Analysis
max time kernel: 245s
max time network: 337s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 08:34
Static task: static1
Behavioral task: behavioral1
  Sample: 0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe
  Resource: win10v2004-20220812-en
General
Target: 0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe
Size: 305KB
MD5: ed5240ff636e3ace774d45e99f7582f6
SHA1: 69dd8c6212f38ae2a945437bfcfcd4765ed5e9c5
SHA256: 0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515
SHA512: 1ab8540ae1b8b49bda0bfc5af1480798a5bd7d8f2e2900b7db26c8e255397147ac5eeeafe64b102600e19125cd3bd297595d477bceaa7e1cf39369aa742d935f
SSDEEP: 6144:yZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876saWhHzz0ZaZVNIU6dDCo:0XmwRo+mv8QD4+0N46l8HvNZb6dDCo
Malware Config
Signatures
-
Blocklisted process makes network request (2 IoCs)
  process      flow  pid
  WScript.exe  13    2000
  WScript.exe  18    2000
-
Drops file in Drivers directory (1 IoC)
  process  description                   ioc
  cmd.exe  File opened for modification  C:\Windows\System32\drivers\etc\hosts
-
Executes dropped EXE (2 IoCs)
  process    pid
  crypt.exe  804
  crypt.exe  1276
-
Loads dropped DLL (2 IoCs)
  process                                                               pid
  0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe  1884
  crypt.exe                                                             804
-
Unexpected DNS network traffic destination (1 IoC)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  ioc: Destination IP 108.61.170.207
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  process: 0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Gorn = "C:\\Program Files (x86)\\Gorn\\Gorn\\crypt.exe"
-
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext (1 IoC)
  process    pid  description                 target process
  crypt.exe  804  set thread context of 1276  crypt.exe
-
Drops file in Program Files directory (8 IoCs)
  process: 0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe
  File opened for modification  C:\Program Files (x86)\Gorn\Gorn\crypt.exe
  File opened for modification  C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs
  File opened for modification  C:\Program Files (x86)\Gorn\Gorn\Uninstall.exe
  File created                  C:\Program Files (x86)\Gorn\Gorn\Uninstall.ini
  File opened for modification  C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs
  File opened for modification  C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat
  File opened for modification  C:\Program Files (x86)\Gorn\Gorn\2.txt
  File opened for modification  C:\Program Files (x86)\Gorn\Gorn\1.txt
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer (8 IoCs)
  resource                                    yara_rule
  \Program Files (x86)\Gorn\Gorn\crypt.exe    nsis_installer_1
  \Program Files (x86)\Gorn\Gorn\crypt.exe    nsis_installer_2
  C:\Program Files (x86)\Gorn\Gorn\crypt.exe  nsis_installer_1
  C:\Program Files (x86)\Gorn\Gorn\crypt.exe  nsis_installer_2
  C:\Program Files (x86)\Gorn\Gorn\crypt.exe  nsis_installer_1
  C:\Program Files (x86)\Gorn\Gorn\crypt.exe  nsis_installer_2
  C:\Program Files (x86)\Gorn\Gorn\crypt.exe  nsis_installer_1
  C:\Program Files (x86)\Gorn\Gorn\crypt.exe  nsis_installer_2
-
Suspicious use of WriteProcessMemory (29 IoCs)
  source pid  source process                                                        target pid  target process  writes
  1884        0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe  1468        cmd.exe         4
  1884        0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe  2000        WScript.exe     4
  1884        0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe  804         crypt.exe       4
  1884        0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe  1976        WScript.exe     4
  804         crypt.exe                                                             1276        crypt.exe       13
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  -
  [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat" "
    - Drops file in Drivers directory
  -
  [depth 2] C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs"
    - Blocklisted process makes network request
  -
