Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/12/2024, 13:26
Static task
static1
Behavioral task
behavioral1
Sample
Gosjeufon.cpl.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Gosjeufon.cpl.exe
Resource
win10v2004-20241007-en
General
-
Target
Gosjeufon.cpl.exe
-
Size
881KB
-
MD5
9049faba5517305c44bd5f28398fb6b9
-
SHA1
036c6b32f3e7d7d689c9b4d482091eebcc669bfa
-
SHA256
d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3
-
SHA512
65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a
-
SSDEEP
12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
pid Process 2144 cmd.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt Gosjeufon.cpl.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Decryptfiles.txt Gosjeufon.cpl.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Gosjeufon.cpl.exe" Gosjeufon.cpl.exe -
Drops desktop.ini file(s) 10 IoCs
description ioc Process File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Gosjeufon.cpl.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gosjeufon.cpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2144 cmd.exe 2504 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2504 PING.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2120 Gosjeufon.cpl.exe 2120 Gosjeufon.cpl.exe 2120 Gosjeufon.cpl.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2680 wmic.exe Token: SeSecurityPrivilege 2680 wmic.exe Token: SeTakeOwnershipPrivilege 2680 wmic.exe Token: SeLoadDriverPrivilege 2680 wmic.exe Token: SeSystemProfilePrivilege 2680 wmic.exe Token: SeSystemtimePrivilege 2680 wmic.exe Token: SeProfSingleProcessPrivilege 2680 wmic.exe Token: SeIncBasePriorityPrivilege 2680 wmic.exe Token: SeCreatePagefilePrivilege 2680 wmic.exe Token: SeBackupPrivilege 2680 wmic.exe Token: SeRestorePrivilege 2680 wmic.exe Token: SeShutdownPrivilege 2680 wmic.exe Token: SeDebugPrivilege 2680 wmic.exe Token: SeSystemEnvironmentPrivilege 2680 wmic.exe Token: SeRemoteShutdownPrivilege 2680 wmic.exe Token: SeUndockPrivilege 2680 wmic.exe Token: SeManageVolumePrivilege 2680 wmic.exe Token: 33 2680 wmic.exe Token: 34 2680 wmic.exe Token: 35 2680 wmic.exe Token: SeIncreaseQuotaPrivilege 2680 wmic.exe Token: SeSecurityPrivilege 2680 wmic.exe Token: SeTakeOwnershipPrivilege 2680 wmic.exe Token: SeLoadDriverPrivilege 2680 wmic.exe Token: SeSystemProfilePrivilege 2680 wmic.exe Token: SeSystemtimePrivilege 2680 wmic.exe Token: SeProfSingleProcessPrivilege 2680 wmic.exe Token: SeIncBasePriorityPrivilege 2680 wmic.exe Token: SeCreatePagefilePrivilege 2680 wmic.exe Token: SeBackupPrivilege 2680 wmic.exe Token: SeRestorePrivilege 2680 wmic.exe Token: SeShutdownPrivilege 2680 wmic.exe Token: SeDebugPrivilege 2680 wmic.exe Token: SeSystemEnvironmentPrivilege 2680 wmic.exe Token: SeRemoteShutdownPrivilege 2680 wmic.exe Token: SeUndockPrivilege 2680 wmic.exe Token: SeManageVolumePrivilege 2680 wmic.exe Token: 33 2680 wmic.exe Token: 34 2680 wmic.exe Token: 35 2680 wmic.exe Token: SeBackupPrivilege 1712 vssvc.exe Token: SeRestorePrivilege 1712 vssvc.exe Token: SeAuditPrivilege 1712 vssvc.exe Token: SeIncreaseQuotaPrivilege 524 wmic.exe Token: SeSecurityPrivilege 524 wmic.exe Token: SeTakeOwnershipPrivilege 524 wmic.exe Token: SeLoadDriverPrivilege 524 wmic.exe Token: SeSystemProfilePrivilege 524 wmic.exe Token: SeSystemtimePrivilege 524 wmic.exe Token: SeProfSingleProcessPrivilege 524 wmic.exe Token: SeIncBasePriorityPrivilege 524 wmic.exe Token: SeCreatePagefilePrivilege 524 wmic.exe Token: SeBackupPrivilege 524 wmic.exe Token: SeRestorePrivilege 524 wmic.exe Token: SeShutdownPrivilege 524 wmic.exe Token: SeDebugPrivilege 524 wmic.exe Token: SeSystemEnvironmentPrivilege 524 wmic.exe Token: SeRemoteShutdownPrivilege 524 wmic.exe Token: SeUndockPrivilege 524 wmic.exe Token: SeManageVolumePrivilege 524 wmic.exe Token: 33 524 wmic.exe Token: 34 524 wmic.exe Token: 35 524 wmic.exe Token: SeIncreaseQuotaPrivilege 524 wmic.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2120 wrote to memory of 2680 2120 Gosjeufon.cpl.exe 31 PID 2120 wrote to memory of 2680 2120 Gosjeufon.cpl.exe 31 PID 2120 wrote to memory of 2680 2120 Gosjeufon.cpl.exe 31 PID 2120 wrote to memory of 2680 2120 Gosjeufon.cpl.exe 31 PID 2120 wrote to memory of 524 2120 Gosjeufon.cpl.exe 37 PID 2120 wrote to memory of 524 2120 Gosjeufon.cpl.exe 37 PID 2120 wrote to memory of 524 2120 Gosjeufon.cpl.exe 37 PID 2120 wrote to memory of 524 2120 Gosjeufon.cpl.exe 37 PID 2120 wrote to memory of 2144 2120 Gosjeufon.cpl.exe 39 PID 2120 wrote to memory of 2144 2120 Gosjeufon.cpl.exe 39 PID 2120 wrote to memory of 2144 2120 Gosjeufon.cpl.exe 39 PID 2120 wrote to memory of 2144 2120 Gosjeufon.cpl.exe 39 PID 2144 wrote to memory of 2504 2144 cmd.exe 41 PID 2144 wrote to memory of 2504 2144 cmd.exe 41 PID 2144 wrote to memory of 2504 2144 cmd.exe 41 PID 2144 wrote to memory of 2504 2144 cmd.exe 41 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\Windows\system32\wbem\wmic.exec:\kpbzQA\kpbz\..\..\Windows\kpbz\kpbz\..\..\system32\kpbz\kpbz\..\..\wbem\kpbz\kpbzQ\..\..\wmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680
-
-
\??\c:\Windows\system32\wbem\wmic.exec:\hpODlC\hpOD\..\..\Windows\hpOD\hpOD\..\..\system32\hpOD\hpOD\..\..\wbem\hpOD\hpODl\..\..\wmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:524
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2504
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5913a0a2f425125ca64fee6098b290133
SHA123e015a8dbec0741ddfa2832b90b268469e401d0
SHA25689d3d0eeba46b05a8dfd175f57c24a2790890a0806d4acc5771f11010e52ee95
SHA512cd05dc8258c40b718a6ba2d1b122fd2462758c1b66b59d1b0d9c87e4e8126af082a2ed5f83c97df9dc5aeb8997cccc8f0bb709f435de06adf8af27541c67e911