Globeimposter Ransomware Delivered via Necurs Botnet

VTI Information

VTI Score 100 / 100
VTI Database Version	2.6
VTI Rule Match Count	40
VTI Rule Type	Scripts

Detected Threats

	File System	Modify content of user files
	Modify the content of multiple user files. This is an indicator for an encryption attempt.
	File System	Rename user files
	Rename multiple user files. This is an indicator for an encryption attempt.
	File System	Create many files
	Create above average number of files.
	Injection	Modify control flow of a process running from a created or modified executable
	"c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe" alters context of "c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe"
	"c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe" alters context of "c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe"
	Process	Read from memory of another process
	"c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe" reads from "C:\Users\CIIHMN~1\AppData\Local\Temp\vwOrbzLbc.exe".
	"c:\users\ciihmnxmn6ps\appdata\roaming\vworbzlbc.exe" reads from "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe".
	Persistence	Install system startup script or application
	Add "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vwOrbzLbc.exe" to windows startup via registry.
	File System	Handle with malicious files
	File "c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe" is a known malicious file.
	PE	Execute dropped PE file
	Execute dropped file "c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe".
	Masquerade	Change folder appearance
	Folder "c:\users" has a changed appearance.
	Folder "c:\users\public" has a changed appearance.
	Folder "c:\users\public\videos" has a changed appearance.
	Folder "c:\users\public\pictures" has a changed appearance.
	Folder "c:\users\public\music" has a changed appearance.
	Folder "c:\users\public\libraries" has a changed appearance.
	Folder "c:\users\public\downloads" has a changed appearance.
	Folder "c:\users\public\documents" has a changed appearance.
	Folder "c:\users\public\desktop" has a changed appearance.
	Folder "c:\users\public\accountpictures" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\videos" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\searches" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\saved games" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\pictures" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\pictures\saved pictures" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\pictures\camera roll" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\onedrive" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\music" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\links" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\favorites" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\favorites\links" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\downloads" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\documents" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\documents\my shapes" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\desktop" has a changed appearance.
	Folder "c:\users\ciihmnxmn6ps\contacts" has a changed appearance.
	Folder "c:\program files (x86)" has a changed appearance.
	Network	Download data
	URL "http://rorymartin8.info/hudgy356?".
	Network	Connect to HTTP server
	URL "http://rorymartin8.info/hudgy356?".
	PE	Drop PE file
	Drop file "c:\users\ciihmn~1\appdata\local\temp\vworbzlbc.exe".
	Drop file "c:\users\ciihmn~1\appdata\local\temp\nsma14e.tmp\system.dll".