Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14/12/2024, 13:26
Static task
static1
Behavioral task
behavioral1
Sample
Gosjeufon.cpl.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Gosjeufon.cpl.exe
Resource
win10v2004-20241007-en
General
-
Target
Gosjeufon.cpl.exe
-
Size
881KB
-
MD5
9049faba5517305c44bd5f28398fb6b9
-
SHA1
036c6b32f3e7d7d689c9b4d482091eebcc669bfa
-
SHA256
d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3
-
SHA512
65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a
-
SSDEEP
12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt Gosjeufon.cpl.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Decryptfiles.txt Gosjeufon.cpl.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Gosjeufon.cpl.exe" Gosjeufon.cpl.exe -
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini Gosjeufon.cpl.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gosjeufon.cpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 224 cmd.exe 764 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 764 PING.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1184 Gosjeufon.cpl.exe 1184 Gosjeufon.cpl.exe 1184 Gosjeufon.cpl.exe 1184 Gosjeufon.cpl.exe 1184 Gosjeufon.cpl.exe 1184 Gosjeufon.cpl.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1184 Gosjeufon.cpl.exe Token: SeDebugPrivilege 1184 Gosjeufon.cpl.exe Token: SeDebugPrivilege 1184 Gosjeufon.cpl.exe Token: SeIncreaseQuotaPrivilege 4224 wmic.exe Token: SeSecurityPrivilege 4224 wmic.exe Token: SeTakeOwnershipPrivilege 4224 wmic.exe Token: SeLoadDriverPrivilege 4224 wmic.exe Token: SeSystemProfilePrivilege 4224 wmic.exe Token: SeSystemtimePrivilege 4224 wmic.exe Token: SeProfSingleProcessPrivilege 4224 wmic.exe Token: SeIncBasePriorityPrivilege 4224 wmic.exe Token: SeCreatePagefilePrivilege 4224 wmic.exe Token: SeBackupPrivilege 4224 wmic.exe Token: SeRestorePrivilege 4224 wmic.exe Token: SeShutdownPrivilege 4224 wmic.exe Token: SeDebugPrivilege 4224 wmic.exe Token: SeSystemEnvironmentPrivilege 4224 wmic.exe Token: SeRemoteShutdownPrivilege 4224 wmic.exe Token: SeUndockPrivilege 4224 wmic.exe Token: SeManageVolumePrivilege 4224 wmic.exe Token: 33 4224 wmic.exe Token: 34 4224 wmic.exe Token: 35 4224 wmic.exe Token: 36 4224 wmic.exe Token: SeIncreaseQuotaPrivilege 4224 wmic.exe Token: SeSecurityPrivilege 4224 wmic.exe Token: SeTakeOwnershipPrivilege 4224 wmic.exe Token: SeLoadDriverPrivilege 4224 wmic.exe Token: SeSystemProfilePrivilege 4224 wmic.exe Token: SeSystemtimePrivilege 4224 wmic.exe Token: SeProfSingleProcessPrivilege 4224 wmic.exe Token: SeIncBasePriorityPrivilege 4224 wmic.exe Token: SeCreatePagefilePrivilege 4224 wmic.exe Token: SeBackupPrivilege 4224 wmic.exe Token: SeRestorePrivilege 4224 wmic.exe Token: SeShutdownPrivilege 4224 wmic.exe Token: SeDebugPrivilege 4224 wmic.exe Token: SeSystemEnvironmentPrivilege 4224 wmic.exe Token: SeRemoteShutdownPrivilege 4224 wmic.exe Token: SeUndockPrivilege 4224 wmic.exe Token: SeManageVolumePrivilege 4224 wmic.exe Token: 33 4224 wmic.exe Token: 34 4224 wmic.exe Token: 35 4224 wmic.exe Token: 36 4224 wmic.exe Token: SeBackupPrivilege 4572 vssvc.exe Token: SeRestorePrivilege 4572 vssvc.exe Token: SeAuditPrivilege 4572 vssvc.exe Token: SeDebugPrivilege 1184 Gosjeufon.cpl.exe Token: SeDebugPrivilege 1184 Gosjeufon.cpl.exe Token: SeIncreaseQuotaPrivilege 892 wmic.exe Token: SeSecurityPrivilege 892 wmic.exe Token: SeTakeOwnershipPrivilege 892 wmic.exe Token: SeLoadDriverPrivilege 892 wmic.exe Token: SeSystemProfilePrivilege 892 wmic.exe Token: SeSystemtimePrivilege 892 wmic.exe Token: SeProfSingleProcessPrivilege 892 wmic.exe Token: SeIncBasePriorityPrivilege 892 wmic.exe Token: SeCreatePagefilePrivilege 892 wmic.exe Token: SeBackupPrivilege 892 wmic.exe Token: SeRestorePrivilege 892 wmic.exe Token: SeShutdownPrivilege 892 wmic.exe Token: SeDebugPrivilege 892 wmic.exe Token: SeSystemEnvironmentPrivilege 892 wmic.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 1184 wrote to memory of 4224 1184 Gosjeufon.cpl.exe 84 PID 1184 wrote to memory of 4224 1184 Gosjeufon.cpl.exe 84 PID 1184 wrote to memory of 892 1184 Gosjeufon.cpl.exe 101 PID 1184 wrote to memory of 892 1184 Gosjeufon.cpl.exe 101 PID 1184 wrote to memory of 224 1184 Gosjeufon.cpl.exe 102 PID 1184 wrote to memory of 224 1184 Gosjeufon.cpl.exe 102 PID 1184 wrote to memory of 224 1184 Gosjeufon.cpl.exe 102 PID 224 wrote to memory of 764 224 cmd.exe 105 PID 224 wrote to memory of 764 224 cmd.exe 105 PID 224 wrote to memory of 764 224 cmd.exe 105 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\Windows\system32\wbem\wmic.exec:\bySKnR\bySK\..\..\Windows\bySK\bySK\..\..\system32\bySK\bySK\..\..\wbem\bySK\bySKn\..\..\wmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
-
\??\c:\Windows\system32\wbem\wmic.exec:\qWdUwe\qWdU\..\..\Windows\qWdU\qWdU\..\..\system32\qWdU\qWdU\..\..\wbem\qWdU\qWdUw\..\..\wmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:892
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:764
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4572
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD558791bb66477f8ea85a7572f72f18f4b
SHA1386f949dbd077f0dca9843fc108a2dec43ccea90
SHA256dfbc41b24460cdf6377e9cf01f3ea55456703c21be6a311f70b3705bacf40d87
SHA5128f7d34160d11aba4f107aae86c756e90c418c19c267b9d67d4913bc62b72509ce42b8cb229f3a16951dec7a1444afab8a1b17792d01a609612f5f3fc884d8c0b