Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-01-2025 13:23

General

  • Target

    2025-01-24_1ed24af8523f92a06bbb53405709a2d8_globeimposter.exe

  • Size

    53KB

  • MD5

    1ed24af8523f92a06bbb53405709a2d8

  • SHA1

    ee1d93efc1e2f8d7e4846f9e5880dbb987702a57

  • SHA256

    578f95ed736938c95f45db89904f7292fca9519b2f0e2ed6b3200848ca737932

  • SHA512

    054966e0cff1a3dc37160c3d35076ab6c3759f618ce71e369726002d18deae86824e7cf48fe97b9dc38a9f887b339c97b42d760d2eb77cb760b7bae744beba52

  • SSDEEP

    1536:kPKs+Na3IGeKJolntwr7DSTWvTwhQ8YioW:kPKs+Na3IrKJolntGDT5Xt

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note
<html> <head> <meta charset="utf-8"> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head>
<body>
<div class="header">Attention! All your files are encrypted.</div>
<div class="note alert"> <ul>
<li>Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the original key recovery is impossible! To decrypt your files you need to buy the special software - "AOKI DECRYPTOR" Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.</li>
<li>If you want to restore files, write us to the e-mail: [email protected] In subject line write "encryption" and attach your personal ID in body of your message also attach to email 3 crypted files.
(files have to be less than 10 MB)</li>
<li>It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.</li>
</ul> </div>
<div class="note private"> <div class="title">Your personal ID</div> <pre>…</pre> </div>
</body> </html>
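The extracted note above is the artefact a responder usually has in hand first, so the fields worth lifting from it are the title, the contact address, the advertised decryptor name and the victim ID in the `<pre>` block. The following parser is an added example written for this page, not code from the sandbox or from the malware; `SAMPLE_NOTE` is a constructed stand-in that copies the layout of how_to_back_files.html, and its e-mail address and personal ID are placeholders rather than values from the report.

```python
"""Extract triage fields from a GlobeImposter-style HTML ransom note such as the
how_to_back_files.html shown above: title, contact e-mail(s), advertised
decryptor name and the victim's personal ID.

SAMPLE_NOTE is a constructed stand-in that copies the layout of the extracted
note (header div, alert list, "Your personal ID" <pre>). The e-mail address and
ID in it are placeholders, not values from the report.
"""
import re
from html.parser import HTMLParser

SAMPLE_NOTE = """<html><head><meta charset="utf-8">
<style type="text/css"> body { font: 15px Tahoma, sans-serif; } </style></head>
<body>
<div class="header">Attention! All your files are encrypted.</div>
<div class="note alert"><ul>
<li>To decrypt your files you need to buy the special software - "AOKI DECRYPTOR"</li>
<li>If you want to restore files, write us to the e-mail: decrypt@example.invalid
In subject line write "encryption" and attach your personal ID</li>
</ul></div>
<div class="note private"><div class="title">Your personal ID</div>
<pre>0123456789ABCDEF0123456789ABCDEF</pre></div>
</body></html>"""


class _NoteParser(HTMLParser):
    """Collects visible text, the header div's text and the <pre> personal ID."""

    def __init__(self):
        super().__init__()
        self._divs = []          # class attributes of currently open <div>s
        self._in_pre = False
        self._skip = False       # inside <style>/<script>: not visible text
        self.header = ""
        self.personal_id = ""
        self.text = []

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class") or ""
        if tag in ("style", "script"):
            self._skip = True
        elif tag == "div":
            self._divs.append(cls)
        elif tag == "pre":
            self._in_pre = True

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._skip = False
        elif tag == "div" and self._divs:
            self._divs.pop()
        elif tag == "pre":
            self._in_pre = False

    def handle_data(self, data):
        data = data.strip()
        if self._skip or not data:
            return
        self.text.append(data)
        if self._divs and self._divs[-1] == "header":
            self.header += data
        if self._in_pre:
            self.personal_id += data


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# The note names its tool in double quotes: ... the special software - "AOKI DECRYPTOR"
DECRYPTOR_RE = re.compile(r'"([^"]*DECRYPTOR[^"]*)"', re.IGNORECASE)


def parse_ransom_note(html):
    """Return a dict of IOC-style fields pulled from the note's visible text."""
    p = _NoteParser()
    p.feed(html)
    p.close()
    body = " ".join(p.text)
    m = DECRYPTOR_RE.search(body)
    return {
        "title": p.header,
        "emails": sorted(set(EMAIL_RE.findall(body))),
        "decryptor": m.group(1) if m else None,
        "personal_id": p.personal_id,
    }


if __name__ == "__main__":
    for k, v in parse_ransom_note(SAMPLE_NOTE).items():
        print(f"{k}: {v}")
```

Run against the real note, the e-mail field will come back empty because the address in this report is redacted; the title and decryptor name are still recoverable and make serviceable pivot strings across GlobeImposter submissions.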

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware family first seen in 2017.

  • Globeimposter family
  • Renames multiple (8654) files with added filename extension

    This is consistent with ransomware encrypting files across the system and appending an extension to each renamed file.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials. For a ransomware sample such as this one the signature most likely fires because the encryption routine walks the browser profile directories; on its own it is not evidence of credential theft.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 38 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by their intrusion activity. Here the sample spawns cmd.exe to delete its own executable once it has run (see Processes).

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-24_1ed24af8523f92a06bbb53405709a2d8_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-24_1ed24af8523f92a06bbb53405709a2d8_globeimposter.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-01-24_1ed24af8523f92a06bbb53405709a2d8_globeimposter.exe > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1364
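The process tree shows the two behaviours that are cheapest to alert on from endpoint telemetry: the dropper (PID 604) spawning cmd.exe (PID 1364) with `del <its own path> > nul`, and a single process renaming thousands of files by appending an extension. The code below is an added example for this page, not output of the sandbox or code from the sample. The events are constructed to imitate Sysmon-style process-creation and file-rename records; only the dropper path and the PIDs 604/1364 come from the report, the `.locked` extension, the rename count and the threshold of 20 are assumptions made for the example.

```python
"""Two behavioural detections for what the report's process tree and signatures
show: a process spawning cmd.exe to delete its own image ("Deletes itself" /
Indicator Removal: File Deletion) and one process renaming many files by
appending an extension ("Renames multiple files with added filename extension").

All events below are constructed for this example. They imitate the fields of
Sysmon process-creation and file-rename telemetry; only the dropper path and
PIDs 604/1364 are taken from the report, everything else is made up.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\2025-01-24_1ed24af8523f92a06bbb53405709a2d8_globeimposter.exe")

# Constructed process-creation events (pid, parent pid, image, command line).
PROCESS_EVENTS = [
    {"pid": 604, "ppid": 1200, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"pid": 1364, "ppid": 604, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\system32\cmd.exe" /c del {DROPPER} > nul'},
    # Benign control: an installer deleting a log file that is not its own image.
    {"pid": 2000, "ppid": 1200, "image": r"C:\Setup\setup.exe",
     "cmdline": r'"C:\Setup\setup.exe"'},
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del /f /q C:\Setup\setup.log'},
]

# Constructed file-rename events; ".locked" is a placeholder extension, not the
# extension this sample actually appends.
RENAME_EVENTS = [
    {"pid": 604,
     "old": rf"C:\Users\Admin\Documents\report{i}.docx",
     "new": rf"C:\Users\Admin\Documents\report{i}.docx.locked"}
    for i in range(25)
] + [
    # Benign control: a browser renaming one download from .tmp to .pdf.
    {"pid": 3000, "old": r"C:\Users\Admin\Downloads\invoice.tmp",
     "new": r"C:\Users\Admin\Downloads\invoice.pdf"},
]

# cmd.exe "del"/"erase", optional switches, the target, optional "> nul" redirect.
_DEL_RE = re.compile(
    r"\b(?:del|erase)\b(?:\s+/[a-z]+)*\s+(.+?)(?:\s*>\s*nul)?\s*$", re.IGNORECASE)


def self_deletions(events):
    """Return (parent_pid, cmd_pid) pairs where cmd.exe deletes its parent's image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "cmd.exe":
            continue
        parent = by_pid.get(e["ppid"])
        m = _DEL_RE.search(e["cmdline"])
        if parent is None or m is None:
            continue
        target = m.group(1).strip().strip('"')
        if target.lower() == parent["image"].lower():
            hits.append((parent["pid"], e["pid"]))
    return hits


def mass_renames(events, threshold=20):
    """Return {pid: (count, extensions)} for processes that appended a new
    extension to at least `threshold` files. The threshold is an assumption for
    this example; tune it to the host's normal rename rate."""
    appended = defaultdict(list)
    for e in events:
        old, new = e["old"].lower(), e["new"].lower()
        # "Appended": the new name is the old full name plus exactly one suffix.
        if new.startswith(old + ".") and "." not in new[len(old) + 1:]:
            appended[e["pid"]].append(new[len(old):])
    return {pid: (len(exts), sorted(set(exts)))
            for pid, exts in appended.items() if len(exts) >= threshold}


if __name__ == "__main__":
    for ppid, cpid in self_deletions(PROCESS_EVENTS):
        print(f"self-deletion: pid {ppid} spawned cmd.exe (pid {cpid}) to delete its own image")
    for pid, (n, exts) in mass_renames(RENAME_EVENTS).items():
        print(f"mass rename: pid {pid} appended {exts} to {n} files")
```

The self-deletion rule keys on the parent/child relationship rather than on the file name, so it survives the random names this family uses for its droppers; the rename rule deliberately ignores plain extension swaps (`.tmp` to `.pdf`) and only counts names that grew by one suffix, which is the pattern behind the 8654 renames recorded above.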

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini

    Filesize

    1KB

    MD5

    265643775ce8303986dd90be0757e8ef

    SHA1

    f82597d9748fbbc1ccfa44a8dba4040510c7ec07

    SHA256

    64545fff71c1a2c87004721357f2639d16ed5b095737ecfdec5acf747d4ce8a6

    SHA512

    dfc98612da30bd4b122b5eca0d48dda6be769172797ec8be7eb0905eabcb6d8ad11554c64f73ecb7fdbc3561edab20da8998ab13f21c4115627f8f56441e3b7e

  • C:\Users\Public\Videos\how_to_back_files.html

    Filesize

    3KB

    MD5

    1a2224b9ba50c67d32b99cad6ff3216a

    SHA1

    c75d1d1dc11ff443cb95f7711ab8a693b17cf666

    SHA256

    6778bc5fb9588ef9324bc774e5ed757637349ca354c8a08d0610e701a517367e

    SHA512

    fb5cdc373d65beab77248100ec5ad74d78fabad56dadef644e6a116f3cd7dcc3dc7641cb2840856bd12c667f6e837de7a16281c0bb86613d4991180befd3b20c

  • memory/604-0-0x0000000000400000-0x000000000040E400-memory.dmp

    Filesize

    57KB

  • memory/604-756-0x0000000000400000-0x000000000040E400-memory.dmp

    Filesize

    57KB