e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602

General

Target

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
Size

327KB
MD5

eec5f79884c6428a2b0a1c21ef03d985
SHA1

b6de2903e1dda4a2111498bd0cfd47a42ad713fd
SHA256

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602
SHA512

a3dd23147dc17d531ca04b587286525217ec39698c519416766e9e7f162ee4c6248965470d064a2f2c727f15cf0897dd067fa5c290d64b13f3eadacb35b97611
SSDEEP

6144:yZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876saCQBMI14Aucx6qZuYw3e:0XmwRo+mv8QD4+0N46lCYD4ox6qu3e

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exe

flow pid process

37 2172 WScript.exe
37 2172 WScript.exe
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts cmd.exe
Executes dropped EXE 2 IoCs

Processes:

crypt.execrypt.exe

pid process

1304 crypt.exe
1652 crypt.exe

flow	pid	process
37	2172	WScript.exe
37	2172	WScript.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

pid	process
1304	crypt.exe
1652	crypt.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 107.161.146.116
Destination IP 107.161.146.116
Destination IP 107.161.146.116

description	ioc
Destination IP	107.161.146.116
Destination IP	107.161.146.116
Destination IP	107.161.146.116

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Gorn = "C:\\Program Files (x86)\\Gorn\\Gorn\\crypt.exe"	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

crypt.exe

description pid process target process

PID 1304 set thread context of 1652 1304 crypt.exe crypt.exe

description	pid	process	target process
PID 1304 set thread context of 1652	1304	crypt.exe	crypt.exe

Drops file in Program Files directory 8 IoCs

Processes:

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\Uninstall.exe	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File created	C:\Program Files (x86)\Gorn\Gorn\Uninstall.ini	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\2.txt	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\1.txt	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
File opened for modification	C:\Program Files (x86)\Gorn\Gorn\crypt.exe	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.execrypt.exe

description	pid	process	target process
PID 4688 wrote to memory of 1384	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	cmd.exe
PID 4688 wrote to memory of 1384	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	cmd.exe
PID 4688 wrote to memory of 1384	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	cmd.exe
PID 4688 wrote to memory of 2172	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 4688 wrote to memory of 2172	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 4688 wrote to memory of 2172	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 4688 wrote to memory of 1304	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	crypt.exe
PID 4688 wrote to memory of 1304	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	crypt.exe
PID 4688 wrote to memory of 1304	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	crypt.exe
PID 4688 wrote to memory of 3140	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 4688 wrote to memory of 3140	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 4688 wrote to memory of 3140	4688	e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe	WScript.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe
PID 1304 wrote to memory of 1652	1304	crypt.exe	crypt.exe

C:\Users\Admin\AppData\Local\Temp\e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe
"C:\Users\Admin\AppData\Local\Temp\e01eb5702ed74312018fa8d2421e6cb8aa9eedf6e0032bd9705f3741a0886602.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat" "
  2⤵
  - Drops file in Drivers directory
  PID:1384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs"
  2⤵
  - Blocklisted process makes network request
  PID:2172
- C:\Program Files (x86)\Gorn\Gorn\crypt.exe
  "C:\Program Files (x86)\Gorn\Gorn\crypt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Program Files (x86)\Gorn\Gorn\crypt.exe
    "C:\Program Files (x86)\Gorn\Gorn\crypt.exe"
    3⤵
    - Executes dropped EXE
    PID:1652
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs"
  2⤵
  PID:3140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gorn\Gorn\1.txt

Filesize
17B

MD5
81c14b0fa2b8ae66463f1ceff75af5d8

SHA1
21d1040445561ff44c3cacd95214cce1ad1fb2f1

SHA256
b70f45bebbe7f01bc43a4079005f1ea98c74ce573f8b26a6d89e66a820453c02

SHA512
90ea8d86898f703706f6111ad773a72eabd4a7f8b370a49c42f8ecf757b4de8bce27e272bbc67750a2b4f1887ced59a84e39690e133f0eea1a6b8d8a17e79f51

