Overview

overview

10

Static

static

3

2025-01-22...er.exe

windows7-x64

10

2025-01-22...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2025 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe

  • Size

    55KB

  • MD5

    1748fc9c3457f6102469044a18a67095

  • SHA1

    ff7a2abf8f53c2cac4d2d7d8c70b1784362414bb

  • SHA256

    aec151ab1896489a13e03e2897d3facc8678ffdbd53bd08a01a2d3837f792adc

  • SHA512

    3b2baccde64139657ba2cfcb17398078956b8302f32347ff344861ade61f26496e61a8f913df02ce56d7628ee58381b695fd58f92500cd0f9d0c00a9bd6d3463

  • SSDEEP

    1536:3ibgutzZi79QlgTHf4tq6KhxXwr3+mG3Kk:3itz479QlOWWXKNGak

Score
10/10
globeimposterdefense_evasiondiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; color: #FF0000; background: #303030; } .letter { color: #DC143C; font-weight: 600 } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>59 5A 51 CE 76 7B E7 86 AD E7 AF D5 FB 05 50 0E E9 71 86 89 42 78 8D 44 5C 1B 47 FA 41 9E 55 91 CC A2 8F 5E D7 85 15 ED E8 94 8A A1 72 C1 74 2E AE AE B0 6D F6 FF 95 7D DA 00 3A DF D2 2D 43 D9 49 52 5A 40 A5 2D F8 2F 02 4A 88 A7 6F 09 E3 16 08 23 AA 89 0B C2 44 48 3E 20 33 9C 4F C4 4A C1 8B 81 D9 17 1C C2 D8 18 62 A3 48 B8 15 04 13 E1 DE 92 11 39 1B B5 FA 73 89 32 61 D4 AD 37 82 68 31 AD C1 64 C5 16 AC 2C D9 98 25 86 70 61 70 AD 7B 59 88 C3 39 E4 5C 88 A7 45 3A BF 1F FD C5 8E 39 CD 2B DF 96 E3 37 C3 FD 35 5F 58 D4 88 CB 1F F1 57 88 B7 72 1E 2F 13 45 F1 FF B9 2F A1 EE 56 4D F3 1D 14 9B 15 4D 6B 10 92 78 4B 9D 7B 73 BE 37 0F 47 5A 04 EF F2 D0 A4 07 2A 40 81 97 16 AD BC FE FA 39 35 0B CF 6D B2 A8 20 8A 7D 76 A0 7A F7 A5 E4 93 55 42 F2 A8 C6 49 A7 EC 0C 74 0E 86 </p> </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9763; Your files are encrypted! &#9763;</h1> <hr/> <h3> To decrypt, follow the instructions below. </h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span></br> (Or alternate mail <span class="letter"> [email protected]</span>)<p> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <hr color=red> <center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center> <center><p style="color:#FF0000"> You can not decrypt your files cheaper than we offer you. You can refer to other services that promise to decrypt you, BUT IT WILL BE MORE EXPENSIVE. No one, except [email protected], will decrypt your files with a guarantee 100%. </p></center> <hr color=red> <ul> <li>Only [email protected] can with a guarantee decrypt your files </li> <li>Do not trust anyone besides [email protected]</li> <li>Antivirus programs can delete this document and you can not contact us later.</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Globeimposter family
    globeimposter
  • Renames multiple (9108) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Clears Network RDP Connection History and Configurations 1 TTPs 2 IoCs

    Remove evidence of malicious network connections to clean up operations traces.

    defense_evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 30 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp8BEA.tmp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
        3⤵
        • Clears Network RDP Connection History and Configurations
        • System Location Discovery: System Language Discovery
        PID:4828
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
        3⤵
        • Clears Network RDP Connection History and Configurations
        • System Location Discovery: System Language Discovery
        PID:2268
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1164
      • C:\Windows\SysWOW64\attrib.exe
        attrib Default.rdp -s -h
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1148
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Indicator Removal

2
T1070

Clear Network Connection History and Configurations

1
T1070.007

File Deletion

1
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini
    Filesize

    1KB

    MD5

    f85dbc21d1dccd1c0d5aff105ef53280

    SHA1

    5a24a420c3b5f0de2c0eab9f7e68f5c4958f040d

    SHA256

    ba05bd75e8d7aa3c0aca4e2e0dcf0bb3155dc7d3bcf0655a4be819658d849d35

    SHA512

    f9572f15d0e20b883b61d833a20d375cbf6742630b01b8215d077f8dc059ed05a0baae94f4435cb09a9f0da856d52a86890f564fe5fd965b5b9243c224d38e0e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp8BEA.tmp.bat
    Filesize

    445B

    MD5

    32d8f7a3d0c796cee45f64b63c1cca38

    SHA1

    d58466430a2bba8641bd92c880557379e25b140c

    SHA256

    1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

    SHA512

    288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

    Download Submit

  • C:\Users\Public\Videos\how_to_back_files.html
    Filesize

    5KB

    MD5

    b9b30f7b7136c1e18d7ef197b1ed4e27

    SHA1

    50959d3aedc48feffb74b36b324537877a4e7f32

    SHA256

    ce4d72a31d830a702cb5b283400d07bade3f72d7a9abe7e90ba5d8b2cd95c629

    SHA512

    e72262dc4fa1a1fe5d33cb8a761c9ffd719ace359bd92a4125f841e0a50efd169e6a7218e52b091d7c02a779164ec77c8c75c1a47163771938145973f817f345

    Download Submit