Overview

overview

10

Static

static

3

d9135507e8...93.exe

windows7-x64

10

d9135507e8...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/02/2025, 19:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe

  • Size

    53KB

  • MD5

    22ff4b883468f0b2b21b2c50d5ca5bd9

  • SHA1

    e34f09cf8f1416ab4611a6a18ff99281fad93c70

  • SHA256

    d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893

  • SHA512

    9b37dff34d3ceca993bebda8e6d3f4f4a361af65ec6bdde4be54021be2dc48c176aa0b0ef2bae8433ca2957d5e3c28fe448465c3f816a5ee36a5d395bd8f4405

  • SSDEEP

    1536:oWOeytM3alnawrRIwxVSHMweio36l990:oWOey23alnaEIN/W6lA

Score
10/10
globeimposterdefense_evasiondiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������34 8D 24 59 A8 F7 E2 6A A8 8F 08 5E 8D 89 18 FE 25 3A 07 35 7B C1 25 D1 74 64 05 FF 47 36 FF F0 F5 83 66 EC 57 BA F1 32 27 1A 21 7C C0 2E AB 11 DE 03 EE 2C CF 99 55 11 A7 44 65 F9 02 91 39 D2 F0 82 AB 04 1E B0 20 B4 FC E4 8B C2 A2 D5 DA 98 E5 6A A0 62 13 F3 E1 24 EE FB D8 ED 23 DC 60 30 09 B6 92 8A DD 79 EC 21 6E 14 62 DC 7A 22 22 EA 9D 23 CE 17 8F 23 75 75 70 76 AA B4 56 D6 DC 15 E3 59 8A 43 3B 37 27 D5 56 C8 FD CC B6 4E 16 AC D7 A0 F0 40 99 5D B1 72 76 CE 4C 86 29 C5 46 F5 77 77 0E 87 58 03 EF 2D 69 6C D2 84 A0 95 C0 87 CB F1 A2 75 C2 87 E0 47 58 91 A9 F5 64 90 22 54 5D 45 16 82 18 7C C6 18 F3 EA 39 55 D5 D1 D4 47 1A D7 E5 B5 BE 5E 36 00 C1 F8 A2 1A 3A 69 25 EC 5D 7F D2 D1 6E 59 7E FF FA 5D 2E 99 36 F9 13 A4 45 E5 9F C5 A5 39 67 E9 02 A8 57 92 A1 31 EC C6 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p> <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px"></span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ������������

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Globeimposter family
    globeimposter
  • Renames multiple (6047) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe
    "C:\Users\Admin\AppData\Local\Temp\d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\d9135507e8dbcf15a852ec34623ea6b6d633e10032c94f187ef357ba821af893.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\how_to_back_files.html
    Filesize

    4KB

    MD5

    ff4461b3f69aebc0c6334f19d3d478e3

    SHA1

    19248bc315ae93eaedd73101280cff608cdf2a0c

    SHA256

    693d7f9da7bf6a40a67a58e01ed23b82b350d27ae7c588b888cbd3a1648131ae

    SHA512

    ff95c2bdb16be1ca425c19a341e84256acf6ec75ceac131c541ba06c4cce16fbc416754a05791cec3fba111ac9ab413e13b6e71335abf7cb0a7d69d431359423

    Download Submit

  • memory/3196-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3196-1359-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download