Analysis
-
max time kernel
151s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-11-2022 08:34
General
-
Target
0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe
-
Size
305KB
-
MD5
ed5240ff636e3ace774d45e99f7582f6
-
SHA1
69dd8c6212f38ae2a945437bfcfcd4765ed5e9c5
-
SHA256
0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515
-
SHA512
1ab8540ae1b8b49bda0bfc5af1480798a5bd7d8f2e2900b7db26c8e255397147ac5eeeafe64b102600e19125cd3bd297595d477bceaa7e1cf39369aa742d935f
-
SSDEEP
6144:yZXBsWqsE/Ao+mv8Qv0LVmwq4FU0nN876saWhHzz0ZaZVNIU6dDCo:0XmwRo+mv8QD4+0N46l8HvNZb6dDCo
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Unexpected DNS network traffic destination 34 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe"C:\Users\Admin\AppData\Local\Temp\0540e6ed8fea68886d1ef7fda5b6c6b01a97b2a33f44faaac44885ae24dd9515.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Gorn\Gorn\prostoigra.bat" "2⤵
- Drops file in Drivers directory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbs"2⤵
- Blocklisted process makes network request
-
C:\Program Files (x86)\Gorn\Gorn\crypt.exe"C:\Program Files (x86)\Gorn\Gorn\crypt.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Gorn\Gorn\crypt.exe"C:\Program Files (x86)\Gorn\Gorn\crypt.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbs"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Gorn\Gorn\1.txtFilesize
16B
MD53a26a67ff49cfa2b84e33228fdff96e2
SHA11f8920d5876bb24722239fccc326ab615eb8a9f6
SHA2564a024516bd3c52b19f238e652858c41e30ac917033a4ed6a09bc844870801ad9
SHA512b7010dd1d96b82103856f7658025fd565970e1c162ba7396eb1a7455db377e29544943ef13c6cb6b057d1b29f02d2d88e4919216f5df2e0e3ac96b02f5f96763
-
C:\Program Files (x86)\Gorn\Gorn\2.txtFilesize
27B
MD5213c0742081a9007c9093a01760f9f8c
SHA1df53bb518c732df777b5ce19fc7c02dcb2f9d81b
SHA2569681429a2b00c27fe6cb0453f255024813944a7cd460d18797e3c35e81c53d69
SHA51255182c2e353a0027f585535a537b9c309c3bf57f47da54a16e0c415ed6633b725bf40e40a664b1071575feeb7e589d775983516728ec3e51e87a0a29010c4eb9
-
C:\Program Files (x86)\Gorn\Gorn\crypt.exeFilesize
77KB
MD56098f2c7830161e01b3154c23bb65874
SHA164b4772d08e36dbf5aa985f7791685956d2c62bb
SHA256ed8ae284c66abd7ea44e87df4cf858f513b5c91d7ff10ff9545f7a6fae1a5515
SHA512773c09b842b202670cfca7043b103d2c175a0af093f258575a12fd74b533095ce24efa631c1a5286ecc60701047e35fb5a131ac18ec7e1053e5f6d449464c441
-
C:\Program Files (x86)\Gorn\Gorn\crypt.exeFilesize
77KB
MD56098f2c7830161e01b3154c23bb65874
SHA164b4772d08e36dbf5aa985f7791685956d2c62bb
SHA256ed8ae284c66abd7ea44e87df4cf858f513b5c91d7ff10ff9545f7a6fae1a5515
SHA512773c09b842b202670cfca7043b103d2c175a0af093f258575a12fd74b533095ce24efa631c1a5286ecc60701047e35fb5a131ac18ec7e1053e5f6d449464c441
-
C:\Program Files (x86)\Gorn\Gorn\crypt.exeFilesize
77KB
MD56098f2c7830161e01b3154c23bb65874
SHA164b4772d08e36dbf5aa985f7791685956d2c62bb
SHA256ed8ae284c66abd7ea44e87df4cf858f513b5c91d7ff10ff9545f7a6fae1a5515
SHA512773c09b842b202670cfca7043b103d2c175a0af093f258575a12fd74b533095ce24efa631c1a5286ecc60701047e35fb5a131ac18ec7e1053e5f6d449464c441
-
C:\Program Files (x86)\Gorn\Gorn\dns_bablo.vbsFilesize
812B
MD5f63d57c09b42f8f26cd0353a4b0fdea9
SHA139e3db748741a6fc3083f585dfabc6336aa11a23
SHA256c7e2773da0a4d5a00f0ea73c2a3e8e0582d13dde3ca7807bce0d65cc3a8b89d0
SHA512510a501a4a9b4d291a1a55fd5ef599f6e2928fef1d278007922d35bf95b20486d755e7e55c4718db3896fca256da1dfdac0f9d4b68e09b98b30c969383b376ca
-
C:\Program Files (x86)\Gorn\Gorn\neznoesvidanie.vbsFilesize
289B
MD5b4028478876dbca54cd8fff7ad49a22e
SHA19c2f9edc3d2a185d6f0d51eb37471474d1c169bb
SHA2568f8b51a63c6a52483ef03e22fc7a5401cfe35bdadbaee441010b8fb2ce152a69
SHA512a5133b94d7c9fed3c22fa8359a1e6354a2349bf4a9a1caf7565fc052f7918c085b05e1bff3dfaab0828799040a41de313a202229769f5499085e554c886c5de9
-
C:\Program Files (x86)\Gorn\Gorn\prostoigra.batFilesize
1KB
MD5f3b6175d286d3f19fd08a5270f48668c
SHA1c011d54416218259bdfebd34ac7643fb97e75ddc
SHA256db2c70987ad1b82e2dce59c60b53ff7e08b7b8729b9e463866eb18b6e431b68f
SHA5122ae8d45a24c0054b0bd0a66b3105830dc5b06ac4882b780682007e704895f3e6c00ca57e89054c76c38981cf59eaa078c457938f6d681088a6d13be6c9302d4e
-
C:\Users\Admin\AppData\Local\Temp\nss8E27.tmp\changers.dllFilesize
12KB
MD51e3e2f93d2a27ccca90c02eb85ce9efa
SHA14ac819b10c58ea8d018f27b2559fc92d92101257
SHA256d16abae5bbff20d6d9d6f4d95292c556a9470d11feb8710c34e38e8a932e1cf9
SHA51284795c14cbaaf1e276c74ce3cee42e94a4214eba38275b80dc867036d6efe9842cf29e9d6634039028c4281efd5a3a8c39fab67d19f527d50ab267c8df2fe45b
-
memory/612-137-0x0000000000000000-mapping.dmp
-
memory/2100-136-0x0000000000000000-mapping.dmp
-
memory/2988-141-0x0000000000000000-mapping.dmp
-
memory/3668-132-0x0000000000000000-mapping.dmp
-
memory/4228-144-0x0000000000000000-mapping.dmp
-
memory/4228-145-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/4228-148-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB
-
memory/4228-149-0x0000000000400000-0x0000000000410000-memory.dmpFilesize
64KB