download
memory/4916-3-0x0000000000400000-0x000000000040E200-memory.dmp

Filesize
56KB

Download