Overview

overview

10

Static

static

3

GJecwa34.cpl.exe

windows7-x64

10

GJecwa34.cpl.exe

windows10-2004-x64

10

Resubmissions

25-09-2024 14:01

240925-rb2vcsygnl 10

25-09-2024 10:29

240925-mh8t2azgnl 10

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-09-2024 10:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GJecwa34.cpl.exe

  • Size

    873KB

  • MD5

    5b2ac6ed9b0830ec7f1c9eb7deb38c66

  • SHA1

    0f1011748dfff6a0d0f0c0b9b8bc045da54080a6

  • SHA256

    92ac711db16da541e06c5195050f6fbd8915255c79ded58f70ba030d37135ceb

  • SHA512

    d1509fbdf410c943b2df1f05f1ece680dbd45b6090b43985707f6ebccf940cf4d384a235838d75df8f72b688c41fbfc0ef41347dee869de2d7e3dd5aa1da68f8

  • SSDEEP

    24576:QLVxajaoPDR60nXKJxrYUrG/fNfhgsqYREh3TR:Q/b3MNJgsqYRed

Score
10/10
credential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] Attach this file in the email. ID :95FAF0888327EF5BB15492C2A2246410F70549A466625944A2CEA8AB0F918F38DF22644F4631DEC868E1D2871717564B82297ED812122F722D739D51402506238F4D821EF9614CA02D37C37D42E3ABFD4B005F9A51550C627B3FC2B2767B39564C31EB5D090FC973D6A3E4D7339F8AAB75A517A98794BCC9A6762B84C9134DD528422A582BC7627CA5CC59B48059F58A3A9627908E460C133BFA95DA881A8EA19B971C6AA6EF2E9EE24F2AFE8093831AE5B0B0ECC769A9CD6F883819ED007D98C826AB53060C35BD45A80CDB63DBBD1F439411CE7CC59ED24CEEE63D392999D0AE93B191B8944D5C13252771AFC74AC091136353ED41047641A1FA1D7C9F90F32249EA2D9F64BDB7791E0A2E25006E7B0DF4D4CC4F7B0ACA81F0894188206ECD70DB362FB01D6E22ADDCFB9FA2AD1CB990ED1654239C8837510FD4F301716D9C14A30B7A6AEFB75B0BD3089DEE698E1826D208BD22D436EA852E02317DEEEFE6735869553F8ED7EAD28BA782CA14D9FC4879EB9DCCCA248D43FD8432D58109C41719C6C5D297C5BDBAD8E2AB2DC6AC4A522E2685E8A7F4F9EDFB05684B7F8746819F7F13C0AD3C7830421C6806A8DFAEB33F09BCBBE3B78EE82739BA6696F3CC660BE678CD00A57038E53227647DF7CABF7335A49A34C8AF0236921880EFFD3216E3E1001ABE4664DDB7291ADDAD891C9F760EEE34EFBAB4F22D70B1F1E7EF3D3A84B97131E1E32FD37860B2DD334E086F81A629F2762C9BDDF710A65346C8E4BED15E0C895D346AC2EB1BC33982741359C5C79FD067D884D813EEB7CEDD873187075DBFA679CF1E9D4DCF3BA1B2F685805420047C2D7CE9E77E7356AF46E5FA32FC8DA2B924B9C2F784DF9D235C7FE9758842649FA2109CB2648CFD00C3A390D078B5E3D74AA3FE093B077ABD063F87D44020E4449BA30AF42E4023DD86A7F36AEBE2F6A955BBF938B891F9869968F3E2DA9DF999AF740380E507FE70742D08E9C5D030F63C39927205F639165D18C5E7319E79B80189EDB8136EC282C963B26B6088C6DF241CC9565F4A3557CAB6A673CD91924444465D34BD5F4DD245AF72C0CF84261B7E45548623365593D7EDD5731451B172668BDBE3B9ECA8B934F05F9E2A7EE0285A2549EB7162B9B49EC071BA8CD77EC479F944D067140DF6AA399AA38FCA3AA61E58D9364C3D1248B63AF489A3A504B62D3CC0269EFFF369D6CB999ED34F8F594C018EDCF8E1916A8FAD7D764382A048BDB9AF09007DE6F70C4C3B39BCA19858C746F7E29EE822304678998C1931FF45CE88A47CA1286E3848349DE71F35131AD411B7BD109A985576D94B2A162D04601ACF3C3AF10155E45AC1115942123814D79E42D50DE62AAFF8F4584284C60C11F1C5EEBE82659525EA5EDF0B292AC60DEB9EB3EC4574E2233BFE4CF3443A9FF3ECB4814B3A6C867A9950F0FAEF8A9E4E9EEA3D3FAF64526E7412D291A125B71DC8F134E5EB5F86E598AB5535D91FC7359C9056B3288DF9E6C7699AB7465ABCE62D6419BC7C4D5D1BD3F28F3927BDE50DFF486AF07E5E0199758B8E7595AD084B2A8FD4ECBA2006E8F50330D2D49AFCC59148AE36042152CDC952BF1A25EDE11B2FDCAABDCBD5D50A28A41D6C4067B0595403E5FCF11BBAA33A8F65525A5A7D424F1126A6CB6D8E960DF3A41E7F5238FC2225E2B685D016AF0EC17F373AFB67AA1BF7096208850EEE369D084D11D6CFD55F50D55BC0376ACD2D755AD0CA557B078F96B6CF85AB529F60C3128D9502C497E1E66B8B3412CCDAFC7A9ACD42B572C0286CC733E46ED4059BCDFA96A72D44EFDBF6F52D78C013DA3A58017F6504DF5C8DDFF3DAD38FA23DD57A83E78B58FC8A6A75F4C579FC759A11885DD70BE029C7894EF5A6D23B31C1B8B55A8C146309ED24A41968AF18E3F5496307C73F3E08F829DA11879A50CD81AE0BB41303BA4E73B7536071F7D8629DCA7DC8466FBED82A3D33E2AD6582D8FE706BB1B5E283219923C283BCC00F44EC5792A01FA5B1A8AE400F0BB525AAA16E32F3B69389DCE536A155D4E61C957239BE84DB0DB7C1FF6FBA33AE9E1E8C157D728108A046B0493315324621D89290247D5E7C74589AEDCE66B31D54FC6AEA8E73FB1798CCCEFA37D23EBD3E31F62E0E5E285D5C89BB4A1119D3F54354251CC956268828FE1D6F2FFA4FC4B934CDFD0F829B5E6BAF0767DFA1183D5C69C90561D5DF2D0745BBE5D5AECB5FA7048BF41940EB7F9151E67A62138092B96EC62D16F12A9487035562357559DE48C9B7A75C1B7900030AAA3A6647603B4E384200A4431D50A2DB1F03D47181FC65FC45034CF6E4C8B25A2BAAABCFDE4DCE6D0FB898840298A9D1411848AC76E73DA69B

