Overview

overview

10

Static

static

3

2025-02-21...er.exe

windows7-x64

10

2025-02-21...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/02/2025, 21:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-21_1b19c92ab8912c7180391cc5dc8c76ac_globeimposter.exe

  • Size

    53KB

  • MD5

    1b19c92ab8912c7180391cc5dc8c76ac

  • SHA1

    77417671b404d0f4d752e2678abe0360f75e38d1

  • SHA256

    98ebfb2fd5f3cd2ecfd55ee20c068fcfd8a65ffd19b7d49d08634de3ee998f50

  • SHA512

    136ef82e131e71b46ba9a5a5c9447fc63e251b88349629b8e556a476a7e401f616594d708db29cb08d030e8132c106c63107315c6c9dcf0752dc2b765dbf4bb8

  • SSDEEP

    768:1THXvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5vKo6:1eytM3alnawrRIwxVSHMweio3ZKv

Score
10/10
globeimposterdefense_evasiondiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������81 73 77 60 AC 47 25 49 1B 07 D4 B3 87 C0 FA 5B 39 47 69 A7 F2 2B FA 06 60 8E 62 36 FA 84 88 8A 75 13 55 44 80 29 F8 86 8E D7 61 E8 38 6D 8F 13 91 BF B4 D1 3B 50 8A D1 B1 33 C4 A8 6B 42 72 90 E9 11 8D 9A DF 4C 21 AE E5 11 53 E2 42 EA A8 5C 9A 8C DD 5D 37 52 DF FF DD 22 51 12 3A C6 62 B8 99 BF DD 31 51 3A EF 39 83 39 55 F9 EF 9A 6A 14 5E 14 87 CF 53 FE 84 22 04 8E B2 FA FC E4 26 E2 20 6D F5 3F D1 A4 F2 28 68 67 61 95 8C 89 9D 52 9E 0F 74 C9 86 FB D6 D0 A5 29 73 9B DC E9 A8 C2 3C 98 4B C6 80 49 2E 0E 33 C3 F3 67 59 F1 8F 26 07 FD 8C F9 52 2D CE 91 65 F5 47 9B BB D0 D1 75 47 18 3D 6E 07 5D 1A 5E 71 12 17 42 A5 41 A1 01 91 4B 14 33 25 A8 09 5D 28 B3 2C 4C 35 0F E8 D8 BF DD A6 E2 30 E8 5C 1E 4F AF 50 A8 02 73 80 E3 5A 81 A1 0F D2 6F 50 DE CE AE 3D 2C 3C B9 83 32 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px"></span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Globeimposter family
    globeimposter
  • Renames multiple (6063) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-21_1b19c92ab8912c7180391cc5dc8c76ac_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-21_1b19c92ab8912c7180391cc5dc8c76ac_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-02-21_1b19c92ab8912c7180391cc5dc8c76ac_globeimposter.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\how_to_back_files.html
    Filesize

    4KB

    MD5

    0afe4e687a2e7a06683bcf593acaf33e

    SHA1

    7335eb0a72706d03672248d8a212efe1cd89803d

    SHA256

    1bde411425a35ea69dcfdbe86e5671f3f771fa27db91a02926c99052e92aadb5

    SHA512

    f0409524a2b0b8bee8216cd1b7bfa58d2ca82328527b43b9ea5218a438814807f5fa7365a6d5c8fe23b07a273007c6e9d84aef68cdec2c105b0e102422e3e5b6

    Download Submit

  • memory/1536-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1536-1974-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download