Overview

overview

10

Static

static

3

2025-02-25...er.exe

windows7-x64

10

2025-02-25...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/02/2025, 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-25_91bd0b85cea886e49a28feeb72aed5d8_globeimposter.exe

  • Size

    53KB

  • MD5

    91bd0b85cea886e49a28feeb72aed5d8

  • SHA1

    fd4df46ac3b7ce3e0817b4426b99e3b505818d80

  • SHA256

    7ef6352f29723ff4f3702fd5e6d041695ccda89105d47b6aff5bf87521fe2345

  • SHA512

    3ee45ad61fea9fb9a6e15198d4956154610a53409ed0c5fb643d1acf819246fa12ffdbd4c904e439846dd0bb1ae656c21c29d0a9519a483ea5fa8e77282910a8

  • SSDEEP

    768:uTHskvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5v5E9r:x2eytM3alnawrRIwxVSHMweio3Z5i

Score
10/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\HOW_TO_BACK_FILES.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">��������������84 65 75 4E 44 F4 86 25 30 2B E0 6A DD A5 C1 11 FF E7 AE 48 00 A5 8A 92 11 80 EF 3A 43 1D 2A 11 75 C7 01 F9 99 77 3E 99 FA 7F 1F 9C D5 89 25 A9 99 E5 EC DE A4 38 44 E2 41 B8 D7 2A 57 E1 2C 74 72 11 56 0B 04 F5 D4 2C 41 25 F7 13 D5 CF 08 8F 6F 17 8F D2 B5 00 BB 53 EF 90 0B 85 3C 7D 35 C5 6C 2C D8 1B 8E 96 04 85 A2 B6 E4 B9 21 91 DA B5 BE C3 80 76 94 CC D2 1D 25 94 23 CB 44 50 43 E6 14 21 56 0D 90 B8 C4 42 B5 24 16 94 AB 57 E9 A9 60 56 A2 A3 8A 99 78 74 8D 9F 5E 25 FC D6 D0 D4 24 6C 55 FF 9F 25 36 72 79 C0 AD 65 A4 6F 85 3C 24 36 21 F0 CD B6 C5 38 5E 81 A9 C4 13 68 79 D0 89 2C A9 2C 2F 77 33 FB 3E 83 2F DA F7 52 03 E5 D1 89 14 31 06 2E 26 C4 51 14 63 06 EF 35 0A A1 11 B1 AA 84 C6 72 FA 71 B5 5D DE 25 B4 A3 60 DE 30 49 80 B1 12 05 C4 95 EA B8 25 64 DC 96 4A 50 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>������

Signatures

  • Renames multiple (6044) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-25_91bd0b85cea886e49a28feeb72aed5d8_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-25_91bd0b85cea886e49a28feeb72aed5d8_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-02-25_91bd0b85cea886e49a28feeb72aed5d8_globeimposter.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\HOW_TO_BACK_FILES.html
    Filesize

    4KB

    MD5

    893f793c571daa55d440cb09ba15a543

    SHA1

    e6e41ef95df9a04b4604b9cf9c2b6d8c60a7cb05

    SHA256

    15a923c0294cc3c3af66089513e40badd8e529e0e0da9695f7ece3c909abcb4c

    SHA512

    493900978075c1bc3dbbc35170cd5a3dd986af0112b0d3f85ea37dc1088697cec419c2ea7c5a1f1c8263a2c2e92a2eb6777b70a4a584bd20977e4136da0e0e5c

    Download Submit

  • memory/3232-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3232-1688-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

    Download