Overview

overview

10

Static

static

3

2024-12-17...er.exe

windows7-x64

10

2024-12-17...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    17/12/2024, 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-17_ae7a5ed1b0195580348bdce731f22fec_globeimposter.exe

  • Size

    53KB

  • MD5

    ae7a5ed1b0195580348bdce731f22fec

  • SHA1

    5362c564b8a21c9ef554d9ba56b4e1cf8dc6f3f6

  • SHA256

    a2c7b8f2e8f560f309789ae882526973dcea5f0f693063b351179a14a20ef636

  • SHA512

    d792e6c57eb06397fc07198861aa2db028626bee1760b407d9f7dd5c13e50a48c68debf01859916defe3249a397259e35a756d56e6b680c87519971728259145

  • SSDEEP

    768:uTHLPvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5v5E9r:SeytM3alnawrRIwxVSHMweio3Z5i

Score
10/10
globeimposterdefense_evasiondiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Music\Sample Music\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������7E 96 08 78 FB 3C 61 E2 6B 71 32 68 4D 27 57 28 95 3A 8B 32 CC 4A 3C C7 9C DE 5D FA B7 FC A8 27 0F C6 CB 73 AB 9F 12 EE 49 DF B0 93 9A 39 1F 8B 11 FC 26 1F 59 EE A6 DF 3C 41 19 FA A7 6A 87 5C A3 56 B1 45 16 B1 0B 89 2A 58 9F 8E BF B5 CF 4C A7 69 1E B5 96 2F 5E 79 AE AD 43 00 91 9B 48 91 59 2D 4C FC 53 F9 4A FF A5 C0 50 17 38 AE BD AD 19 F8 1B B8 0B D1 43 60 79 00 7E 48 47 61 22 85 EE 2A C0 54 57 F8 EA B3 6F CD 32 39 FB 4A 86 52 6D 5F EC 4A 1D 44 C5 69 A2 E7 C5 86 95 E8 8A BD 0C 00 35 DD E0 38 FF 5E F6 A0 82 48 AA 37 48 A6 DA 94 CE 93 ED BE 6F 6B D4 9D C1 2F 32 A0 53 CC 0D F2 E7 49 6A 2C BE 5D 66 FA 3B 64 FD 41 6E 50 4D B7 F3 40 1F AD E5 58 7D 1E D7 EC EE BA E6 C5 F7 AF 1A 18 BD 96 8E 67 37 A3 A7 C8 10 99 3D 15 91 6A 97 B5 E8 CA 48 86 1E 61 69 1B 55 2A 1D 21 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Globeimposter family
    globeimposter
  • Renames multiple (7473) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-17_ae7a5ed1b0195580348bdce731f22fec_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-17_ae7a5ed1b0195580348bdce731f22fec_globeimposter.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2024-12-17_ae7a5ed1b0195580348bdce731f22fec_globeimposter.exe > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1272

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Music\Sample Music\how_to_back_files.html
    Filesize

    4KB

    MD5

    a411fb5d223aee41325f63c833e3acfd

    SHA1

    61b08853657fb74c251dfdb620ccecb149546785

    SHA256

    f7ac5dc0db90bfbeac01723ff75257dc1e01330c1d101919ee3c84e3d65d540c

    SHA512

    66778efbebd7657c5ba8c756e41d77d07cf372ba643783cc0537d9a413356e9a62f864058c276b1c1ce7bf9ed5c3731a918c999b23a63f247049742e696d9160

    Download Submit

  • memory/1784-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1784-1701-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download