Resubmissions

15/12/2024, 15:40

241215-s4m3caylfs 10

14/12/2024, 13:26

241214-qphg7stkay 10

General

  • Target

    Gosjeufon.cpl.exe

  • Size

    881KB

  • Sample

    241215-s4m3caylfs

  • MD5

    9049faba5517305c44bd5f28398fb6b9

  • SHA1

    036c6b32f3e7d7d689c9b4d482091eebcc669bfa

  • SHA256

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

  • SHA512

    65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

  • SSDEEP

    12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email


Targets

    • Target

      Gosjeufon.cpl.exe

    • Size

      881KB

    • MD5

      9049faba5517305c44bd5f28398fb6b9

    • SHA1

      036c6b32f3e7d7d689c9b4d482091eebcc669bfa

    • SHA256

      d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

    • SHA512

      65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

    • SSDEEP

      12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)
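The signature names above are the sandbox's labels; the report does not show the command lines behind them. Three of the behaviours (shadow-copy deletion, Run-key persistence, self-deletion) leave a process-creation trail, so they can be turned into detection logic over Sysmon Event ID 1 style records (Image, ParentImage, CommandLine). The Python below is an added example written for this page, not code from tria.ge or from the sample's analysis: the events, the `SysHelper` value name and every command line are constructed for illustration, and the ATT&CK mapping uses the Enterprise technique IDs for Inhibit System Recovery (T1490), Registry Run Keys (T1547.001) and File Deletion (T1070.004).

```python
"""Detect shadow-copy deletion, Run-key persistence and self-deletion in
process-creation telemetry. Added example; all events are constructed."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 record."""
    pid: int
    parent_image: str
    image: str
    cmdline: str


# Constructed sample path; only the file name comes from the report.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"

# Constructed events (not from the report): the sample spawning the usual
# recovery-inhibition, persistence and clean-up children, plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(1204, r"C:\Windows\explorer.exe", SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(1320, SAMPLE_PATH, r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1344, SAMPLE_PATH, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic shadowcopy delete"),
    ProcEvent(1380, SAMPLE_PATH, r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
              f' /v SysHelper /t REG_SZ /d "{SAMPLE_PATH}" /f'),
    ProcEvent(1402, SAMPLE_PATH, r"C:\Windows\System32\cmd.exe",
              f'cmd.exe /c ping 127.0.0.1 -n 3 & del /f /q "{SAMPLE_PATH}"'),
    ProcEvent(1500, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe Decryptfiles.txt"),
]

# Command-line rules keyed by the sandbox signature name they correspond to.
RULES = {
    "Deletes shadow copies": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
        # WMI class used by PowerShell variants (Get-WmiObject Win32_ShadowCopy | Remove-WmiObject)
        re.compile(r"Win32_ShadowCopy", re.I),
    ],
    "Adds Run key to start application": [
        re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I),
    ],
}

ATTACK = {
    "Deletes shadow copies": "T1490",
    "Adds Run key to start application": "T1547.001",
    "Deletes itself": "T1070.004",
}


def is_self_delete(ev: ProcEvent) -> bool:
    """cmd.exe spawned by a process whose own image path is the target of a del."""
    return (ev.image.lower().endswith("\\cmd.exe")
            and re.search(r"\bdel\b", ev.cmdline, re.I) is not None
            and ev.parent_image.lower() in ev.cmdline.lower())


def detect(events):
    """Return (signature, pid) pairs in event order."""
    hits = []
    for ev in events:
        for name, patterns in RULES.items():
            if any(p.search(ev.cmdline) for p in patterns):
                hits.append((name, ev.pid))
        if is_self_delete(ev):
            hits.append(("Deletes itself", ev.pid))
    return hits


def attack_techniques(hits):
    """Sorted, de-duplicated ATT&CK technique IDs for a list of hits."""
    return sorted({ATTACK[name] for name, _ in hits})


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for name, pid in found:
        print(f"{ATTACK[name]:10} pid={pid} {name}")
    print("techniques:", ", ".join(attack_techniques(found)))
```

The self-delete check keys on the parent image rather than on a fixed command string because the delay trick varies (ping, timeout, choice) while the deleted path is always the parent's own binary. The remaining signatures (credential-store and browser-profile reads, desktop.ini drops) come from file-access events and would need Sysmon Event ID 11 or EDR file telemetry, not process creation.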

MITRE ATT&CK Enterprise v15

Tasks