Overview

overview

10

Static

static

3

2025-01-22...er.exe

windows7-x64

10

2025-01-22...er.exe

windows10-2004-x64

10

Resubmissions

22-01-2025 17:27

250122-v1trtsxjbz 10

22-01-2025 15:28

250122-swt6paspet 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-01-2025 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe

  • Size

    55KB

  • MD5

    1748fc9c3457f6102469044a18a67095

  • SHA1

    ff7a2abf8f53c2cac4d2d7d8c70b1784362414bb

  • SHA256

    aec151ab1896489a13e03e2897d3facc8678ffdbd53bd08a01a2d3837f792adc

  • SHA512

    3b2baccde64139657ba2cfcb17398078956b8302f32347ff344861ade61f26496e61a8f913df02ce56d7628ee58381b695fd58f92500cd0f9d0c00a9bd6d3463

  • SSDEEP

    1536:3ibgutzZi79QlgTHf4tq6KhxXwr3+mG3Kk:3itz479QlOWWXKNGak

Score
10/10
globeimposterdefense_evasiondiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; color: #FF0000; background: #303030; } .letter { color: #DC143C; font-weight: 600 } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>2B EE 89 C8 27 38 0C F8 D9 C6 0F C2 96 12 78 7E 4E EE D3 0F BF 47 41 2E DB 29 03 F8 68 CA C2 61 28 E1 2F EB 47 ED 87 08 E3 14 88 F4 81 B7 D5 25 24 76 B0 EC 2D EC AA 52 AA 2F D3 3E FB 5B 40 84 D8 5F 32 39 5E E3 7B 19 CD E6 35 D7 17 74 26 EE 11 AD 47 63 DE 3F 87 6E AF E4 E4 62 6D 70 64 2D CD AF B6 1A 22 8B 09 64 4E C0 EA 1C 02 A2 26 40 58 37 42 BD 02 9C 9F C4 73 C9 FD F1 D7 28 65 77 AB E9 04 75 62 A3 52 D6 38 D3 B8 D0 A8 82 83 C2 F8 BA 74 23 43 59 C1 59 A4 EA D0 4F 90 B5 9C C1 92 BB 24 E5 49 7E A1 8C FF B6 1E 58 8A F9 7D 8E 2B BB 1C 3C AD 8B 76 73 F8 81 1F FC 41 C0 F0 FC 4B 13 3F 24 A6 94 41 DD CF A7 71 A9 EE FD 6F D1 FF 68 2D 08 C2 0D B9 A5 DC B9 64 51 2C 31 51 A3 DC 55 F6 0C 25 C1 61 B9 49 43 27 D7 5A 18 16 DD 19 82 14 5C C8 8D 93 82 2F 78 9B 03 96 0B D1 24 </p> </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9763; Your files are encrypted! &#9763;</h1> <hr/> <h3> To decrypt, follow the instructions below. </h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span></br> (Or alternate mail <span class="letter"> [email protected]</span>)<p> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <hr color=red> <center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center> <center><p style="color:#FF0000"> You can not decrypt your files cheaper than we offer you. You can refer to other services that promise to decrypt you, BUT IT WILL BE MORE EXPENSIVE. No one, except [email protected], will decrypt your files with a guarantee 100%. </p></center> <hr color=red> <ul> <li>Only [email protected] can with a guarantee decrypt your files </li> <li>Do not trust anyone besides [email protected]</li> <li>Antivirus programs can delete this document and you can not contact us later.</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Globeimposter family
    globeimposter
  • Renames multiple (9130) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Clears Network RDP Connection History and Configurations 1 TTPs 2 IoCs

    Remove evidence of malicious network connections to clean up operations traces.

    defense_evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 30 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmpB2CC.tmp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
        3⤵
        • Clears Network RDP Connection History and Configurations
        • System Location Discovery: System Language Discovery
        PID:4952
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
        3⤵
        • Clears Network RDP Connection History and Configurations
        • System Location Discovery: System Language Discovery
        PID:696
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5088
      • C:\Windows\SysWOW64\attrib.exe
        attrib Default.rdp -s -h
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1340
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-01-22_1748fc9c3457f6102469044a18a67095_globeimposter.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Indicator Removal

2
T1070

Clear Network Connection History and Configurations

1
T1070.007

File Deletion

1
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini
    Filesize

    1KB

    MD5

    b13f0d2848317837bd2cc0dba6b6fadd

    SHA1

    c3824b2eb6a785a0fd33d9426577b77723ccd5ae

    SHA256

    f268bb6c323bd239d51d5f2c9f653278ae99c597de92ef4805c4e95b7632f045

    SHA512

    895622dadbd5318a682c5e5966945f081eafb8203319a44660434778b9a92740aeeaed4123f1306f22973c5c76cc1334a55c5156a30106b2487fe417619dd2f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB2CC.tmp.bat
    Filesize

    445B

    MD5

    32d8f7a3d0c796cee45f64b63c1cca38

    SHA1

    d58466430a2bba8641bd92c880557379e25b140c

    SHA256

    1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

    SHA512

    288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

    Download Submit

  • C:\Users\Public\Videos\how_to_back_files.html
    Filesize

    5KB

    MD5

    71c24cc0c563912628f9af485b26fb78

    SHA1

    6beeaa9de9d3b1b7bae3de8234ab18a80e10dd2b

    SHA256

    7eb8efbe489493dae510d13f4d6a626499eb3301406d5dd440dd0ae6395652b4

    SHA512

    cc19a9bfd3c77f9d2f009ec0774680d33b10bea24704b1b9f576a6640d1992e7c48d087096e34e77e7271f04c984ad10aa05f58270c76c43603bb5654cc70b30

    Download Submit