Malware Analysis Report

2024-10-18 22:59

Sample ID 241014-g9zsjs1dqf
Target 2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter
SHA256 58f6b5a6fca911a751d3a30e796de0ea9612fca461404aa5eea6622be08a1aab
Tags globeimposter defense_evasion discovery persistence ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 58f6b5a6fca911a751d3a30e796de0ea9612fca461404aa5eea6622be08a1aab

Threat Level: Known bad

The file 2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter was found to be: Known bad.

Malicious Activity Summary

globeimposter defense_evasion discovery persistence ransomware spyware stealer

GlobeImposter

Renames multiple (6063) files with added filename extension

Renames multiple (7315) files with added filename extension

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Indicator Removal: File Deletion

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-14 06:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-14 06:30

Reported 2024-10-14 06:33

Platform win10v2004-20241007-en

Max time kernel 94s

Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe"

Signatures

GlobeImposter

ransomware globeimposter

Renames multiple (6063) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef.pak C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.dub C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\AugLoop\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\id_get.svg C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\close.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_3qtr.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_thumbnailview_18.svg C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\39.jpg C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\23.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\LightGray.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\illustration-UploadToOD.svg C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\SphereGeometryShader.cso C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\ShareProvider_CopyLink24x24.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files\7-Zip\Lang\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\7px.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriL.ttf C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-20_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\KnownGameListRS3.bin C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\WideTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-150.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-16_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLookingUp.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/1076-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\how_to_back_files.html

MD5 152d8c8fc97b77577fab5650f3ab8256
SHA1 6adde26a6ea37c93ee75414ce93845bbba39840d
SHA256 b91b9cafaa622e0d735613b4dd5c9bcf15d5b4d8bedb444984795022835e2bf8
SHA512 9ca8d7603918b205698c3874949638e598c219a2ebbb9d3d22223ff27a40e7dcbba1baeb576eab09de8719a998c670f2bb1688b7537af770f1c847b9fcde3680

memory/1076-2245-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-14 06:30

Reported 2024-10-14 06:33

Platform win7-20240729-en

Max time kernel 38s

Max time network 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe"

Signatures

GlobeImposter

ransomware globeimposter

Renames multiple (7315) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe" C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01751_.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files (x86)\MSBuild\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME52.CSS C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286034.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_es.properties C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\720x480icongraphic.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\Common.fxh C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV.HXS C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\header.gif C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART10.BDR C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00097_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\attention.gif C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00795_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Dublin C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Beirut C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Menominee C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACC.CFG C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02958_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00426_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\ResumeConvertFrom.tif C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pl.txt C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Horizon.thmx C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Stock Quotes.iqy C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH.HXS C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\how_to_back_files.html C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Monterrey C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe

"C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-10-14_71213eb9e5f168f41b83a7e603f6681d_globeimposter.exe > nul

Network

N/A

Files

memory/2524-0-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Public\Music\Sample Music\how_to_back_files.html

MD5 247f04790a9edb6aeb62e06d7b3a17b0
SHA1 0f77483bae95975e8e9fdacc368d63adad4719e1
SHA256 6c2f36f015b06f73fb2e44c53580fc1434888115629ab11d29df9904cddd88ad
SHA512 4c90463092f7bbd59d7fbb5f7f95d180c31c8af1c969f4b30cb20ee757e730d599a741216cb208f9ad67774cd22282669ff2569298ad10ba0a9f981e097c9663

memory/2524-2636-0x0000000000400000-0x000000000040E000-memory.dmp