Resubmissions

15-12-2024 15:40

241215-s4m3caylfs 10

14-12-2024 13:26

241214-qphg7stkay 10

Analysis

  • max time kernel
    25s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    15-12-2024 15:40

General

  • Target

    Gosjeufon.cpl.exe

  • Size

    881KB

  • MD5

    9049faba5517305c44bd5f28398fb6b9

  • SHA1

    036c6b32f3e7d7d689c9b4d482091eebcc669bfa

  • SHA256

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

  • SHA512

    65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

  • SSDEEP

    12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. This sample removes shadow copies both ways: through the two wmic.exe shadowcopy delete child processes listed below and through the VSS COM API. The COM route leaves no wmic.exe or vssadmin.exe command line to match on; in this run the vssvc.exe entry in the process tree is the only process-level trace of that service activity.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe
    "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2980
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\gvLepO\gvLe\..\..\Windows\gvLe\gvLe\..\..\system32\gvLe\gvLe\..\..\wbem\gvLe\gvLep\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2228
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\rsqmgv\rsqm\..\..\Windows\rsqm\rsqm\..\..\system32\rsqm\rsqm\..\..\wbem\rsqm\rsqmg\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2732
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2896
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2420
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Decryptfiles.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:1740
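The process tree above shows two things a detection rule has to cope with. The wmic.exe image path is padded with junk directories and `\..\` hops, so a literal match on `C:\Windows\system32\wbem\wmic.exe` fails even though that is the binary that runs, and self-deletion is staged through cmd.exe with ping used as a sleep before Del. The following is an added example, not part of the sandbox report or of the sample, that normalizes the image path with ntpath.normpath and then tags the command lines copied from this report. The tag names, the vssadmin rule and the ransom-note filename heuristic are this example's own choices; the ATT&CK IDs in the tag names (T1490 Inhibit System Recovery, T1070.004 File Deletion) are the standard ones for these techniques and are not printed by the report.

```python
import ntpath
import re

# Command lines copied from the process tree in this report. The ping and
# notepad lines are included so the rules are exercised against lines that
# must not trip the shadow-copy or self-delete detections.
REPORT_CMDLINES = [
    r"c:\gvLepO\gvLe\..\..\Windows\gvLe\gvLe\..\..\system32\gvLe\gvLe\..\..\wbem\gvLe\gvLep\..\..\wmic.exe shadowcopy delete",
    r"c:\rsqmgv\rsqm\..\..\Windows\rsqm\rsqm\..\..\system32\rsqm\rsqm\..\..\wbem\rsqm\rsqmg\..\..\wmic.exe shadowcopy delete",
    r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Gosjeufon.cpl.exe"',
    r"ping 1.1.1.1 -n 1 -w 3000",
    r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Decryptfiles.txt',
]

SHADOWCOPY_RE = re.compile(r"\bshadowcopy\s+delete\b", re.I)        # wmic form, seen in this report
VSSADMIN_RE = re.compile(r"\bdelete\s+shadows\b", re.I)             # vssadmin form, added for completeness
PING_DELAY_RE = re.compile(r"\bping(\.exe)?\b.*-[nw]\s+\d+", re.I)  # ping with -n/-w used as a sleep
DEL_RE = re.compile(r"\b(del|erase)\b", re.I)
NOTE_WORDS = ("decrypt", "readme", "restore", "recover", "how_to")  # heuristic, this example's choice


def split_image(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (image, args).

    A leading double quote delimits the image; otherwise the first space does.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    head, _, tail = s.partition(" ")
    return head, tail.strip()


def normalize_image(raw_image: str) -> str:
    """Collapse '.' and '..' segments and fold case.

    After this, the padded wmic.exe paths from the report compare equal to the
    real binary path, which is what a rule should match on.
    """
    return ntpath.normpath(raw_image).lower()


def classify(cmdline: str) -> dict:
    """Tag one command line with the behaviours the sandbox flagged in this report."""
    raw_image, args = split_image(cmdline)
    image = normalize_image(raw_image)
    base = ntpath.basename(image)
    tags = []
    # Traversal segments inside the image path are the padding trick seen above.
    if "\\..\\" in raw_image or "\\.\\" in raw_image:
        tags.append("obfuscated_image_path")
    if (base == "wmic.exe" and SHADOWCOPY_RE.search(args)) or (
        base == "vssadmin.exe" and VSSADMIN_RE.search(args)
    ):
        tags.append("T1490_shadow_copy_deletion")
    # cmd.exe that sleeps via ping and then deletes a file is the self-removal stub.
    if base == "cmd.exe" and PING_DELAY_RE.search(args) and DEL_RE.search(args):
        tags.append("T1070.004_self_delete_via_ping_delay")
    if base == "notepad.exe":
        note = ntpath.basename(args.strip('"')).lower()
        if note.endswith(".txt") and any(w in note for w in NOTE_WORDS):
            tags.append("possible_ransom_note_display")
    return {"image": image, "args": args, "tags": tags}


def summarize(cmdlines) -> dict:
    """Count tags across a whole process tree."""
    counts: dict = {}
    for line in cmdlines:
        for tag in classify(line)["tags"]:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for line in REPORT_CMDLINES:
        r = classify(line)
        print(f"{r['image']:<45} {', '.join(r['tags']) or '-'}")
    print(summarize(REPORT_CMDLINES))
```

Both wmic.exe lines normalize to c:\windows\system32\wbem\wmic.exe and get the T1490 tag plus the obfuscation tag; the cmd.exe line gets the self-delete tag; the bare ping and the notepad lines get nothing or only the note heuristic. Command-line rules are necessary but not sufficient here: the report also flags "Uses Volume Shadow Copy service COM API", which produces no wmic.exe or vssadmin.exe command line at all, so a hunt for this sample should also look at vssvc.exe starts and at the Run key and startup-folder writes listed under Signatures.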

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

    Filesize

    4KB

    MD5

    173f657c13a3442ce3462ae8a7f7d9aa

    SHA1

    f69407cd29caac9b55484431af5c0d41750a7390

    SHA256

    31e0385d169674cdbe17a60de09c29fa837ee7f6cf5e5d601d304cc8c5b3a414

    SHA512

    ea8b4d12f7dcd0a2859906630a90f780573e988a680320983f27fc587bfe8f4934205fa09448b0c8bc2d96456e5b7e1fed3260e73ec6924db3a472f3c68e06cf