56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c

General

Target

56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
Size

206KB
MD5

7df850b43f3f28a67b8160c4265bc726
SHA1

522377eced5e1694d36e45da75037d87e84b3729
SHA256

56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c
SHA512

c6bb2271a794da8a7b5ac6f7e634f1d4173dbaa54fbc778dd29651fc99a5096b974f3bdd0c28775392760f8253bdb55ff7303a33915525ccd0d6a4f52d526225

Score

10^/10

ransomware

Malware Config

Extracted

Path

\??\c:\GOMER-README.txt

Ransom Note

! ATTENTION ! -------------------------------------------------------------------------------------------- ! STRICTLY FORBIDDEN TO USE THIRD-PARTY DECRYPTION SOFTWARE - FILES WILL BE LOST ! -------------------------------------------------------------------------------------------- Due vulnerability in your system all files have been protected with strong private key to safe them from unathorized access. To RESTORE your files, follow this instructions: 1. Gomer service charges a payment for file decryption tool 2. Contact us with attached Gomer-readme.txt 3. Receive Gomer file decryption tool 4. Run the tool and successfully RESTORE all your files! We guarantee: 100% Successful restoring all of your files 100% Satisfaction guarantee 100% Fast and secure service As a proof of our trusted service, you can send us 1 file and get it decrypted for free! -------------------------------------------------------------------------------------------- ! ONLY ORIGINAL GOMER DECRYPTION TOOL CAN RESTORE YOUR FILES ! -------------------------------------------------------------------------------------------- Contacts: support-gomer@pm.me Payments accepted: Bitcoin (BTC) ID KEY: gMWCXd52gagzYTakkupc2dqCy0xNvLiodz+1yw8fJ714F8MXpsFOM/mp6oqJJjLs 3bdTk/VPXtQ0vRVZtvF9w9a+zdn0UdgS3Axw18epdH0qaNxNmTh9BxOLts02C08b 1qWCyoq09LluA2HJi4Y8UPWDM2Rj4iCRVHWqHoM8HEQ= ~ GOMER ~ fZMyUwYEw1gbCXY2/a/Mzg==

Emails

support-gomer@pm.me

Signatures

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

NOTEPAD.EXE

pid process

2028 NOTEPAD.EXE

pid	process
2028	NOTEPAD.EXE

Modifies registry class 3 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1604 NOTEPAD.EXE

pid	process
1604	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.execmd.exerundll32.exe

description	pid	process	target process
PID 1496 wrote to memory of 1820	1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe	cmd.exe
PID 1496 wrote to memory of 1820	1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe	cmd.exe
PID 1496 wrote to memory of 1820	1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe	cmd.exe
PID 1496 wrote to memory of 1820	1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe	cmd.exe
PID 1496 wrote to memory of 1964	1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe	cmd.exe
PID 1496 wrote to memory of 1964	1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe	cmd.exe
PID 1496 wrote to memory of 1964	1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe	cmd.exe
PID 1496 wrote to memory of 1964	1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe	cmd.exe
PID 1964 wrote to memory of 1988	1964	cmd.exe	PING.EXE
PID 1964 wrote to memory of 1988	1964	cmd.exe	PING.EXE
PID 1964 wrote to memory of 1988	1964	cmd.exe	PING.EXE
PID 1964 wrote to memory of 1988	1964	cmd.exe	PING.EXE
PID 1976 wrote to memory of 1604	1976	rundll32.exe	NOTEPAD.EXE
PID 1976 wrote to memory of 1604	1976	rundll32.exe	NOTEPAD.EXE
PID 1976 wrote to memory of 1604	1976	rundll32.exe	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe

pid	process
1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
1496	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1964 cmd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

1976 rundll32.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1988 PING.EXE

pid	process
1964	cmd.exe

pid	process
1976	rundll32.exe

pid	process
1988	PING.EXE

Drops file in Program Files directory 7697 IoCs

Processes:

56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01169_.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SWEST_01.MID	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL012.XML	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\GOMER-README.txt	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL108.XML	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Beige.css	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\GOMER-README.txt	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\GOMER-README.txt	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00197_.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\CompleteResize.pub	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0157191.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0199661.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15020_.GIF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\PublicFunctions.js	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Apothecary.thmx	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Response.gif	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\validation.js	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285808.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SY00788_.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD00096_.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107708.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00693_.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Budapest	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\IPIRM.XML	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\ACCWIZ\UTILITY.ACCDA	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\LABELHM.POC	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0199609.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15275_.GIF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kiev	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00531_.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14654_.GIF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\GOMER-README.txt	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287408.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santarem	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_ON.GIF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\CLASSIC2.WMF	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe

Drops desktop.ini file(s) 21 IoCs

Processes:

56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe

C:\Users\Admin\AppData\Local\Temp\56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe
"C:\Users\Admin\AppData\Local\Temp\56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
- Drops desktop.ini file(s)
PID:1496

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C rd /q /s "%systemdrive%\$Recycle.bin"
2⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\56b483bc7bf3708d49c6d326dc36e3b350aa431028ea05e7f1e7fd63177fb19c.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Deletes itself
PID:1964

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1988

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\GOMER-README.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:2028

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1608

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\Files.docx.gomer
1⤵
- Modifies registry class
PID:1860

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\RestoreUnprotect.txt.gomer
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
- Suspicious behavior: GetForegroundWindowSpam
PID:1976

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\RestoreUnprotect.txt.gomer
2⤵
- Opens file in notepad (likely ransom note)
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\GOMER-README.txt

Download Submit
C:\Users\Admin\Documents\RestoreUnprotect.txt.gomer

Download Submit
memory/1496-6-0x0000000003720000-0x0000000003731000-memory.dmp

Filesize
68KB

Download
memory/1496-4-0x0000000003720000-0x0000000003731000-memory.dmp

Filesize
68KB

Download
memory/1496-3-0x0000000003310000-0x0000000003321000-memory.dmp

Filesize
68KB

Download
memory/1496-5-0x0000000003310000-0x0000000003321000-memory.dmp

Filesize
68KB

Download
memory/1496-7-0x0000000003310000-0x0000000003321000-memory.dmp

Filesize
68KB

Download
memory/1496-8-0x0000000003720000-0x0000000003731000-memory.dmp

Filesize
68KB

Download
memory/1496-10-0x0000000003720000-0x0000000003731000-memory.dmp

Filesize
68KB

Download
memory/1496-1-0x0000000003010000-0x0000000003021000-memory.dmp

Filesize
68KB

Download
memory/1496-2-0x0000000003420000-0x0000000003431000-memory.dmp

Filesize
68KB

Download
memory/1604-14-0x0000000000000000-mapping.dmp

Download
memory/1820-0-0x0000000000000000-mapping.dmp

Download
memory/1964-11-0x0000000000000000-mapping.dmp

Download
memory/1988-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads