Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-12-2024 15:27
Static task
static1
Behavioral task
behavioral1
Sample
Gosjeufon.cpl.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Gosjeufon.cpl.exe
Resource
win10v2004-20241007-en
General
-
Target
Gosjeufon.cpl.exe
-
Size
881KB
-
MD5
9049faba5517305c44bd5f28398fb6b9
-
SHA1
036c6b32f3e7d7d689c9b4d482091eebcc669bfa
-
SHA256
d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3
-
SHA512
65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a
-
SSDEEP
12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
pid Process 2064 cmd.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt Gosjeufon.cpl.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Decryptfiles.txt Gosjeufon.cpl.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Gosjeufon.cpl.exe" Gosjeufon.cpl.exe -
Drops desktop.ini file(s) 10 IoCs
description ioc Process File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini Gosjeufon.cpl.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini Gosjeufon.cpl.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gosjeufon.cpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2064 cmd.exe 1596 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1596 PING.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1836 Gosjeufon.cpl.exe 1836 Gosjeufon.cpl.exe 1836 Gosjeufon.cpl.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1172 wmic.exe Token: SeSecurityPrivilege 1172 wmic.exe Token: SeTakeOwnershipPrivilege 1172 wmic.exe Token: SeLoadDriverPrivilege 1172 wmic.exe Token: SeSystemProfilePrivilege 1172 wmic.exe Token: SeSystemtimePrivilege 1172 wmic.exe Token: SeProfSingleProcessPrivilege 1172 wmic.exe Token: SeIncBasePriorityPrivilege 1172 wmic.exe Token: SeCreatePagefilePrivilege 1172 wmic.exe Token: SeBackupPrivilege 1172 wmic.exe Token: SeRestorePrivilege 1172 wmic.exe Token: SeShutdownPrivilege 1172 wmic.exe Token: SeDebugPrivilege 1172 wmic.exe Token: SeSystemEnvironmentPrivilege 1172 wmic.exe Token: SeRemoteShutdownPrivilege 1172 wmic.exe Token: SeUndockPrivilege 1172 wmic.exe Token: SeManageVolumePrivilege 1172 wmic.exe Token: 33 1172 wmic.exe Token: 34 1172 wmic.exe Token: 35 1172 wmic.exe Token: SeIncreaseQuotaPrivilege 1172 wmic.exe Token: SeSecurityPrivilege 1172 wmic.exe Token: SeTakeOwnershipPrivilege 1172 wmic.exe Token: SeLoadDriverPrivilege 1172 wmic.exe Token: SeSystemProfilePrivilege 1172 wmic.exe Token: SeSystemtimePrivilege 1172 wmic.exe Token: SeProfSingleProcessPrivilege 1172 wmic.exe Token: SeIncBasePriorityPrivilege 1172 wmic.exe Token: SeCreatePagefilePrivilege 1172 wmic.exe Token: SeBackupPrivilege 1172 wmic.exe Token: SeRestorePrivilege 1172 wmic.exe Token: SeShutdownPrivilege 1172 wmic.exe Token: SeDebugPrivilege 1172 wmic.exe Token: SeSystemEnvironmentPrivilege 1172 wmic.exe Token: SeRemoteShutdownPrivilege 1172 wmic.exe Token: SeUndockPrivilege 1172 wmic.exe Token: SeManageVolumePrivilege 1172 wmic.exe Token: 33 1172 wmic.exe Token: 34 1172 wmic.exe Token: 35 1172 wmic.exe Token: SeBackupPrivilege 2364 vssvc.exe Token: SeRestorePrivilege 2364 vssvc.exe Token: SeAuditPrivilege 2364 vssvc.exe Token: SeIncreaseQuotaPrivilege 2508 wmic.exe Token: SeSecurityPrivilege 2508 wmic.exe Token: SeTakeOwnershipPrivilege 2508 wmic.exe Token: SeLoadDriverPrivilege 2508 wmic.exe Token: SeSystemProfilePrivilege 2508 wmic.exe Token: SeSystemtimePrivilege 2508 wmic.exe Token: SeProfSingleProcessPrivilege 2508 wmic.exe Token: SeIncBasePriorityPrivilege 2508 wmic.exe Token: SeCreatePagefilePrivilege 2508 wmic.exe Token: SeBackupPrivilege 2508 wmic.exe Token: SeRestorePrivilege 2508 wmic.exe Token: SeShutdownPrivilege 2508 wmic.exe Token: SeDebugPrivilege 2508 wmic.exe Token: SeSystemEnvironmentPrivilege 2508 wmic.exe Token: SeRemoteShutdownPrivilege 2508 wmic.exe Token: SeUndockPrivilege 2508 wmic.exe Token: SeManageVolumePrivilege 2508 wmic.exe Token: 33 2508 wmic.exe Token: 34 2508 wmic.exe Token: 35 2508 wmic.exe Token: SeIncreaseQuotaPrivilege 2508 wmic.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1836 wrote to memory of 1172 1836 Gosjeufon.cpl.exe 31 PID 1836 wrote to memory of 1172 1836 Gosjeufon.cpl.exe 31 PID 1836 wrote to memory of 1172 1836 Gosjeufon.cpl.exe 31 PID 1836 wrote to memory of 1172 1836 Gosjeufon.cpl.exe 31 PID 1836 wrote to memory of 2508 1836 Gosjeufon.cpl.exe 37 PID 1836 wrote to memory of 2508 1836 Gosjeufon.cpl.exe 37 PID 1836 wrote to memory of 2508 1836 Gosjeufon.cpl.exe 37 PID 1836 wrote to memory of 2508 1836 Gosjeufon.cpl.exe 37 PID 1836 wrote to memory of 2064 1836 Gosjeufon.cpl.exe 38 PID 1836 wrote to memory of 2064 1836 Gosjeufon.cpl.exe 38 PID 1836 wrote to memory of 2064 1836 Gosjeufon.cpl.exe 38 PID 1836 wrote to memory of 2064 1836 Gosjeufon.cpl.exe 38 PID 2064 wrote to memory of 1596 2064 cmd.exe 41 PID 2064 wrote to memory of 1596 2064 cmd.exe 41 PID 2064 wrote to memory of 1596 2064 cmd.exe 41 PID 2064 wrote to memory of 1596 2064 cmd.exe 41 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\Windows\system32\wbem\wmic.exec:\cVFwvY\cVFw\..\..\Windows\cVFw\cVFw\..\..\system32\cVFw\cVFw\..\..\wbem\cVFw\cVFwv\..\..\wmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
\??\c:\Windows\system32\wbem\wmic.exec:\oMBkrm\oMBk\..\..\Windows\oMBk\oMBk\..\..\system32\oMBk\oMBk\..\..\wbem\oMBk\oMBkr\..\..\wmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1596
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD526b0b057a14637fc6f3607f211be2018
SHA1209c2800c381a552b2778c77de9f901d7220c87b
SHA25692a2358ac0872d530a1ff3036f885f6c7f6833fcf3b0531c2dc7fafd3134fe23
SHA512e06219b019bb388bb96fc1fec739dad89b57ad069465a7fbe500a3447b908116a2881a18ae2c3c5bca80263ae71d56e4c89f472bc6278e4f2eaa0d4a5841c0e2