Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250211-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-02-2025 08:23

General

  • Target

    2025-02-13_700edcce509ddcb71a31d1b3765004c2_globeimposter.exe

  • Size

    50KB

  • MD5

    700edcce509ddcb71a31d1b3765004c2

  • SHA1

    0a19d5d16d772853e0ae32d8ccf09454b51bbfc2

  • SHA256

    1ad20ff4f0ba0af89d3af59c4e9d6015df5b4ee90472f576a4dd578c5bff4c84

  • SHA512

    12558b1c47813b3049e99e80e0649b9aa7ab0eec8796f965969fb9b30d742e68e9b3915a8a209e3cc53e8a7ad1bee27e342115b4f3c89aa26f0025df2bbaf03f

  • SSDEEP

    768:fqAFvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5uF:zeytM3alnawrRIwxVSHMweio3

Malware Config

Signatures

  • Renames multiple (9046) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 30 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-13_700edcce509ddcb71a31d1b3765004c2_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-13_700edcce509ddcb71a31d1b3765004c2_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-02-13_700edcce509ddcb71a31d1b3765004c2_globeimposter.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1312
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTIwOTkzMjU4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1404

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-2656314083-4170277356-267438488-1000\desktop.ini

    Filesize

    1KB

    MD5

    d08a0ff79803ed7c503394ffd54fd4ea

    SHA1

    1990e3c98cd4332c6f533d334416472426d2209d

    SHA256

    379a79c716990336df9aabdd2f7780e02393b1b2c89c4d4d1912f5bf1879be00

    SHA512

    e17f6a1c301c97b40f52c2ab097b14e4292abe17432423840073f355d6d054fdb7c81b60d2747b95c79d45c9e2f15256daedd659c503ea3c008fb97565164dd3

  • C:\Users\Public\Pictures\README.TXT

    Filesize

    1KB

    MD5

    d39fd2c336b2d6875d80410e2b2c32a9

    SHA1

    70eea85e9ad2ae17ba9e27f1b30489cd7f610c9f

    SHA256

    841bb3c26773dc2684c7e4c312ad5b7bae76072ad950e94d39ad915ae52fdf34

    SHA512

    afe4841211e79b8ae489e21be86b3b1740812696f9b0317063231dcee5a5f2e01e90f14c29cae4680034a72ba1d1747163678f61aff2d49d53ab132ad727a677

  • memory/2368-0-0x0000000000400000-0x000000000040D400-memory.dmp

    Filesize

    53KB

  • memory/2368-2018-0x0000000000400000-0x000000000040D400-memory.dmp

    Filesize

    53KB