Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-12-2024 15:27

General

  • Target

    Gosjeufon.cpl.exe

  • Size

    881KB

  • MD5

    9049faba5517305c44bd5f28398fb6b9

  • SHA1

    036c6b32f3e7d7d689c9b4d482091eebcc669bfa

  • SHA256

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

  • SHA512

    65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

  • SSDEEP

    12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe
    "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1836
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\cVFwvY\cVFw\..\..\Windows\cVFw\cVFw\..\..\system32\cVFw\cVFw\..\..\wbem\cVFw\cVFwv\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1172
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\oMBkrm\oMBk\..\..\Windows\oMBk\oMBk\..\..\system32\oMBk\oMBk\..\..\wbem\oMBk\oMBkr\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2064
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1596
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2364

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

    Filesize

    4KB

    MD5

    26b0b057a14637fc6f3607f211be2018

    SHA1

    209c2800c381a552b2778c77de9f901d7220c87b

    SHA256

    92a2358ac0872d530a1ff3036f885f6c7f6833fcf3b0531c2dc7fafd3134fe23

    SHA512

    e06219b019bb388bb96fc1fec739dad89b57ad069465a7fbe500a3447b908116a2881a18ae2c3c5bca80263ae71d56e4c89f472bc6278e4f2eaa0d4a5841c0e2