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe
    "C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1332
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\DiKFMT\DiKF\..\..\Windows\DiKF\DiKF\..\..\system32\DiKF\DiKF\..\..\wbem\DiKF\DiKFM\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\fnirKI\fnir\..\..\Windows\fnir\fnir\..\..\system32\fnir\fnir\..\..\wbem\fnir\fnirK\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:276
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1292
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1660
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2144

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Windows Management Instrumentation

    1
    T1047

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Indicator Removal

    1
    T1070

    File Deletion

    1
    T1070.004

    Modify Registry

    1
    T1112

    Credential Access

    Credentials from Password Stores

    2
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Windows Credential Manager

    1
    T1555.004

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Remote System Discovery

    1
    T1018

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Internet Connection Discovery

    1
    T1016.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Inhibit System Recovery

    1
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt
      Filesize

      4KB

      MD5

      ed56d7fc881b9e6438a8c91cd4b1542f

      SHA1

      f067ee897352106349522da7adf5e44bce07c427

      SHA256

      b9985940a87f21deed1a494cf94488b7ef606c1bec5c9d1b10b5710edc9af600

      SHA512

      e2ae7badaf2565d3ae77820be71b1c3b0178676d108c298dcd7adf2314f18d73f8411bb239f22f855883c64efb5e4ca08a3b9c67df3fc34297fd9c636e37be56

      Download Submit