e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602

Analysis

max time kernel
150s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
Size

327KB
MD5

eec5f79884c6428a2b0a1c21ef03d985
SHA1

b6de2903e1dda4a2111498bd0cfd47a42ad713fd
SHA256

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602
SHA512

a3dd23147dc17d531ca04b587286525217ec39698c519416766e9e7f162ee4c6248965470d064a2f2c727f15cf0897dd067fa5c290d64b13f3eadacb35b97611
SSDEEP

6144:yZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876saCQBMI14Aucx6qZuYw3e:0XmwRo+mv8QD4+0N46lCYD4ox6qu3e

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

10 1548 WScript.exe
16 1548 WScript.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe
Executes dropped EXE 2 IoCs

Processes:

crypt.execrypt.exe

pid process

1652 crypt.exe
1068 crypt.exe

flow	pid	process
10	1548	WScript.exe
16	1548	WScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

pid	process
1652	crypt.exe
1068	crypt.exe

Loads dropped DLL 2 IoCs

Processes:

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

pid	process
1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 107.161.146.116

description	ioc
Destination IP	107.161.146.116

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gorn = "C:\\Program Files (x86)\\Gorn\\Gorn\\crypt.exe"	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

crypt.exe

description pid process target process

PID 1652 set thread context of 1068 1652 crypt.exe crypt.exe

description	pid	process	target process
PID 1652 set thread context of 1068	1652	crypt.exe	crypt.exe

Drops file in Program Files directory 8 IoCs

Processes:

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

description	ioc	process
File created	C:\Program Files (x86)\Gorn\Gorn\Uninstall.ini	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\2.txt	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\1.txt	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\crypt.exe	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\Uninstall.exe	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.execrypt.exe

description	pid	process	target process
PID 1752 wrote to memory of 1972	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	cmd.exe
PID 1752 wrote to memory of 1972	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	cmd.exe
PID 1752 wrote to memory of 1972	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	cmd.exe
PID 1752 wrote to memory of 1972	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	cmd.exe
PID 1752 wrote to memory of 1548	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 1752 wrote to memory of 1548	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 1752 wrote to memory of 1548	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 1752 wrote to memory of 1548	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 1752 wrote to memory of 1652	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	crypt.exe
PID 1752 wrote to memory of 1652	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	crypt.exe
PID 1752 wrote to memory of 1652	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	crypt.exe
PID 1752 wrote to memory of 1652	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	crypt.exe
PID 1752 wrote to memory of 1488	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 1752 wrote to memory of 1488	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 1752 wrote to memory of 1488	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 1752 wrote to memory of 1488	1752	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe
PID 1652 wrote to memory of 1068	1652	crypt.exe	crypt.exe

C:\Users\Admin\AppData\Local\Temp\e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
"C:\Users\Admin\AppData\Local\Temp\e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat" "
2⤵
- Drops file in Drivers directory
PID:1972

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs"
2⤵
- Blocklisted process makes network request
PID:1548

C:\Program Files (x86)\Gorn\Gorn\crypt.exe
"C:\Program Files (x86)\Gorn\Gorn\crypt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652

C:\Program Files (x86)\Gorn\Gorn\crypt.exe
"C:\Program Files (x86)\Gorn\Gorn\crypt.exe"
3⤵
- Executes dropped EXE
PID:1068

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs"
2⤵
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gorn\Gorn\1.txt
Filesize
17B

MD5
81c14b0fa2b8ae66463f1ceff75af5d8

SHA1
21d1040445561ff44c3cacd95214cce1ad1fb2f1

SHA256
b70f45bebbe7f01bc43a4079005f1ea98c74ce573f8b26a6d89e66a820453c02

SHA512
90ea8d86898f703706f6111ad773a72eabd4a7f8b370a49c42f8ecf757b4de8bce27e272bbc67750a2b4f1887ced59a84e39690e133f0eea1a6b8d8a17e79f51

Download Submit
C:\Program Files (x86)\Gorn\Gorn\2.txt
Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Gorn\Gorn\crypt.exe
Filesize
108KB

MD5
91349b50e14b443e0a86292ef6d54dff

SHA1
f0e8fdb17a0ddd701428b8077a730ebafd079f7a

SHA256
f5e5d9d09fb00a01dfab46e09471ea978c16dd20fd464b3f4892cc483d3bdf81

SHA512
5483841299149f264befbad88d8fcfbb3f7b8b87b29f68746eb36c46873c7889d37634158452105af2c0cae3912798f1fce556161120925ae0679900d18c8009

