Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

15/12/2024, 15:40

241215-s4m3caylfs 10

14/12/2024, 13:26

241214-qphg7stkay 10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14/12/2024, 13:26

General

  • Target

    Gosjeufon.cpl.exe

  • Size

    881KB

  • MD5

    9049faba5517305c44bd5f28398fb6b9

  • SHA1

    036c6b32f3e7d7d689c9b4d482091eebcc669bfa

  • SHA256

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

  • SHA512

    65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

  • SSDEEP

    12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe
    "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2120
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\kpbzQA\kpbz\..\..\Windows\kpbz\kpbz\..\..\system32\kpbz\kpbz\..\..\wbem\kpbz\kpbzQ\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\hpODlC\hpOD\..\..\Windows\hpOD\hpOD\..\..\system32\hpOD\hpOD\..\..\wbem\hpOD\hpODl\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:524
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2504
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1712
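The two wmic.exe invocations above are worth a second look: the image path is padded with junk directories and `..` components (`c:\kpbzQA\kpbz\..\..\Windows\...`) so that a naive substring match on `c:\Windows\system32\wbem\wmic.exe shadowcopy delete` misses it, while the kernel still resolves it to the real binary (the sandbox shows the resolved `\??\c:\Windows\system32\wbem\wmic.exe`). The cmd.exe child shows the other recurring pattern, a one-packet ping used purely as a sleep before `Del /f /q` removes the dropper. The following is an added detection example, not part of the tria.ge report: it normalises argv[0] before matching, flags the traversal trick itself, and pairs the ping delay with the self-delete. The tag names, regexes and the `vssadmin delete shadows` variant are my own assumptions; the sample command lines are copied from the process tree above.

```python
import ntpath
import re

# Constructed sample input: the command lines from the process tree above,
# in the form a sandbox or EDR would log them.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"',
    r"c:\kpbzQA\kpbz\..\..\Windows\kpbz\kpbz\..\..\system32\kpbz\kpbz\..\..\wbem\kpbz\kpbzQ\..\..\wmic.exe shadowcopy delete",
    r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"',
    r"ping 1.1.1.1 -n 1 -w 3000",
]

# wmic form seen in this report
SHADOW_DELETE = re.compile(r"\bshadowcopy\s+delete\b", re.I)
# vssadmin form (assumed generalisation, not observed on this page)
VSSADMIN_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
# "ping <host> -n <count>" used as a sleep
PING_DELAY = re.compile(r"\bping\b[^&|]*\s-n\s+\d+", re.I)
# "del [/f] [/q] <something>.exe", quoted or not
DEL_EXE = re.compile(r'\bdel\b\s+(?:/[a-z]\s+)*(?:"([^"]+\.exe)"|(\S+\.exe))', re.I)


def split_argv0(cmdline):
    """Return (argv0, rest) for a Windows command line, honouring a quoted argv0."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            end = len(s)
        return s[1:end], s[end + 1:].strip()
    head, _, tail = s.partition(" ")
    return head, tail.strip()


def normalize_image(path):
    """Collapse '..' traversal and strip the \\??\\ NT prefix so an obfuscated
    path compares equal to the binary it actually resolves to."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return ntpath.normpath(path).lower()


def classify(cmdline):
    """Tag one command line. Returns the normalised image, a sorted list of
    tags (assumed names) and, for a self-delete, the file being removed."""
    argv0, args = split_argv0(cmdline)
    image = normalize_image(argv0)
    tags = []
    target = None

    # The traversal trick is itself a signal: no legitimate launcher
    # spells out wmic.exe as c:\junk\junk\..\..\Windows\...
    if "\\..\\" in argv0 or "/../" in argv0:
        tags.append("obfuscated_image_path")

    # Match on the resolved binary, not on the raw string the parent passed.
    if image.endswith("\\wmic.exe") and SHADOW_DELETE.search(args):
        tags.append("shadow_copy_deletion")
    if image.endswith("\\vssadmin.exe") and VSSADMIN_DELETE.search(args):
        tags.append("shadow_copy_deletion")

    # ping used as a delay, then del of an .exe, in the same cmd.exe line.
    m = DEL_EXE.search(cmdline)
    if m and PING_DELAY.search(cmdline):
        tags.append("ping_delay_self_delete")
        target = m.group(1) or m.group(2)

    return {"image": image, "tags": tags, "deleted_target": target}


def scan(cmdlines):
    """Classify a batch of command lines, preserving order."""
    return [classify(c) for c in cmdlines]


if __name__ == "__main__":
    for raw, result in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        print(result["image"], result["tags"], result["deleted_target"])
```

Matching on the normalised image rather than the raw argv[0] is the point: the junk-directory padding changes every run, so any rule keyed on the literal string is trivially evaded, whereas `ntpath.normpath` reduces all variants to `c:\windows\system32\wbem\wmic.exe`. In a real pipeline the same normalisation should be applied to the parent image when correlating the `Del` target with the process that spawned cmd.exe.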

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

    Filesize

    4KB

    MD5

    913a0a2f425125ca64fee6098b290133

    SHA1

    23e015a8dbec0741ddfa2832b90b268469e401d0

    SHA256

    89d3d0eeba46b05a8dfd175f57c24a2790890a0806d4acc5771f11010e52ee95

    SHA512

    cd05dc8258c40b718a6ba2d1b122fd2462758c1b66b59d1b0d9c87e4e8126af082a2ed5f83c97df9dc5aeb8997cccc8f0bb709f435de06adf8af27541c67e911