c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 18:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe
Size

287KB
MD5

aa51e5cc726fe1f679def8d69913c8ae
SHA1

98d1d15f67349b20497a6c93adc86c724cebfc61
SHA256

c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898
SHA512

2bbd03f2d969dbf131e8d84040fa7f6bec9cb233ccb8224df66c86b204eacad960f79ef879985429fe05d4606bac326b777d6799aedb05c8954f911ca0cf6d89
SSDEEP

6144:yZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876saRj9COsxURPmH1q79VyVYe:0XmwRo+mv8QD4+0N46lnCOse5mH1q79u

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
10	3508	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
4036	crypt.exe
2424	crypt.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe

Loads dropped DLL 1 IoCs

pid	Process
4036	crypt.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	104.156.253.167

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gorn = "C:\\Program Files (x86)\\Gorn\\Gorn\\crypt.exe"	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4036 set thread context of 2424	4036	crypt.exe	86

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\2.txt	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\1.txt	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\crypt.exe	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\Uninstall.exe	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe
File created	C:\Program Files (x86)\Gorn\Gorn\Uninstall.ini	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x0001000000022e03-138.dat	nsis_installer_1
behavioral2/files/0x0001000000022e03-138.dat	nsis_installer_2
behavioral2/files/0x0001000000022e03-139.dat	nsis_installer_1
behavioral2/files/0x0001000000022e03-139.dat	nsis_installer_2
behavioral2/files/0x0001000000022e03-146.dat	nsis_installer_1
behavioral2/files/0x0001000000022e03-146.dat	nsis_installer_2

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 2464	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	76
PID 3144 wrote to memory of 2464	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	76
PID 3144 wrote to memory of 2464	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	76
PID 3144 wrote to memory of 3508	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	80
PID 3144 wrote to memory of 3508	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	80
PID 3144 wrote to memory of 3508	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	80
PID 3144 wrote to memory of 4036	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	81
PID 3144 wrote to memory of 4036	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	81
PID 3144 wrote to memory of 4036	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	81
PID 3144 wrote to memory of 2328	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	82
PID 3144 wrote to memory of 2328	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	82
PID 3144 wrote to memory of 2328	3144	c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe	82
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86
PID 4036 wrote to memory of 2424	4036	crypt.exe	86

C:\Users\Admin\AppData\Local\Temp\c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe
"C:\Users\Admin\AppData\Local\Temp\c0c6f85809a7c9d622f1e8dea83c4286056f60e6cb593ff3e8883ffb7ca90898.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:2464
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:3508
- C:\Program Files (x86)\Gorn\Gorn\crypt.exe
  "C:\Program Files (x86)\Gorn\Gorn\crypt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Program Files (x86)\Gorn\Gorn\crypt.exe
    "C:\Program Files (x86)\Gorn\Gorn\crypt.exe"
    3⤵
    - Executes dropped EXE
    PID:2424
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs"
  2⤵
  PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gorn\Gorn\1.txt

Filesize
15B

MD5
ebdd316e38c04b92f7b058a2baf1705d

SHA1
d97a66d9503a15341b102959667b9541cf5a5912

SHA256
1282a4ac215edeed04d3fd8b04fb5f78aaa69344b7f30687c062b2ac8515a1d0

SHA512
fb1fc4fca7ded425b46401ed404ad169202ddad254a1ad37c4612c51b2f1433c51c8bdfef13ae38cecef91db004008bcf34e5222e607ba718d81070321c28d87

Download Submit
C:\Program Files (x86)\Gorn\Gorn\2.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Gorn\Gorn\crypt.exe

Filesize
66KB

MD5
18f944a664eaa45ccfa4edbd8a4f4330

SHA1
076132ef433473a6247b2ecbe12552859e0f43ed

SHA256
0ec4422d687f49f2e534ef8b133826da987b81b8a32ab398474dc3891b0decf9

SHA512
6c87f298592e73a1c9d21982cbbd2825ddb1148f3ded44fd987122d8202e38e39438158c957d7755634bda160ff6ddc83bea710ee467e479da59c466f01bd1fb

Download Submit
C:\Program Files (x86)\Gorn\Gorn\crypt.exe

Filesize
66KB

MD5
18f944a664eaa45ccfa4edbd8a4f4330

SHA1
076132ef433473a6247b2ecbe12552859e0f43ed

SHA256
0ec4422d687f49f2e534ef8b133826da987b81b8a32ab398474dc3891b0decf9

SHA512
6c87f298592e73a1c9d21982cbbd2825ddb1148f3ded44fd987122d8202e38e39438158c957d7755634bda160ff6ddc83bea710ee467e479da59c466f01bd1fb

Download Submit
C:\Program Files (x86)\Gorn\Gorn\crypt.exe

Filesize
66KB

MD5
18f944a664eaa45ccfa4edbd8a4f4330

SHA1
076132ef433473a6247b2ecbe12552859e0f43ed

SHA256
0ec4422d687f49f2e534ef8b133826da987b81b8a32ab398474dc3891b0decf9

SHA512
6c87f298592e73a1c9d21982cbbd2825ddb1148f3ded44fd987122d8202e38e39438158c957d7755634bda160ff6ddc83bea710ee467e479da59c466f01bd1fb

Download Submit
C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs

Filesize
820B

MD5
9856fd0106952ac90e9a46603b4c2e99

SHA1
1e68c7d66a59742467cd1c05c9a3fb96d5edbd84

SHA256
8135a2cd678cab2ff0f39c92a0020014526e1b731043f882eeeb9284a447a074

SHA512
a314ec7dcdc39178fe755fd5c816c1a44507b58e4f8f26ac33090f8670ae5b5bf0d771272f43c6f08f60e0af3cba0b7c90ca5ef9fdaa45de81709af574aadd39

Download Submit
C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs

Filesize
292B

MD5
7f8f3324d82ef7e9b0902510bb5f499a

SHA1
8d40d7b7008704b3d0d54e3c4295a0242f1c873f

SHA256
73815e09eb964909dda4064a7afb7aa29f32eabcb5151d192ef13a3b3a6ce786

SHA512
c3180b10cc9f40c6c57b03b5f240438f76d91b4f74a7f375f5abcb0ed33963d2af1e3d54b5e736ff13a65ffa1d658a2433d9b9f07bacc92563d59809f849a804

Download Submit
C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat

Filesize
1KB

MD5
1778db2e3e3c2e41412a2cf8539450dd

SHA1
cff8fbd5fa40d7d6e14d835af380f013f464e3fa

SHA256
d091a029e4eaf28c9dbfb8b1f872ed57220cfe5012d19480719864e8801b0be3

SHA512
8000409ac1a33b280f86f2020c13c2b20b7624777645af7282df6575ba38cd1ccc31c8bc4a2faed3101d6691affe3fa3b8555a179f2508e8e67c551b8773b7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuC663.tmp\foretellers.dll

Filesize
15KB

MD5
fac28d6c0c9b08d4fab2dc53aee7ef26

SHA1
c834b5926e7367cf60b74967748a66b3f9dea9eb

SHA256
ba91096f2bf797674df8d04dc1ec79a497547b52a93f7e783293c70db6206a84

SHA512
41c1f0eb2a8774db3eef1a7efe8a4dadd82f7e0044f34a2736d5fd602158609ceec151444286398f284757447b1c07053f81b106a9ea178fc62ec9dd78a00b23

Download Submit
memory/2424-145-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2424-148-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2424-149-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download