Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-10-2024 13:30

General

  • Target

    2024-10-28_181f176a3977c2bddf27bb334e33b789_globeimposter.exe

  • Size

    53KB

  • MD5

    181f176a3977c2bddf27bb334e33b789

  • SHA1

    733080a58442d2c9fc8477058808e2a5856351fd

  • SHA256

    2f2932e0116bbff9d831b178a67208584fb42522075464fcdb4afd417e323909

  • SHA512

    5b09fc0233551a7173828f929b8a740a7769e1794912466f235b7e824d94c2ccf2d11de689075bfd58760897f01fbbbb7ab38b0941f9bcaf084633ccb07bf294

  • SSDEEP

    768:VTHOvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5vIb:qeytM3alnawrRIwxVSHMweio3ZIb

Malware Config

Extracted

Path

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������0E 1A C4 47 A0 81 C8 48 01 5F FF 3A D4 B0 93 F2 89 FF 72 0D 8D 4E E0 9C 0A 6D C5 8C 86 6F 1C 13 A7 75 58 2C A7 F3 BA DC F1 67 A9 BE 7B A7 AA D3 5E 01 7D 62 B5 77 0C 39 F6 BE 5A 48 24 AE 44 9B A1 6B 8A 57 5B 95 AA 50 12 0B 0A 4C 0D 36 19 FE 24 61 E3 4C 61 F2 87 A6 6F E0 DD 08 A6 4C D3 F1 C4 9E 0D 99 FC A4 EF 43 93 A4 B6 0D DD 65 01 D1 69 BA B5 3F 4E F5 9B 44 EF AB 06 9E 26 21 BC 61 EC BD 7F 0E 44 26 2A F2 33 E2 AF 39 B0 59 C1 C4 61 CB BF 6D D5 A5 56 A7 F0 15 5E 53 7F A1 01 79 C3 BC 2B 49 24 9A A7 C2 99 E9 A6 39 37 FA 20 47 20 89 59 81 D6 76 A8 12 40 90 76 5B FA C6 D8 F0 E3 45 CF 50 E4 72 ED CE 46 87 85 86 9D A1 86 E8 7C 5D A2 BC 00 E0 85 D3 81 96 E4 C4 01 8A BB B9 F5 C9 B6 26 DB 0B 0A 81 AA E5 43 9B 88 21 3A 18 9C 44 C6 31 33 B7 9E A1 4F 42 FA D7 8F B9 B1 3F </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px"></span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Globeimposter family
  • Renames multiple (6079) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-28_181f176a3977c2bddf27bb334e33b789_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-28_181f176a3977c2bddf27bb334e33b789_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-10-28_181f176a3977c2bddf27bb334e33b789_globeimposter.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3404

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\how_to_back_files.html

    Filesize

    4KB

    MD5

    14952025ad8949ad6a75c1397368518b

    SHA1

    39e1bc6f2b11571dd3ea39440b588815ae1c8cd0

    SHA256

    84cd09395608eba5504fdf8cda377e8c954d2554af86db4f4ee6ea6e70b204ff

    SHA512

    3d6739398f3fb57d606c8a9bb5ae461179af306097a1c1a601017b3fd556a8bb8a0555d958617f5b6c62ff7951dbb33c1c3d642d9b4ea360d9e2277491f2e243

  • memory/5108-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/5108-1689-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB