Resubmissions

25/09/2024, 14:01

240925-rb2vcsygnl 10

25/09/2024, 10:29

240925-mh8t2azgnl 10

Analysis

  • max time kernel
    46s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25/09/2024, 14:01

General

  • Target

    GJecwa34.cpl.exe

  • Size

    873KB

  • MD5

    5b2ac6ed9b0830ec7f1c9eb7deb38c66

  • SHA1

    0f1011748dfff6a0d0f0c0b9b8bc045da54080a6

  • SHA256

    92ac711db16da541e06c5195050f6fbd8915255c79ded58f70ba030d37135ceb

  • SHA512

    d1509fbdf410c943b2df1f05f1ece680dbd45b6090b43985707f6ebccf940cf4d384a235838d75df8f72b688c41fbfc0ef41347dee869de2d7e3dd5aa1da68f8

  • SSDEEP

    24576:QLVxajaoPDR60nXKJxrYUrG/fNfhgsqYREh3TR:Q/b3MNJgsqYRed

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] Attach this file in the email

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 21 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe
    "C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1588
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\gzkOpN\gzkO\..\..\Windows\gzkO\gzkO\..\..\system32\gzkO\gzkO\..\..\wbem\gzkO\gzkOp\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3988
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\mwjoTh\mwjo\..\..\Windows\mwjo\mwjo\..\..\system32\mwjo\mwjo\..\..\wbem\mwjo\mwjoT\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5936
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\GJecwa34.cpl.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:6036
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4424
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1672
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Decryptfiles.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:3320
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:112

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

    Filesize

    4KB

    MD5

    b15a4318fe0408afa709ac8d52f5ac50

    SHA1

    575cc86e039ca89fe86b2e79bcf1e9f749d7cc7d

    SHA256

    e8e7dd648ed61421defbb449e7d5e25f2035691bde7d2ea662d0ef9911fbe469

    SHA512

    e292a4ffd2c7594027ab66e056a170d6d6abd236b11e964e2399de1fa7d35d8a3a2e56f840e167f10531dede89f82e4c7675ac3dda66c70ed4ada7a86374afd7

  • memory/112-1328-0x000001C26D5A0000-0x000001C26D5C0000-memory.dmp

    Filesize

    128KB

  • memory/112-1337-0x000001C26D560000-0x000001C26D580000-memory.dmp

    Filesize

    128KB

  • memory/112-1359-0x000001C26D970000-0x000001C26D990000-memory.dmp

    Filesize

    128KB