Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64  arch:x86  image:win7-20240903-en  locale:en-us  os:windows7-x64  system
  • submitted
    27-09-2024 03:34

General

  • Target

    2024-09-27_5709e6e2c04703a779bef68714cd5305_globeimposter.exe

  • Size

    53KB

  • MD5

    5709e6e2c04703a779bef68714cd5305

  • SHA1

    cb6999e0d01f205fb58f21acd625d11dd986f8cd

  • SHA256

    32bf1d17adf782b65621c1ec19414dbdd65c94996ab6a133c69a259ec327b7c4

  • SHA512

    72a8892aae280cae6a509af96c146e62c53258e505d47a0b6e34620a334478a381b01bdf3704e83e1746fe4b176fc017ec694e5bc0c91587b4fd9f8d3b05321c

  • SSDEEP

    1536:3oQeytM3alnawrRIwxVSHMweio3m3EvI:4Qey23alnaEIN/Wm3G

Malware Config

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017; it takes its name from imitating the earlier Globe ransomware.

  • Renames multiple (8645) files with added filename extension

    The sample renamed 8,645 files by appending an extension, the pattern of a ransomware encryption sweep across the file system (the desktop.ini drops and the HowToBackFiles.html ransom note listed under Downloads corroborate it).

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials. In a ransomware sample this signature more likely reflects the encryption sweep reading files under the browser profile directories than credential theft; treat it as supporting evidence, not as proof of data exfiltration.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 38 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-27_5709e6e2c04703a779bef68714cd5305_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-27_5709e6e2c04703a779bef68714cd5305_globeimposter.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-09-27_5709e6e2c04703a779bef68714cd5305_globeimposter.exe > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2320
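
The process tree shows the classic self-deletion pattern: the sample spawns cmd.exe with `/c del <its own path> > nul` so the dropper disappears after the sweep. Note that the child image is C:\Windows\SysWOW64\cmd.exe although the command line names system32\cmd.exe, because the parent is a 32-bit process (the memory dump at 0x400000 is consistent with that) and WOW64 file-system redirection resolves the path; a detection should therefore match on the image name, not the full path, and compare the `del` target against the parent's image path. The following is an added example, not code from the sandbox or the report, that applies this logic to constructed process-creation events. Only the PID 1868/2320 chain and its command line come from the report; the other PIDs, paths and the delayed-delete variant are assumptions.

```python
"""Detect a process deleting its own executable through cmd.exe.

Added example, not part of the sandbox report. The PID 1868/2320 chain is
taken from the report; PIDs 3088/3100 and 3990/4001 and their paths are
constructed for illustration.
"""
import re

# "del [/switches] <target> [> nul]" at the end of a cmd.exe command line;
# the target may be quoted and may contain spaces.
DEL_RE = re.compile(r'(?i)\bdel\b\s+(?:/[a-z]\s+)*"?([^"<>|&]+?)"?\s*(?:>\s*nul)?\s*$')


def normalize_path(path: str) -> str:
    """Case- and slash-insensitive comparison form for a Windows path."""
    return path.strip().strip('"').replace("/", "\\").lower()


def image_name(path: str) -> str:
    """File name component of a Windows path, normalized."""
    return normalize_path(path).rsplit("\\", 1)[-1]


def extract_del_target(command_line: str):
    """Normalized path passed to del, or None if the command line has no del."""
    m = DEL_RE.search(command_line)
    return normalize_path(m.group(1)) if m else None


def detect_self_deletion(events):
    """Return findings for cmd.exe children whose del target is the parent image.

    Matching on the image name rather than the full path handles WOW64: a
    32-bit parent gets C:\\Windows\\SysWOW64\\cmd.exe even when its command
    line says system32\\cmd.exe.
    """
    findings = []
    for ev in events:
        if image_name(ev["image"]) != "cmd.exe":
            continue
        target = extract_del_target(ev["command_line"])
        if target is not None and target == normalize_path(ev["parent_image"]):
            findings.append({"parent_pid": ev["ppid"], "child_pid": ev["pid"],
                             "deleted": target})
    return findings


# Constructed process-creation events.
_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-09-27_5709e6e2c04703a779bef68714cd5305_globeimposter.exe"
SAMPLE_PROCESS_EVENTS = [
    # From the report: 32-bit sample, cmd.exe resolved to SysWOW64.
    {"pid": 2320, "ppid": 1868, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": _SAMPLE,
     "command_line": rf'"C:\Windows\system32\cmd.exe" /c del {_SAMPLE} > nul'},
    # Constructed: delayed self-delete that uses ping as a sleep.
    {"pid": 3100, "ppid": 3088, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
     "command_line": r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\dropper.exe"'},
    # Constructed: installer removing a log file, not itself (should not fire).
    {"pid": 4001, "ppid": 3990, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\App\setup.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c del /q C:\Windows\Temp\setup.log'},
]

if __name__ == "__main__":
    for f in detect_self_deletion(SAMPLE_PROCESS_EVENTS):
        print(f)
```

The rule needs both the child's command line and the parent's image path, so it fits sources that record both (Sysmon event 1 carries ParentImage and CommandLine). It does not cover self-deletion done from within the process itself, for example via a renamed alternate data stream or a scheduled task, which needs separate logic.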

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini

    Filesize

    1KB

    MD5

    2a884bcd2c6e1804c32653b0247d120d

    SHA1

    f31f46657eeb321b6f560abd04fc21fa9394e666

    SHA256

    0bcb96364cb6af7ac91032771b868224a4f0184417a6a1f8e9d514513f4d59b0

    SHA512

    8353d6b48c4c327ce51439869acb423f7429ef59d4dc31f179e1f5d247633d659ae09f75bd2abde01fcf2f6874bf3f039c063a0d85e009184b669f7d07c27681

  • C:\Users\Public\Videos\HowToBackFiles.html

    Filesize

    4KB

    MD5

    9c53d4577d32e424fec35e153f52e2ce

    SHA1

    103db02c318ae13269ea8452a8eba5bb5572f937

    SHA256

    b65f8c55dea9ed8e17cfd0370b3bb00c4c7493342ebcc31a0d8abdc7bb927c7d

    SHA512

    cab6f8375c92496ea57d3c732e85a3670b4c37319ac964b98f86684193d35e6116ad5c058ae47d9167429c9b8b39ea935faddfdb1117d1a0a7f81950d0b0f39a

  • memory/1868-0-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB

  • memory/1868-1574-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB