Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2022 14:58
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe
Resource
win10v2004-20220901-en
General
-
Target
HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe
-
Size
275KB
-
MD5
23fa40a66b8c641f8324c2b659c341be
-
SHA1
8eeea57eb2af7bb571f023b29d59202e97eaab59
-
SHA256
4c9b1b4db3fd9b0cd9b7163cdbee3c321cd2046516f65443345d34eeaba05b05
-
SHA512
ad47eb6357936125ebb8d10a1dea5c42357178fc0e7243adf50a4a9677fb78ca49912fae43d0a0f86cdc0c1215a43dd60f194f7ebcd5cea9ad438d8f5f8eea58
-
SSDEEP
3072:UYH88y9uczJx44Dolo4fFSpTjP17qWyW3zbx2vyE7S1M2Q:Ply9uczJxRDolZgV1dnbkORQ
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
server.exepid process 3768 server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
server.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2806cdb1ef67986308064d5873a67ad7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2806cdb1ef67986308064d5873a67ad7 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
server.exedescription pid process Token: SeDebugPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe Token: 33 3768 server.exe Token: SeIncBasePriorityPrivilege 3768 server.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exeserver.exedescription pid process target process PID 4340 wrote to memory of 3768 4340 HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe server.exe PID 4340 wrote to memory of 3768 4340 HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe server.exe PID 3768 wrote to memory of 1932 3768 server.exe netsh.exe PID 3768 wrote to memory of 1932 3768 server.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Gorgon.gen-4c9b1b4db3fd9b0cd.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
275KB
MD523fa40a66b8c641f8324c2b659c341be
SHA18eeea57eb2af7bb571f023b29d59202e97eaab59
SHA2564c9b1b4db3fd9b0cd9b7163cdbee3c321cd2046516f65443345d34eeaba05b05
SHA512ad47eb6357936125ebb8d10a1dea5c42357178fc0e7243adf50a4a9677fb78ca49912fae43d0a0f86cdc0c1215a43dd60f194f7ebcd5cea9ad438d8f5f8eea58
-
C:\Users\Admin\AppData\Local\Temp\server.exeFilesize
275KB
MD523fa40a66b8c641f8324c2b659c341be
SHA18eeea57eb2af7bb571f023b29d59202e97eaab59
SHA2564c9b1b4db3fd9b0cd9b7163cdbee3c321cd2046516f65443345d34eeaba05b05
SHA512ad47eb6357936125ebb8d10a1dea5c42357178fc0e7243adf50a4a9677fb78ca49912fae43d0a0f86cdc0c1215a43dd60f194f7ebcd5cea9ad438d8f5f8eea58
-
memory/1932-139-0x0000000000000000-mapping.dmp
-
memory/3768-134-0x0000000000000000-mapping.dmp
-
memory/3768-138-0x00007FF948800000-0x00007FF9492C1000-memory.dmpFilesize
10.8MB
-
memory/3768-140-0x00007FF948800000-0x00007FF9492C1000-memory.dmpFilesize
10.8MB
-
memory/4340-132-0x0000000000B10000-0x0000000000B52000-memory.dmpFilesize
264KB
-
memory/4340-133-0x00007FF948800000-0x00007FF9492C1000-memory.dmpFilesize
10.8MB
-
memory/4340-137-0x00007FF948800000-0x00007FF9492C1000-memory.dmpFilesize
10.8MB