Overview

overview

10

Static

static

56b483bc7b...9c.exe

windows7_x64

10

56b483bc7b...9c.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    65s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    21/06/2020, 03:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe

  • Size

    206KB

  • MD5

    7df850b43f3f28a67b8160c4265bc726

  • SHA1

    522377eced5e1694d36e45da75037d87e84b3729

  • SHA256

    56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c

  • SHA512

    c6bb2271a794da8a7b5ac6f7e634f1d4173dbaa54fbc778dd29651fc99a5096b974f3bdd0c28775392760f8253bdb55ff7303a33915525ccd0d6a4f52d526225

Score
10/10
ransomware

Malware Config

Extracted

Path

\??\c:\GOMER-README.txt

Ransom Note
! ATTENTION ! -------------------------------------------------------------------------------------------- ! STRICTLY FORBIDDEN TO USE THIRD-PARTY DECRYPTION SOFTWARE - FILES WILL BE LOST ! -------------------------------------------------------------------------------------------- Due vulnerability in your system all files have been protected with strong private key to safe them from unathorized access. To RESTORE your files, follow this instructions: 1. Gomer service charges a payment for file decryption tool 2. Contact us with attached Gomer-readme.txt 3. Receive Gomer file decryption tool 4. Run the tool and successfully RESTORE all your files! We guarantee: 100% Successful restoring all of your files 100% Satisfaction guarantee 100% Fast and secure service As a proof of our trusted service, you can send us 1 file and get it decrypted for free! -------------------------------------------------------------------------------------------- ! ONLY ORIGINAL GOMER DECRYPTION TOOL CAN RESTORE YOUR FILES ! -------------------------------------------------------------------------------------------- Contacts: [email protected] Payments accepted: Bitcoin (BTC) ID KEY: Mv3RUPxA6TZHn7KyHUB8KVFt9yRJC2oYK6eaHoaoBgjNxWSLejVonVc53ILwv32V R6kWKpBdEL02Mt2tKQJjYayelxo92qSkqMTyvI+VdBYcmHY9ZeugaKaYy3VDJUNf z1P7VISk75+l/XTTIMXiWKX0TR25ZRx5T5hb3L2duzc= ~ GOMER ~ 8fXme2nyNr0CHdqGO3R4EQ==

Signatures

  • Runs ping.exe 1 TTPs 1 IoCs
  • Drops file in Program Files directory 17119 IoCs
  • Modifies data under HKEY_USERS 91 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Drops desktop.ini file(s) 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
    "C:\Users\Admin\AppData\Local\Temp\56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Drops desktop.ini file(s)
    PID:1516
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C rd /q /s "%systemdrive%\$Recycle.bin"
      2⤵
        PID:2576
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 1 -w 3000
          3⤵
          • Runs ping.exe
          PID:2208
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
      1⤵
      • Modifies data under HKEY_USERS
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      PID:584
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1124

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1516-15-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-18-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-2-0x0000000003E90000-0x0000000003E91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-3-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-4-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-5-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-6-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-7-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-8-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-9-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-10-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-11-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-12-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-13-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-14-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-16-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-1-0x0000000003690000-0x0000000003691000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-17-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-34-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-20-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-21-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-22-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-24-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-26-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-27-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-28-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-29-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-30-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-32-0x0000000004190000-0x0000000004191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-33-0x0000000003990000-0x0000000003991000-memory.dmp

      Filesize

      4KB

      Download