Globeimposter Ransomware Delivered via Necurs Botnet

VTI Information

VTI Score 100 / 100
VTI Database Version	2.6
VTI Rule Match Count	40
VTI Rule Type	Scripts

Detected Threats

	File System
	Modify content of user files
	Modify the content of multiple user files. This is an indicator for an encryption attempt.
	Rename user files
	Rename multiple user files. This is an indicator for an encryption attempt.
	Create many files
	Create above average number of files.
	Handle with malicious files
	File "c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe" is a known malicious file.
	Injection
	Modify control flow of a process running from a created or modified executable
	"c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe" alters context of "c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe"
	"c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe" alters context of "c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe"
	Masquerade
	Change folder appearance
	Folder "c:\users" has a changed appearance.
	Folder "c:\users\public" has a changed appearance.
	Folder "c:\users\public\videos" has a changed appearance.
	Folder "c:\users\public\pictures" has a changed appearance.
	Folder "c:\users\public\music" has a changed appearance.
	Folder "c:\users\public\libraries" has a changed appearance.
	Folder "c:\users\public\downloads" has a changed appearance.
	Folder "c:\users\public\documents" has a changed appearance.
	Folder "c:\users\public\desktop" has a changed appearance.
	Folder "c:\users\public\accountpictures" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\videos" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\searches" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\saved games" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\pictures" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\pictures\saved pictures" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\pictures\camera roll" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\onedrive" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\music" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\links" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\favorites" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\favorites\links" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\downloads" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\documents" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\documents\my shapes" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\desktop" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\contacts" has a changed appearance.
	Folder "c:\program files (x86)" has a changed appearance.
	Network
	Download data
	URL "http://rorymartin8.info/hudgy356?".
	Connect to HTTP server
	URL "http://rorymartin8.info/hudgy356?".
	PE
	Execute dropped PE file
	Execute dropped file "c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe".
	Drop PE file
	Drop file "c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe".
	Drop file "c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll".
	Persistence
	Install system startup script or application
	Add "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe" to windows startup via registry.
	Process
	Read from memory of another process
	"c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe" reads from "C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe".
	"c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe" reads from "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe".
-	Anti Analysis
-	Browser
-	Device
-	OS
-	Hide Tracks
-	Information Stealing
-	Kernel
-	User
-	VBA Macro
-	YARA