Resubmissions

15/12/2024, 15:40

241215-s4m3caylfs 10

14/12/2024, 13:26

241214-qphg7stkay 10

Analysis

  • max time kernel
    93s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/12/2024, 13:26

General

  • Target

    Gosjeufon.cpl.exe

  • Size

    881KB

  • MD5

    9049faba5517305c44bd5f28398fb6b9

  • SHA1

    036c6b32f3e7d7d689c9b4d482091eebcc669bfa

  • SHA256

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

  • SHA512

    65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

  • SSDEEP

    12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe
    "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1184
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\bySKnR\bySK\..\..\Windows\bySK\bySK\..\..\system32\bySK\bySK\..\..\wbem\bySK\bySKn\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4224
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\qWdUwe\qWdU\..\..\Windows\qWdU\qWdU\..\..\system32\qWdU\qWdU\..\..\wbem\qWdU\qWdUw\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:892
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

    Filesize

    4KB

    MD5

    58791bb66477f8ea85a7572f72f18f4b

    SHA1

    386f949dbd077f0dca9843fc108a2dec43ccea90

    SHA256

    dfbc41b24460cdf6377e9cf01f3ea55456703c21be6a311f70b3705bacf40d87

    SHA512

    8f7d34160d11aba4f107aae86c756e90c418c19c267b9d67d4913bc62b72509ce42b8cb229f3a16951dec7a1444afab8a1b17792d01a609612f5f3fc884d8c0b