Download Submit
C:\Program Files (x86)\Gorn\Gorn\2.txt

Filesize
27B

MD5
213c0742081a9007c9093a01760f9f8c

SHA1
df53bb518c732df777b5ce19fc7c02dcb2f9d81b

SHA256
9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69

SHA512
55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9

Download Submit
C:\Program Files (x86)\Gorn\Gorn\crypt.exe

Filesize
108KB

MD5
91349b50e14b443e0a86292ef6d54dff

SHA1
f0e8fdb17a0ddd701428b8077a730ebafd079f7a

SHA256
f5e5d9d09fb00a01dfab46e09471ea978c16dd20fd464b3f4892cc483d3bdf81

SHA512
5483841299149f264befbad88d8fcfbb3f7b8b87b29f68746eb36c46873c7889d37634158452105af2c0cae3912798f1fce556161120925ae0679900d18c8009

Download Submit
C:\Program Files (x86)\Gorn\Gorn\crypt.exe

Filesize
108KB

MD5
91349b50e14b443e0a86292ef6d54dff

SHA1
f0e8fdb17a0ddd701428b8077a730ebafd079f7a

SHA256
f5e5d9d09fb00a01dfab46e09471ea978c16dd20fd464b3f4892cc483d3bdf81

SHA512
5483841299149f264befbad88d8fcfbb3f7b8b87b29f68746eb36c46873c7889d37634158452105af2c0cae3912798f1fce556161120925ae0679900d18c8009

Download Submit
C:\Program Files (x86)\Gorn\Gorn\crypt.exe

Filesize
108KB

MD5
91349b50e14b443e0a86292ef6d54dff

SHA1
f0e8fdb17a0ddd701428b8077a730ebafd079f7a

SHA256
f5e5d9d09fb00a01dfab46e09471ea978c16dd20fd464b3f4892cc483d3bdf81

SHA512
5483841299149f264befbad88d8fcfbb3f7b8b87b29f68746eb36c46873c7889d37634158452105af2c0cae3912798f1fce556161120925ae0679900d18c8009

Download Submit
C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs

Filesize
819B

MD5
51aba170aa19f12bb7744f19d4b70bf6

SHA1
267a1a94e146c5e344d3cdb880987209cb657775

SHA256
e7967af5ad06fbc5b8a7be17f9195bbff9aa6941ded752f424dbbecd53932614

SHA512
1b135abec7c0e59b93b9e1faeda19f6740749f7a8d1e98a22b4d445b447c3e7397ba7acb79d7e2c46cf9bd9bc3c6b8bf0c27b4b02928c78d6fb69abe315d8acd

Download Submit
C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs

Filesize
290B

MD5
87e6836baaacc33acdb40c40e696de75

SHA1
d1d70b99c87d08ef846f94ee71d2be15c4d2db68

SHA256
dcc55cab258584c0883472fd3f2367513eb8cfc628af1e528dad082524851da6

SHA512
e8a09e72a94393a647135760e1a3e0c7e48d0f8b017f2ea16b0aa8160f5fd0c59aa6b41bb70f704c564d7876ffd3264a59c42fae8552cad87d9b3e3fa0f2fb79

Download Submit
C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat

Filesize
1KB

MD5
e7451c35f11a1c10871e96aebd6769db

SHA1
e8bf30b0b1ec97bc6a35e4b99e8f59841ef45295

SHA256
106e712c3838df66b0cb4b74afda49d336d2951038551e1ca63ca2b9bf539452

SHA512
84f47cd4ceb6e61f46e5195d1d18ce8878b80c226e91b4cbef8f15c7ebf1e351d37d6cf325faab00bd9a23e4dc740eaa10c4bc40605fb16e30e8127dc9306c23

Download Submit
memory/1304-156-0x0000000073970000-0x0000000073F21000-memory.dmp

Filesize
5.7MB

Download
memory/1304-137-0x0000000000000000-mapping.dmp

Download
memory/1304-143-0x0000000073970000-0x0000000073F21000-memory.dmp

Filesize
5.7MB

Download
memory/1384-132-0x0000000000000000-mapping.dmp

Download
memory/1652-144-0x0000000000000000-mapping.dmp

Download
memory/1652-145-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-146-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-147-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-148-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-150-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-151-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-152-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-155-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-157-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2172-136-0x0000000000000000-mapping.dmp

Download
memory/3140-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads