Resubmissions

15-12-2024 15:40

241215-s4m3caylfs 10

14-12-2024 13:26

241214-qphg7stkay 10

General

  • Target

    Gosjeufon.cpl.exe

  • Size

    881KB

  • Sample

    241214-qphg7stkay

  • MD5

    9049faba5517305c44bd5f28398fb6b9

  • SHA1

    036c6b32f3e7d7d689c9b4d482091eebcc669bfa

  • SHA256

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

  • SHA512

    65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

  • SSDEEP

    12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email

Targets

    • Target

      Gosjeufon.cpl.exe

    • Size

      881KB

    • MD5

      9049faba5517305c44bd5f28398fb6b9

    • SHA1

      036c6b32f3e7d7d689c9b4d482091eebcc669bfa

    • SHA256

      d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

    • SHA512

      65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

    • SSDEEP

      12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks