Overview

overview

8

Static

static

.exe

windows7-x64

8

.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2022 08:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    .exe

  • Size

    325KB

  • MD5

    632815f4f93a1e88dd062c0a75b2ebda

  • SHA1

    1aae28c24d933827985786bb79074a673eb77546

  • SHA256

    002afb2d4477706349ddac2f2f75437d83ab530fff16502482b20cf70ab5fc01

  • SHA512

    a6bb05a6f1284a05fdad1437656aeadafadc2c0cd30ccdb5eff88f133542eb129234f88d40cf476c6fe040868c4e32db217980d36329d0c4b1e4a8b5fdd9674e

  • SSDEEP

    6144:yZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876safCSQSCyd0oGOUdFPI4l5XdhSJ0:0XmwRo+mv8QD4+0N46lf1wyd0SUrvHzL

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 8 IoCs
    installer
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\.exe
    "C:\Users\Admin\AppData\Local\Temp\.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat" "
      2⤵
      • Drops file in Drivers directory
      PID:1680
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs"
      2⤵
      • Blocklisted process makes network request
      PID:1204
    • C:\Program Files (x86)\Gorn\Gorn\crypt.exe
      "C:\Program Files (x86)\Gorn\Gorn\crypt.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Program Files (x86)\Gorn\Gorn\crypt.exe
        "C:\Program Files (x86)\Gorn\Gorn\crypt.exe"
        3⤵
        • Executes dropped EXE
        PID:1384
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs"
      2⤵
        PID:456

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Gorn\Gorn\1.txt
      Filesize

      16B

      MD5

      3a26a67ff49cfa2b84e33228fdff96e2

      SHA1

      1f8920d5876bb24722239fccc326ab615eb8a9f6

      SHA256

      4a024516bd3c52b19f238e652858c41e30ac917033a4ed6a09bc844870801ad9

      SHA512

      b7010dd1d96b82103856f7658025fd565970e1c162ba7396eb1a7455db377e29544943ef13c6cb6b057d1b29f02d2d88e4919216f5df2e0e3ac96b02f5f96763

      Download Submit
    • C:\Program Files (x86)\Gorn\Gorn\2.txt
      Filesize

      27B

      MD5

      213c0742081a9007c9093a01760f9f8c

      SHA1

      df53bb518c732df777b5ce19fc7c02dcb2f9d81b

      SHA256

      9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

      SHA512

      55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

      Download Submit
    • C:\Program Files (x86)\Gorn\Gorn\crypt.exe
      Filesize

      96KB

      MD5

      3a8325ed380fc84c9904dbb69648f027

      SHA1

      cdfad9f6c4da4e18cf4642914bf9a240b24e201c

      SHA256

      2202a050f5ed24bc79b12258b13628e18f452607e2d6e36ef5d29af3d263d2cc

      SHA512

      3feb1573968842819a931164bf08b313cc9ae58044cd0321cd7c8302d6c6ff52b59e6d7f38997d35fadbd31e73531716237e56633cef08fc87ed810771665a5b

      Download Submit
    • C:\Program Files (x86)\Gorn\Gorn\crypt.exe
      Filesize

      96KB

      MD5

      3a8325ed380fc84c9904dbb69648f027

      SHA1

      cdfad9f6c4da4e18cf4642914bf9a240b24e201c

      SHA256

      2202a050f5ed24bc79b12258b13628e18f452607e2d6e36ef5d29af3d263d2cc

      SHA512

      3feb1573968842819a931164bf08b313cc9ae58044cd0321cd7c8302d6c6ff52b59e6d7f38997d35fadbd31e73531716237e56633cef08fc87ed810771665a5b

      Download Submit
    • C:\Program Files (x86)\Gorn\Gorn\crypt.exe
      Filesize

      96KB

      MD5

      3a8325ed380fc84c9904dbb69648f027

      SHA1

      cdfad9f6c4da4e18cf4642914bf9a240b24e201c

      SHA256

      2202a050f5ed24bc79b12258b13628e18f452607e2d6e36ef5d29af3d263d2cc

      SHA512

      3feb1573968842819a931164bf08b313cc9ae58044cd0321cd7c8302d6c6ff52b59e6d7f38997d35fadbd31e73531716237e56633cef08fc87ed810771665a5b

      Download Submit
    • C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs
      Filesize

      820B

      MD5

      a6a354ab320e9f261634544ac79c1303

      SHA1

      a596fff074a1f4e3500de8bd13431f59b7affa26

      SHA256

      bba00f7a29d69e07a511a0c22900a49474277f2f60e888652c22edf05d058adb

      SHA512

      a0a1f2d487fa1421310c5696e477421c0394eae226bb3926d6f67961c2fe67893f324bb2f658f31473d9c98357c37c740e480cd4f7b1a28f60f66a190dda6c3f

      Download Submit
    • C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs
      Filesize

      304B

      MD5

      d1661e92f33f991c9b39cbdd87e09eb2

      SHA1

      69a8be30c87670883071bc0433a14b5684cd4eb9

      SHA256

      32d63fcbfe75b5fd2ef99c8ef81e5c1192659c51632fdc31042b9e70ff837d34

      SHA512

      57e7ca904741ea3b9f14695ae94d8f7a6561c36f5da486bb390bed3c177d7dd8165927ab4d8c7b89ffc4bd8af8fbb2b4aeb3cac35be91543ffe63fb64ef2dc25

      Download Submit
    • C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat
      Filesize

      1KB

      MD5

      80add2b40d0cee2e7c84dfdb9366d557

      SHA1

      d980810f0cacfc964e6c09df5c5fe981f0c68c88

      SHA256

      81a6609fb691be373f24e7b6dd416436cfe311daff37f69d0ee2320dfe3d3593

      SHA512

      34402823b51f17d0a414b86f9201b860e38197dd1d4f660382891d321ad67f283b600722e29d0c81b3a9c2a30931d1be1da184647475bef2a35c1ab7b02b2b15

      Download Submit
    • \Program Files (x86)\Gorn\Gorn\crypt.exe
      Filesize

      96KB

      MD5

      3a8325ed380fc84c9904dbb69648f027

      SHA1

      cdfad9f6c4da4e18cf4642914bf9a240b24e201c

      SHA256

      2202a050f5ed24bc79b12258b13628e18f452607e2d6e36ef5d29af3d263d2cc

      SHA512

      3feb1573968842819a931164bf08b313cc9ae58044cd0321cd7c8302d6c6ff52b59e6d7f38997d35fadbd31e73531716237e56633cef08fc87ed810771665a5b

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsj20CC.tmp\setters.dll
      Filesize

      64KB

      MD5

      a32646c77d7c86b39b509ad76e1f3964

      SHA1

      143a1a49259c933fe6c2d1644b87729637db6ea1

      SHA256

      e6cb15079157e3ff3eb899a51bce0331fae5c1346e8dc0836adab34001047d0d

      SHA512

      2d7e73a9719a5b5ee46a1432f25cb8436808dbbf352e7b6c25d9bef5d5fb92bfabab858571efd7a02b0e9966f275f6f037a91a48d0aa995cc13ee0fef0ff07ae

      Download Submit
    • memory/456-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1204-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1384-76-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-78-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-71-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-72-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-74-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-86-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-77-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-85-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-79-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-80-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-81-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1384-82-0x00000000004012A0-mapping.dmp
      Download
    • memory/1680-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1884-61-0x0000000000000000-mapping.dmp
      Download
    • memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
      Filesize

      8KB

      Download