  [depth 2] C:\Program Files (x86)\Gorn\Gorn\crypt.exe
    command line: "C:\Program Files (x86)\Gorn\Gorn\crypt.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    -
    [depth 3] C:\Program Files (x86)\Gorn\Gorn\crypt.exe
      command line: "C:\Program Files (x86)\Gorn\Gorn\crypt.exe"
      - Executes dropped EXE
  -
  [depth 2] C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Gorn\Gorn\1.txt
  Filesize: 16B
  MD5: 3a26a67ff49cfa2b84e33228fdff96e2
  SHA1: 1f8920d5876bb24722239fccc326ab615eb8a9f6
  SHA256: 4a024516bd3c52b19f238e652858c41e30ac917033a4ed6a09bc844870801ad9
  SHA512: b7010dd1d96b82103856f7658025fd565970e1c162ba7396eb1a7455db377e29544943ef13c6cb6b057d1b29f02d2d88e4919216f5df2e0e3ac96b02f5f96763
-
C:\Program Files (x86)\Gorn\Gorn\2.txt
  Filesize: 27B
  MD5: 213c0742081a9007c9093a01760f9f8c
  SHA1: df53bb518c732df777b5ce19fc7c02dcb2f9d81b
  SHA256: 9681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
  SHA512: 55182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9
-
C:\Program Files (x86)\Gorn\Gorn\crypt.exe
  Filesize: 77KB
  MD5: 6098f2c7830161e01b3154c23bb65874
  SHA1: 64b4772d08e36dbf5aa985f7791685956d2c62bb
  SHA256: ed8ae284c66abd7ea44e87df4cf858f513b5c91d7ff10ff9545f7a6fae1a5515
  SHA512: 773c09b842b202670cfca7043b103d2c175a0af093f258575a12fd74b533095ce24efa631c1a5286ecc60701047e35fb5a131ac18ec7e1053e5f6d449464c441
-
C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs
  Filesize: 812B
  MD5: f63d57c09b42f8f26cd0353a4b0fdea9
  SHA1: 39e3db748741a6fc3083f585dfabc6336aa11a23
  SHA256: c7e2773da0a4d5a00f0ea73c2a3e8e0582d13dde3ca7807bce0d65cc3a8b89d0
  SHA512: 510a501a4a9b4d291a1a55fd5ef599f6e2928fef1d278007922d35bf95b20486d755e7e55c4718db3896fca256da1dfdac0f9d4b68e09b98b30c969383b376ca
-
C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs
  Filesize: 289B
  MD5: b4028478876dbca54cd8fff7ad49a22e
  SHA1: 9c2f9edc3d2a185d6f0d51eb37471474d1c169bb
  SHA256: 8f8b51a63c6a52483ef03e22fc7a5401cfe35bdadbaee441010b8fb2ce152a69
  SHA512: a5133b94d7c9fed3c22fa8359a1e6354a2349bf4a9a1caf7565fc052f7918c085b05e1bff3dfaab0828799040a41de313a202229769f5499085e554c886c5de9
-
C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat
  Filesize: 1KB
  MD5: f3b6175d286d3f19fd08a5270f48668c
  SHA1: c011d54416218259bdfebd34ac7643fb97e75ddc
  SHA256: db2c70987ad1b82e2dce59c60b53ff7e08b7b8729b9e463866eb18b6e431b68f
  SHA512: 2ae8d45a24c0054b0bd0a66b3105830dc5b06ac4882b780682007e704895f3e6c00ca57e89054c76c38981cf59eaa078c457938f6d681088a6d13be6c9302d4e
-
\Program Files (x86)\Gorn\Gorn\crypt.exe
  Filesize: 77KB
  MD5: 6098f2c7830161e01b3154c23bb65874
  SHA1: 64b4772d08e36dbf5aa985f7791685956d2c62bb
  SHA256: ed8ae284c66abd7ea44e87df4cf858f513b5c91d7ff10ff9545f7a6fae1a5515
  SHA512: 773c09b842b202670cfca7043b103d2c175a0af093f258575a12fd74b533095ce24efa631c1a5286ecc60701047e35fb5a131ac18ec7e1053e5f6d449464c441
-
\Users\Admin\AppData\Local\Temp\nsfF402.tmp\changers.dll
  Filesize: 12KB
  MD5: 1e3e2f93d2a27ccca90c02eb85ce9efa
  SHA1: 4ac819b10c58ea8d018f27b2559fc92d92101257
  SHA256: d16abae5bbff20d6d9d6f4d95292c556a9470d11feb8710c34e38e8a932e1cf9
  SHA512: 84795c14cbaaf1e276c74ce3cee42e94a4214eba38275b80dc867036d6efe9842cf29e9d6634039028c4281efd5a3a8c39fab67d19f527d50ab267c8df2fe45b
-
Memory dumps
  memory/804-61-0x0000000000000000-mapping.dmp
  memory/1276-71-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-79-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-87-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-86-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-72-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-74-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-76-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-77-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-78-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-85-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-80-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-81-0x0000000000400000-0x0000000000410000-memory.dmp  Filesize: 64KB
  memory/1276-82-0x00000000004012A0-mapping.dmp
  memory/1468-55-0x0000000000000000-mapping.dmp
  memory/1884-54-0x00000000763D1000-0x00000000763D3000-memory.dmp  Filesize: 8KB
  memory/1976-67-0x0000000000000000-mapping.dmp
  memory/2000-59-0x0000000000000000-mapping.dmp