Malspam activity was noted on July 26, 2017 delivering GlobeImposter ransomware. This threat advisory sheds some light on the activity from the perspective of NetWitness Packets and NetWitness Endpoint.
Upon running the embedded VBA code, traffic was observed to a delivery domain to download an obfuscated payload:
This network behavior was shared among multiple infected machines:
The download sessions were tagged with the following meta values in NetWitness Packets:
The downloaded payload is de-obfuscated and saved to the user's %Temp% directory as hurds8.exe:
The binary starts by copying itself to a new directory and by modifying the registry to gain persistence on the system:
It also drops and runs a batch script in the %TEMP% directory with typical instructions for ransomware:
The screenshot below shows part of the tracking history of an infected machine:
The following screenshot shows the module IIOCs for hurds8.exe as well as its tracking information:
Notice in the tracking data how the ransomware uses the .707 extension to rename the newly encrypted files. This GlobeImposter variant drops the following ransom note:
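As an added illustration (not part of the original advisory and not NetWitness Endpoint's own logic), the following Python scores the three host behaviours described above over a constructed set of tracking-style events: a Run-key registry write, a batch file dropped in %TEMP%, and a burst of renames to the .707 extension. The event field names, the registry key path and the file names in the sample data are assumptions for the example.

```python
import re
from collections import defaultdict

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TEMP_BAT = re.compile(r"\\Temp\\[^\\]+\.(bat|cmd)$", re.IGNORECASE)
ENCRYPTED_EXT = ".707"  # extension the advisory observed on newly encrypted files

# Constructed sample tracking events; the schema is an assumption, not NetWitness Endpoint's.
EVENTS = [
    {"proc": "hurds8.exe", "action": "write_file", "path": r"C:\Users\u\AppData\Local\Temp\hurds8.exe"},
    {"proc": "hurds8.exe", "action": "registry_set", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hurds8"},
    {"proc": "hurds8.exe", "action": "write_file", "path": r"C:\Users\u\AppData\Local\Temp\run.bat"},
    {"proc": "hurds8.exe", "action": "rename_file", "path": r"C:\Users\u\Documents\budget.xlsx", "dst": r"C:\Users\u\Documents\budget.xlsx.707"},
    {"proc": "hurds8.exe", "action": "rename_file", "path": r"C:\Users\u\Documents\notes.docx", "dst": r"C:\Users\u\Documents\notes.docx.707"},
    {"proc": "hurds8.exe", "action": "rename_file", "path": r"C:\Users\u\Pictures\cat.jpg", "dst": r"C:\Users\u\Pictures\cat.jpg.707"},
    {"proc": "explorer.exe", "action": "rename_file", "path": r"C:\Users\u\Desktop\a.txt", "dst": r"C:\Users\u\Desktop\b.txt"},
    {"proc": "setup.exe", "action": "registry_set", "path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]

def score_processes(events, rename_threshold=3):
    """Return {process: set of matched behaviour names}."""
    renames = defaultdict(int)
    hits = defaultdict(set)
    for e in events:
        p, a, path = e["proc"], e["action"], e["path"]
        if a == "registry_set" and RUN_KEY.search(path):
            hits[p].add("run_key_persistence")
        elif a == "write_file" and TEMP_BAT.search(path):
            hits[p].add("temp_batch_drop")
        elif a == "rename_file" and e.get("dst", "").lower().endswith(ENCRYPTED_EXT):
            renames[p] += 1
            if renames[p] >= rename_threshold:  # one rename is noise; a burst is not
                hits[p].add("mass_rename_707")
    return dict(hits)

def flagged(events, min_behaviours=2):
    """Processes showing at least min_behaviours; a lone Run-key write is common for installers."""
    return sorted(p for p, h in score_processes(events).items() if len(h) >= min_behaviours)

if __name__ == "__main__":
    print(score_processes(EVENTS))
    print(flagged(EVENTS))
```

Requiring two or more behaviours keeps a legitimate installer that only writes a Run key (setup.exe in the sample) out of the alert.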
GlobeImposter delivery documents (SHA256):
GlobeImposter ransomware variant (SHA256):