Overview

overview

10

Static

static

3

2024-09-26...er.exe

windows7-x64

10

2024-09-26...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-09-2024 22:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-09-26_d592e416150808195a0b5c07aa25b5de_globeimposter.exe

  • Size

    53KB

  • MD5

    d592e416150808195a0b5c07aa25b5de

  • SHA1

    a487c932566fc83186e2e9a2a8b68c8c58eb8f37

  • SHA256

    4fc81a7195cebac7c8a6f0913e76ddc6d71b8df7e0f249b452c3bad561f71d50

  • SHA512

    1adc116d6a05720c78c8083e804b4ef72eda6691a1c35d25326c28a73e6047ceaa49ee168dc3e7ff1130a814f18dbe5803589f4d4c0a276cfe2c7183a1637563

  • SSDEEP

    768:uTHdvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5v5E9r:EeytM3alnawrRIwxVSHMweio3Z5i

Score
10/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������28 8E 51 B9 7D 63 F6 A3 06 DC CE E1 3C 4F 06 E9 C4 87 64 A0 9A 97 95 FC 80 97 AA F3 1B 41 47 E3 29 F7 99 93 96 A1 51 94 91 CD AD 7F 64 59 B2 E3 48 9A 90 56 5D 97 D1 46 7B 67 B5 8C D9 DE E3 E0 A9 8F 80 E2 C0 15 82 B9 83 E6 2F CD 5F D4 C2 4D 88 7A EB 86 50 BD 66 62 C1 8B 49 87 80 06 69 72 CD 12 F2 E2 BD 3F FC 03 37 2A 78 2A 55 2C 63 43 FF EA 9B 1D 4E 78 71 3E 07 E5 98 BD 60 6C 09 BA 8B CD 8E 5A 47 66 2F AB 5B 81 29 31 75 C6 BD 8D 23 DC D5 62 DC 70 4F E2 C0 FD 6E 31 AD AF 8D 86 A9 10 4A F8 CA 21 3E DE DF 1E 50 B0 4E 46 04 AC 8D DC EB 77 C1 AC BE 73 8C D5 12 9A 23 65 6C 13 2A A1 C8 B7 99 29 C9 41 44 91 4D 02 D1 1D FF 8C EF 8F 00 A9 83 08 C5 5E 06 CA E3 D2 16 B3 E7 40 87 CF 04 03 8D EE 94 E7 E5 CB 5C 9D EE CE ED 42 80 33 92 AF 94 CF 37 59 D6 5B A6 FC 14 4F 50 24 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>������

Signatures

  • Renames multiple (6089) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-26_d592e416150808195a0b5c07aa25b5de_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-26_d592e416150808195a0b5c07aa25b5de_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-09-26_d592e416150808195a0b5c07aa25b5de_globeimposter.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\how_to_back_files.html
    Filesize

    4KB

    MD5

    86680fef32d21363a8a2580c0e3d4f39

    SHA1

    7ab4ccd66425bb4c9f5296961bb04a2774a09810

    SHA256

    f33e95716726cba8b439a119d5bb99549e538cfcded1ec7f5beae0003029028d

    SHA512

    a37cec208dece56240d2e32724a2e569a6457f66ba9a02dd9809594bf50c3bd10b56bbe7ae7485980ad9ce92af7b1d171ab763d03e129f8d659d08503bc26355

    Download Submit

  • memory/4708-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4708-2210-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download