Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/08/2024, 23:42

General

  • Target

    2024-08-09_d6d78dd3190e9b80975ed8e281bd4d60_globeimposter.exe

  • Size

    53KB

  • MD5

    d6d78dd3190e9b80975ed8e281bd4d60

  • SHA1

    96934ee9d9d8fe3b531331fe1fc578e66591304b

  • SHA256

    204999f72452d3245497aca2e878dde751eff81cf11ceb7d8d17cc6cf8dc03d4

  • SHA512

    c4e6b3846b3724f7728c971421bfe336b69737289126dcdcb255b0515eb56ec2735f3e47bb8e19743e0681552d6c3002ff266c683079c73c0aa54598e004177b

  • SSDEEP

    768:3Ovuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5ZoiJ:3keytM3alnawrRIwxVSHMweio3To

Malware Config

Extracted

Path

C:\Users\Public\Videos\How_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������77 D3 DA 7D 04 89 4A C7 93 6B 59 C4 83 79 8A 8A 1E 69 A3 E1 54 41 93 38 DB AB B8 0B FE 44 2C 9E B7 79 61 1B B6 2F 90 03 00 9B 2B 33 88 27 5C 89 E2 E8 8D FC 8E 1D A5 ED B1 47 B4 22 81 28 9F C5 BA 84 52 98 F0 BE 50 6B 4A 49 A9 06 20 E7 8C 48 16 08 D5 54 BC F1 71 06 C4 F4 1A 85 9B A1 F3 D6 8A 90 2C 95 A1 76 05 A8 59 03 B8 10 7A 0B 9E 5B 8F 49 D0 41 73 F1 66 68 74 F2 97 8C 80 F7 95 5E C1 B1 E7 D8 B0 6D 42 D0 EC 6A 48 EC 45 DE F8 45 C4 5E 44 9C C6 D6 E4 8F EB CD CA 94 74 C5 C5 FE 2F D5 AE 89 88 AE 26 8B 50 F8 4C 9F E6 7C 88 A0 26 1B 3B 65 B1 14 FC 19 E1 C9 F5 0B 44 01 7F 2A 59 61 6D D6 66 23 1A 2E BF DC DD 75 D1 D0 07 07 FD 00 F5 45 A1 65 75 1D BD D2 A2 47 0C FD CE 92 03 FB D0 82 2C 81 01 D5 F3 25 29 05 46 3E 8E D5 1D 0F 17 DF 35 F1 BF C9 D2 35 5A 28 E3 82 7B 10 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>�������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Renames multiple (6131) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 30 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-09_d6d78dd3190e9b80975ed8e281bd4d60_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-09_d6d78dd3190e9b80975ed8e281bd4d60_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-08-09_d6d78dd3190e9b80975ed8e281bd4d60_globeimposter.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini

    Filesize

    1KB

    MD5

    a1010dcf4fc79736f3afc30a1ddc645e

    SHA1

    4702f4030cc23267ab21c09aee2d0239294041c7

    SHA256

    b2bcc8cb800994ed5a9a6c14e414879209d052b7b48b05ed29ba7be02e57513b

    SHA512

    777976a2733a848b518e739cd5a577d5e1cc76abf22e9c99c00f332c4ce655f36d0d0c0507a3f85d65114eba47df960133cad0356ac51821f3f280d65349d904

  • C:\Users\Public\Videos\How_to_back_files.html

    Filesize

    4KB

    MD5

    b13650a57d8c11e15a8fc0552c85f62c

    SHA1

    cd6ea1d21d5c795e19cea5f8275ee79912970ced

    SHA256

    2dba200bf5ab5e9022fc145760d0f21eb8d4f51645375ae5de03819f14b4ccf4

    SHA512

    a929ce9bd0280c100287b8302bddb51eaeabb62f51e973f4d1afe610adb3400fbee383e2e2fa9be2ec4247740d214f80b463966d2382ba0e91db3a461d54d5c0

  • memory/2648-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2648-5640-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB