Overview

overview

10

Static

static

3

2025-03-21...er.exe

windows7-x64

10

2025-03-21...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/03/2025, 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-21_40bf68ccfd6cc1e938c30faff5ea82eb_globeimposter.exe

  • Size

    55KB

  • MD5

    40bf68ccfd6cc1e938c30faff5ea82eb

  • SHA1

    47cecf43767573b747dbd90eb867309b317a1f31

  • SHA256

    f097296a2299a5647911101d715f20a718124729114cd20c451354d653fbee11

  • SHA512

    ce754158c6ed422959b221cc0099ece44f45de8c34e92dfa9b8c5c739f262d604f8b6439a965ca24c72b2ac80a4a6f0df7e1858daf2cd62a6a27f4bce9380da0

  • SSDEEP

    1536:8bgutzZi79QlgTHf4tq6KhxXwr3+i/EM:8tz479QlOWWXKpf

Score
10/10
globeimposterdefense_evasiondiscoverypersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Public\Pictures\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; color: #FF0000; background: #303030; } .letter { color: #DC143C; font-weight: 600 } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>47 0A A3 FD 04 59 79 C7 C7 A9 13 BF B1 5D BE F9 72 D3 A4 E6 17 A7 71 1C BF 8D 25 FE BD 97 83 BE FF AE 58 B1 83 B8 26 7B E9 05 1B B7 D3 54 69 5D 32 F8 C6 4B 40 76 EC 3D D1 07 0E 78 78 74 D2 7C F5 38 02 02 3D 33 71 83 E1 48 E0 9C 12 6A 4B 1F 27 77 DA E9 93 9A 9C 5F AA B1 EF 1C 10 D8 A8 ED 4A C3 7C 1A FD CB B6 E0 60 FA 3D 8D 4B 03 1F 3E 85 88 BB B4 D4 53 D9 20 48 C7 8B AB 1F C8 2D F3 9D 46 35 DE 2E F7 C9 E4 14 B1 76 BD 2C 6E BE B6 D9 CE 14 12 59 3B A1 4B AC BF 29 74 DC 73 10 DC D3 C0 D5 3B FD DC 45 AF A0 1B 5F B3 DE 30 43 6F 25 45 C0 92 11 B4 1F 70 54 14 48 19 08 FF 20 49 BF 59 E1 D5 99 BD 6F 67 35 BD 75 37 22 FC A1 AB 6F 37 D5 F8 2B C8 11 B8 E7 6C 59 39 B6 3F 47 97 4D 1D 86 0C 8C 1A A7 30 26 84 79 98 9A 65 1D AC 72 BF EE 13 C8 60 FF F5 E5 90 7E 92 10 09 DC B4 </p> </pre><!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>&#9763; Your files are encrypted! &#9763;</h1> <hr/> <h3> To decrypt, follow the instructions below. </h3> <br/> <div class="text"> <!--text data --> To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 crypted test image or text file or document to <span class="letter"> [email protected]</span></br> (Or alternate mail <span class="letter"> [email protected]</span>)<p> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <hr color=red> <center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center> <center><p style="color:#FF0000"> You can not decrypt your files cheaper than we offer you. You can refer to other services that promise to decrypt you, BUT IT WILL BE MORE EXPENSIVE. No one, except [email protected], will decrypt your files with a guarantee 100%. </p></center> <hr color=red> <ul> <li>Only [email protected] can with a guarantee decrypt your files </li> <li>Do not trust anyone besides [email protected]</li> <li>Antivirus programs can delete this document and you can not contact us later.</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> <!--text data --> </div> </div> </div> <!--tab--> </ul> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

[email protected]</span></br>

[email protected]</span>)<p>

[email protected]

[email protected]</li>

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Globeimposter family
    globeimposter
  • Renames multiple (9084) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Clears Network RDP Connection History and Configurations 1 TTPs 2 IoCs

    Remove evidence of malicious network connections to clean up operations traces.

    defense_evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 30 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-21_40bf68ccfd6cc1e938c30faff5ea82eb_globeimposter.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-21_40bf68ccfd6cc1e938c30faff5ea82eb_globeimposter.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9541.tmp.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
        3⤵
        • Clears Network RDP Connection History and Configurations
        • System Location Discovery: System Language Discovery
        PID:2920
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
        3⤵
        • Clears Network RDP Connection History and Configurations
        • System Location Discovery: System Language Discovery
        PID:428
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4188
      • C:\Windows\SysWOW64\attrib.exe
        attrib Default.rdp -s -h
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:3400
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-03-21_40bf68ccfd6cc1e938c30faff5ea82eb_globeimposter.exe > nul
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Indicator Removal

2
T1070

Clear Network Connection History and Configurations

1
T1070.007

File Deletion

1
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-805952410-2104024357-1716932545-1000\desktop.ini
    Filesize

    1KB

    MD5

    7f65086b636308452458d483bffdd8b3

    SHA1

    279a2008e8ef9f22ad2e8a97e06ab44d54ff269f

    SHA256

    62a7f29bfc93b19c9de2d32930e256d520b2793f03695693443dde0844335469

    SHA512

    b45330b31487d55203d06415f6accbfc34b796bed391b504457c3896bec95d57858cf2713e78a8c89b3cd3413074ad1cc3253c9020ef31904c5991417b3dfaa9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9541.tmp.bat
    Filesize

    445B

    MD5

    32d8f7a3d0c796cee45f64b63c1cca38

    SHA1

    d58466430a2bba8641bd92c880557379e25b140c

    SHA256

    1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

    SHA512

    288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

    Download Submit

  • C:\Users\Public\Pictures\how_to_back_files.html
    Filesize

    5KB

    MD5

    503d1741713459fa206533c8a84a378a

    SHA1

    a6f418f86e4bbde4e808f1b8015b32718664baf1

    SHA256

    653b89066f0f5277d48c06ad54a05335f13500399b2752adc1cbd22729c1a7c9

    SHA512

    94b4a546f7e08b3ba5f6106e864975f041db76ce67d6162d03ba8bc77a92f1768c96891a3630ce38bc87dd52f3f6a96847cb6e4bcb0e71bede17992c0aae0674

    Download Submit