Overview

overview

10

Static

static

3

2024-12-17...er.exe

windows7-x64

10

2024-12-17...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-17_ae7a5ed1b0195580348bdce731f22fec_globeimposter.exe

  • Size

    53KB

  • MD5

    ae7a5ed1b0195580348bdce731f22fec

  • SHA1

    5362c564b8a21c9ef554d9ba56b4e1cf8dc6f3f6

  • SHA256

    a2c7b8f2e8f560f309789ae882526973dcea5f0f693063b351179a14a20ef636

  • SHA512

    d792e6c57eb06397fc07198861aa2db028626bee1760b407d9f7dd5c13e50a48c68debf01859916defe3249a397259e35a756d56e6b680c87519971728259145

  • SSDEEP

    768:uTHLPvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5v5E9r:SeytM3alnawrRIwxVSHMweio3Z5i

Score
10/10
globeimposterdefense_evasiondiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������88 F0 D4 12 10 CF F0 15 84 1C 1A 33 E1 75 58 19 8B 3C 51 2E 6F 4B 6D 6C 63 EA 78 43 88 8E 12 10 F1 B2 4B 69 09 7D 1B B2 10 45 D6 63 DF 28 85 1C A8 84 FD 79 50 78 4E 04 35 C0 17 F6 E7 81 DF B4 9B 67 01 A0 5D E1 DA A3 25 9C 3B 8F 4B 1D 98 27 65 10 74 11 23 78 72 09 9D 1F 16 12 CD 3F 3C 21 E7 7E EB EA 71 4A 0F D9 5B 3A DF E2 B8 0F 1F 8F 68 AC 3E FD BC 85 A2 8A D5 95 04 2C 3A 6F 9D 45 55 02 02 D8 11 4B 4C B0 A7 7F 14 3C 8C 05 05 86 36 6F 2B 88 EC A3 BE D8 78 57 77 39 CD C0 74 9E 50 05 C3 CC 8A C0 13 C7 28 73 FD 66 4B FB 5C 40 36 FA 67 B2 AC 81 75 91 AA 54 2F B6 EE 3A 10 CA 5A 3D 28 63 78 C0 E4 B6 5C 56 AA D0 7F 33 D8 95 D6 A5 06 E7 25 73 8A 60 5B FB A9 74 F4 7D 7A 3B 34 62 55 56 37 B8 D0 33 7F 3E 8F A3 3C 6D 36 D9 84 8F DC 41 BB 28 8C 96 75 40 DD 49 4F 8F 5C 7C </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Globeimposter family
    globeimposter
  • Renames multiple (6107) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-17_ae7a5ed1b0195580348bdce731f22fec_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-17_ae7a5ed1b0195580348bdce731f22fec_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-12-17_ae7a5ed1b0195580348bdce731f22fec_globeimposter.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\how_to_back_files.html
    Filesize

    4KB

    MD5

    cbab9386242ecf1eeec06cce76808859

    SHA1

    065e706c51237ac8b6f05b09705228a424c8d9f1

    SHA256

    41e17baf0b7aa0c64aed2e06816509e199ac062111048dd4b7a51c21ef431176

    SHA512

    764a084fa1f69e7dac7a27348d3ad82fc2242b51529543ff51fd8c8254acb3d85bb5b7f3f828e9d975f3ed8e3a4eab9b33cd71e128b36fa61e9258d929631124

    Download Submit

  • memory/972-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/972-1859-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download