Download Submit
C:\Program Files (x86)\Gorn\Gorn\crypt.exe
Filesize
108KB

MD5
91349b50e14b443e0a86292ef6d54dff

SHA1
f0e8fdb17a0ddd701428b8077a730ebafd079f7a

SHA256
f5e5d9d09fb00a01dfab46e09471ea978c16dd20fd464b3f4892cc483d3bdf81

SHA512
5483841299149f264befbad88d8fcfbb3f7b8b87b29f68746eb36c46873c7889d37634158452105af2c0cae3912798f1fce556161120925ae0679900d18c8009

Download Submit
C:\Program Files (x86)\Gorn\Gorn\crypt.exe
Filesize
108KB

MD5
91349b50e14b443e0a86292ef6d54dff

SHA1
f0e8fdb17a0ddd701428b8077a730ebafd079f7a

SHA256
f5e5d9d09fb00a01dfab46e09471ea978c16dd20fd464b3f4892cc483d3bdf81

SHA512
5483841299149f264befbad88d8fcfbb3f7b8b87b29f68746eb36c46873c7889d37634158452105af2c0cae3912798f1fce556161120925ae0679900d18c8009

Download Submit
C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs
Filesize
819B

MD5
51aba170aa19f12bb7744f19d4b70bf6

SHA1
267a1a94e146c5e344d3cdb880987209cb657775

SHA256
e7967af5ad06fbc5b8a7be17f9195bbff9aa6941ded752f424dbbecd53932614

SHA512
1b135abec7c0e59b93b9e1faeda19f6740749f7a8d1e98a22b4d445b447c3e7397ba7acb79d7e2c46cf9bd9bc3c6b8bf0c27b4b02928c78d6fb69abe315d8acd

Download Submit
C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs
Filesize
290B

MD5
87e6836baaacc33acdb40c40e696de75

SHA1
d1d70b99c87d08ef846f94ee71d2be15c4d2db68

SHA256
dcc55cab258584c0883472fd3f2367513eb8cfc628af1e528dad082524851da6

SHA512
e8a09e72a94393a647135760e1a3e0c7e48d0f8b017f2ea16b0aa8160f5fd0c59aa6b41bb70f704c564d7876ffd3264a59c42fae8552cad87d9b3e3fa0f2fb79

Download Submit
C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat
Filesize
1KB

MD5
e7451c35f11a1c10871e96aebd6769db

SHA1
e8bf30b0b1ec97bc6a35e4b99e8f59841ef45295

SHA256
106e712c3838df66b0cb4b74afda49d336d2951038551e1ca63ca2b9bf539452

SHA512
84f47cd4ceb6e61f46e5195d1d18ce8878b80c226e91b4cbef8f15c7ebf1e351d37d6cf325faab00bd9a23e4dc740eaa10c4bc40605fb16e30e8127dc9306c23

Download Submit
\Program Files (x86)\Gorn\Gorn\crypt.exe
Filesize
108KB

MD5
91349b50e14b443e0a86292ef6d54dff

SHA1
f0e8fdb17a0ddd701428b8077a730ebafd079f7a

SHA256
f5e5d9d09fb00a01dfab46e09471ea978c16dd20fd464b3f4892cc483d3bdf81

SHA512
5483841299149f264befbad88d8fcfbb3f7b8b87b29f68746eb36c46873c7889d37634158452105af2c0cae3912798f1fce556161120925ae0679900d18c8009

Download Submit
\Program Files (x86)\Gorn\Gorn\crypt.exe
Filesize
108KB

MD5
91349b50e14b443e0a86292ef6d54dff

SHA1
f0e8fdb17a0ddd701428b8077a730ebafd079f7a

SHA256
f5e5d9d09fb00a01dfab46e09471ea978c16dd20fd464b3f4892cc483d3bdf81

SHA512
5483841299149f264befbad88d8fcfbb3f7b8b87b29f68746eb36c46873c7889d37634158452105af2c0cae3912798f1fce556161120925ae0679900d18c8009

Download Submit
memory/1068-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-94-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-90-0x00000000004012A0-mapping.dmp

Download
memory/1068-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-77-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-88-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-84-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1488-64-0x0000000000000000-mapping.dmp

Download
memory/1548-59-0x0000000000000000-mapping.dmp

Download
memory/1652-93-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-62-0x0000000000000000-mapping.dmp

Download
memory/1752-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000000000000-mapping.dmp

Download