Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25/09/2024, 10:29
Static task
static1
Behavioral task
behavioral1
Sample
GJecwa34.cpl.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
GJecwa34.cpl.exe
Resource
win10v2004-20240802-en
General
-
Target
GJecwa34.cpl.exe
-
Size
873KB
-
MD5
5b2ac6ed9b0830ec7f1c9eb7deb38c66
-
SHA1
0f1011748dfff6a0d0f0c0b9b8bc045da54080a6
-
SHA256
92ac711db16da541e06c5195050f6fbd8915255c79ded58f70ba030d37135ceb
-
SHA512
d1509fbdf410c943b2df1f05f1ece680dbd45b6090b43985707f6ebccf940cf4d384a235838d75df8f72b688c41fbfc0ef41347dee869de2d7e3dd5aa1da68f8
-
SSDEEP
24576:QLVxajaoPDR60nXKJxrYUrG/fNfhgsqYREh3TR:Q/b3MNJgsqYRed
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt GJecwa34.cpl.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Decryptfiles.txt GJecwa34.cpl.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\GJecwa34.cpl.exe" GJecwa34.cpl.exe -
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini GJecwa34.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini GJecwa34.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini GJecwa34.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini GJecwa34.cpl.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GJecwa34.cpl.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 6560 cmd.exe 6692 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 6692 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3168 GJecwa34.cpl.exe 3168 GJecwa34.cpl.exe 3168 GJecwa34.cpl.exe 3168 GJecwa34.cpl.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3168 GJecwa34.cpl.exe Token: SeDebugPrivilege 3168 GJecwa34.cpl.exe Token: SeDebugPrivilege 3168 GJecwa34.cpl.exe Token: SeIncreaseQuotaPrivilege 5140 wmic.exe Token: SeSecurityPrivilege 5140 wmic.exe Token: SeTakeOwnershipPrivilege 5140 wmic.exe Token: SeLoadDriverPrivilege 5140 wmic.exe Token: SeSystemProfilePrivilege 5140 wmic.exe Token: SeSystemtimePrivilege 5140 wmic.exe Token: SeProfSingleProcessPrivilege 5140 wmic.exe Token: SeIncBasePriorityPrivilege 5140 wmic.exe Token: SeCreatePagefilePrivilege 5140 wmic.exe Token: SeBackupPrivilege 5140 wmic.exe Token: SeRestorePrivilege 5140 wmic.exe Token: SeShutdownPrivilege 5140 wmic.exe Token: SeDebugPrivilege 5140 wmic.exe Token: SeSystemEnvironmentPrivilege 5140 wmic.exe Token: SeRemoteShutdownPrivilege 5140 wmic.exe Token: SeUndockPrivilege 5140 wmic.exe Token: SeManageVolumePrivilege 5140 wmic.exe Token: 33 5140 wmic.exe Token: 34 5140 wmic.exe Token: 35 5140 wmic.exe Token: 36 5140 wmic.exe Token: SeIncreaseQuotaPrivilege 5140 wmic.exe Token: SeSecurityPrivilege 5140 wmic.exe Token: SeTakeOwnershipPrivilege 5140 wmic.exe Token: SeLoadDriverPrivilege 5140 wmic.exe Token: SeSystemProfilePrivilege 5140 wmic.exe Token: SeSystemtimePrivilege 5140 wmic.exe Token: SeProfSingleProcessPrivilege 5140 wmic.exe Token: SeIncBasePriorityPrivilege 5140 wmic.exe Token: SeCreatePagefilePrivilege 5140 wmic.exe Token: SeBackupPrivilege 5140 wmic.exe Token: SeRestorePrivilege 5140 wmic.exe Token: SeShutdownPrivilege 5140 wmic.exe Token: SeDebugPrivilege 5140 wmic.exe Token: SeSystemEnvironmentPrivilege 5140 wmic.exe Token: SeRemoteShutdownPrivilege 5140 wmic.exe Token: SeUndockPrivilege 5140 wmic.exe Token: SeManageVolumePrivilege 5140 wmic.exe Token: 33 5140 wmic.exe Token: 34 5140 wmic.exe Token: 35 5140 wmic.exe Token: 36 5140 wmic.exe Token: SeIncreaseQuotaPrivilege 6440 wmic.exe Token: SeSecurityPrivilege 6440 wmic.exe Token: SeTakeOwnershipPrivilege 6440 wmic.exe Token: SeLoadDriverPrivilege 6440 wmic.exe Token: SeSystemProfilePrivilege 6440 wmic.exe Token: SeSystemtimePrivilege 6440 wmic.exe Token: SeProfSingleProcessPrivilege 6440 wmic.exe Token: SeIncBasePriorityPrivilege 6440 wmic.exe Token: SeCreatePagefilePrivilege 6440 wmic.exe Token: SeBackupPrivilege 6440 wmic.exe Token: SeRestorePrivilege 6440 wmic.exe Token: SeShutdownPrivilege 6440 wmic.exe Token: SeDebugPrivilege 6440 wmic.exe Token: SeSystemEnvironmentPrivilege 6440 wmic.exe Token: SeRemoteShutdownPrivilege 6440 wmic.exe Token: SeUndockPrivilege 6440 wmic.exe Token: SeManageVolumePrivilege 6440 wmic.exe Token: 33 6440 wmic.exe Token: 34 6440 wmic.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 3168 wrote to memory of 5140 3168 GJecwa34.cpl.exe 82 PID 3168 wrote to memory of 5140 3168 GJecwa34.cpl.exe 82 PID 3168 wrote to memory of 6440 3168 GJecwa34.cpl.exe 85 PID 3168 wrote to memory of 6440 3168 GJecwa34.cpl.exe 85 PID 3168 wrote to memory of 6560 3168 GJecwa34.cpl.exe 86 PID 3168 wrote to memory of 6560 3168 GJecwa34.cpl.exe 86 PID 3168 wrote to memory of 6560 3168 GJecwa34.cpl.exe 86 PID 6560 wrote to memory of 6692 6560 cmd.exe 89 PID 6560 wrote to memory of 6692 6560 cmd.exe 89 PID 6560 wrote to memory of 6692 6560 cmd.exe 89 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe"C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\Windows\system32\wbem\wmic.exec:\WYgCGu\WYgC\..\..\Windows\WYgC\WYgC\..\..\system32\WYgC\WYgC\..\..\wbem\WYgC\WYgCG\..\..\wmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5140
-
-
\??\c:\Windows\system32\wbem\wmic.exec:\NmbLeQ\NmbL\..\..\Windows\NmbL\NmbL\..\..\system32\NmbL\NmbL\..\..\wbem\NmbL\NmbLe\..\..\wmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6440
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:6560 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6692
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:6716
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5dc5b3c6b7cc3a2665301659223b54f9c
SHA13e94cc263b721fc82a54d1dc99a266b50694ca8c
SHA256ae5f6123c2282e79eb2e73396459b9037c79b1d415b298aa743d18c69ce7dadf
SHA512acfdcc2786f15669a2e9ec25e5585bcab24ca82bf0287ab3d2f27a0d7e4418fa8b07568db45640b67554c6dcb0f6d448669d2abf395294b6101448a4307d6513