Windows Analysis Report Mm7Yq5V7Lu
Overview

General Information

Detection: Globeimposter
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Globeimposter Ransomware
Yara detected AntiVM3
Found ransom note / readme
Multi AV Scanner detection for dropped file
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
AV process strings found (often used to terminate AV products)
Sample file name differs from the original file name recorded in its version info
Drops PE files
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
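The schtasks.exe and Sigma entries above describe persistence through a scheduled task whose action points into a user's AppData\Local\Temp directory. The following is an added example, not part of the Joe Sandbox report and not the Sigma project's rule file: it approximates that detection from the signature's description and runs it over constructed Sysmon-style process-creation records. The field names, the sample command lines and the extra environment-variable spellings (%TEMP%, %TMP%, %LOCALAPPDATA%\Temp) are assumptions; the check covers schtasks.exe only, not at.exe.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation records; none of these
# come from the report. The first two should alert, the rest should not.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Create /SC MINUTE /MO 1 /TN "WinUpdate" '
                       r'/TR "C:\Users\alice\AppData\Local\Temp\update.exe" /F',
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /create /sc onlogon /tn "Sync" /tr "%TEMP%\sync.exe"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\Program Files\Backup\backup.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\AppData\Local\Temp\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# The literal \AppData\Local\Temp\ spelling is what the Sigma rule keys on; the
# environment-variable forms are an extension added here (assumption: writing
# %TEMP% instead of the expanded path registers the same task).
_TEMP_PATH_RE = re.compile(
    r"(\\AppData\\Local\\Temp\\|%TEMP%\\|%TMP%\\|%LOCALAPPDATA%\\Temp\\)",
    re.IGNORECASE,
)
_TASK_NAME_RE = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def is_suspicious_task_creation(event):
    """True when schtasks.exe is creating a task whose action lives in a Temp directory."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    if not image.endswith(r"\schtasks.exe"):
        return False
    if "/create" not in cmdline.lower():
        return False
    return _TEMP_PATH_RE.search(cmdline) is not None


def task_name(cmdline):
    """The /TN value, for triage output; None if the command line has none."""
    m = _TASK_NAME_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def find_suspicious_task_creations(events):
    """Return (task name, parent image) for every matching record."""
    return [
        (task_name(e["CommandLine"]), e.get("ParentImage", ""))
        for e in events
        if is_suspicious_task_creation(e)
    ]


if __name__ == "__main__":
    for name, parent in find_suspicious_task_creations(SAMPLE_EVENTS):
        print(f"ALERT task={name!r} created by {parent}")
```

The parent image is carried through because it is the first thing an analyst wants on the alert: a task created by a binary that itself lives in Temp, as in the first record, is a stronger signal than the same command issued from cmd.exe.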
Classification

Process Tree
Malware Configuration

Threatname: GlobeImposter

Ransom Note (stored in the configuration as a single JSON string; three NUL bytes precede the ID block in the raw note):

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:
----------------------------------------------------------------------------------------

| 1. Download Tor browser - https://www.torproject.org/ and install it.

| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

| 3. Create Ticket

----------------------------------------------------------------------------------------

Note! This link is available via Tor Browser only.

------------------------------------------------------------
or
http://helpqvrg3cc5mvb3.onion/

Your ID

67 0D B5 3D F6 72 46 45 EA F4 35 88 36 1B D3 0A
A4 5C F3 89 B8 97 4A A6 3B 8D 1B 03 20 3F 20 FB
A9 A9 BB F7 1D 8A 3E F3 F5 4C F1 75 40 F0 F9 40
E7 0E 1A F5 A6 2C 34 4E EA 7E 57 FF C3 B0 D4 66
C0 3A 96 97 4F D7 A5 2E F8 34 8C 85 9D 35 0D 82
5C C4 72 95 44 72 E0 8C 13 47 E1 4B E4 06 9C 9C
92 37 F5 A5 82 7E BD B8 8B 53 FC 81 5E 36 04 9D
12 19 C5 B3 01 AC 42 2A DA 75 B7 FF E0 DC A7 A0
72 7A 63 F5 DF D6 CF 9A 1F 22 EF B3 5F 90 95 5D
30 CC D9 A2 AF 7F 0F F4 86 13 44 1F EF 77 E2 C0
E2 CF CF 82 7A 3E E5 7A D3 02 EB 7B B0 30 B9 D2
AC 29 2A AF EC C8 3D A9 AA B5 1D CE 27 B0 75 4C
5F 0D FC 69 CA 00 78 C4 6A F5 D2 6A C8 7A BF 10
6E 87 47 0F 27 E2 3D C8 E2 A9 71 09 DD A0 98 32
E4 CF 64 F2 41 66 A4 8E FA DD 9C 6D 4A EF 7A F5
79 91 A5 31 FC 9B 61 4E 9C 5D 08 F9 41 2A 1E 74
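The configuration above is the part of the report an analyst turns into indicators: two onion hostnames and a 256-byte "Your ID" block. The following is an added example, not part of the Joe Sandbox report, that parses a constructed copy of that note (same onion addresses and wording; the ID block shortened to the first two of its sixteen hex rows, with the leading NUL bytes kept), extracts the onion hostnames and full URLs, classifies each hostname by address version, and decodes the ID into bytes. Function names are this example's own. One caveat it encodes: a 16-character hostname such as helpqvrg3cc5mvb3.onion is a v2 onion address, and Tor dropped v2 onion service support in 2021, so only the 56-character v3 address is reachable from a current Tor client. What the ID block encodes is not established by the report.

```python
import json
import re

# Constructed copy of the configuration's "Ransom Note" value (not the report's
# raw JSON): the onion addresses are the ones in the report, the "Your ID" block
# is shortened to the first two of its sixteen rows, and the three NUL bytes that
# precede the ID in the real note are kept so the parser has to cope with them.
CONFIG_JSON = json.dumps({
    "Ransom Note": (
        "All your files are Encrypted!\r\nFor data recovery needs decryptor.\r\n"
        "How to buy decryptor:\r\n"
        "| 1. Download Tor browser - https://www.torproject.org/ and install it.\r\n\r\n"
        "| 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV\r\n\r\n"
        "| 3. Create Ticket\r\n\r\n"
        "Note! This link is available via Tor Browser only.\r\n\r\n"
        "or\r\nhttp://helpqvrg3cc5mvb3.onion/\r\n\r\nYour ID\r\n\r\n"
        "\x00\x00\x00"
        "67 0D B5 3D F6 72 46 45 EA F4 35 88 36 1B D3 0A\n"
        "A4 5C F3 89 B8 97 4A A6 3B 8D 1B 03 20 3F 20 FB\n"
    )
})

# Onion hostnames are base32: 16 characters for the retired v2 format, 56 for v3.
_ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)
_ONION_URL_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\S*", re.IGNORECASE)
_HEX_BYTE_RE = re.compile(r"\b[0-9A-Fa-f]{2}\b")


def load_ransom_note(config_json):
    """Pull the note text out of the sandbox's JSON configuration blob."""
    return json.loads(config_json)["Ransom Note"]


def extract_onion_addresses(note):
    """Map each onion hostname in the note to its address version ('v2' or 'v3')."""
    found = {}
    for m in _ONION_RE.finditer(note):
        found[m.group(0).lower()] = "v3" if len(m.group(1)) == 56 else "v2"
    return found


def extract_onion_urls(note):
    """Full onion URLs, keeping the query string (the report does not say what
    the '?STAHYJUHGFV' tag identifies, so it is preserved rather than dropped)."""
    return [m.group(0).rstrip(".,)") for m in _ONION_URL_RE.finditer(note)]


def extract_victim_id(note):
    """Decode the hex rows after 'Your ID' into bytes, ignoring NUL padding."""
    marker = "Your ID"
    idx = note.find(marker)
    if idx < 0:
        return b""
    tail = note[idx + len(marker):].replace("\x00", "")
    return bytes.fromhex("".join(_HEX_BYTE_RE.findall(tail)))


def indicators(config_json):
    """One-call summary suitable for an IOC list."""
    note = load_ransom_note(config_json)
    return {
        "onion_hosts": extract_onion_addresses(note),
        "onion_urls": extract_onion_urls(note),
        "victim_id_hex": extract_victim_id(note).hex(),
    }


if __name__ == "__main__":
    for key, value in indicators(CONFIG_JSON).items():
        print(f"{key}: {value}")
```

Run against the full note from the report, extract_victim_id returns 256 bytes; the hostname map is what goes into blocklists and threat-intel sharing, while the full URLs with their query tag are worth keeping separately for clustering samples from the same campaign.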
Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_Globeimposter | Yara detected Globeimposter Ransomware | Joe Security | |
 | JoeSecurity_Globeimposter | Yara detected Globeimposter Ransomware | Joe Security | |
 | JoeSecurity_Globeimposter | Yara detected Globeimposter Ransomware | Joe Security | |
 | JoeSecurity_Globeimposter | Yara detected Globeimposter Ransomware | Joe Security | |
 | JoeSecurity_Globeimposter | Yara detected Globeimposter Ransomware | Joe Security | |