Overview

overview

10

Static

static

022fd303fe...2f.exe

windows7_x64

10

022fd303fe...2f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-02-2022 21:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe

  • Size

    99KB

  • MD5

    20abc2fc4ae0ddc631322df67c828c17

  • SHA1

    30fc7b84a438df84624e79d5365d4bd959fb5f72

  • SHA256

    022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f

  • SHA512

    cf311ade900a87903cfb2ea686494fb3a002f3676ffda9f58f18cb53986eb2a3482e86ed3c6609b523a0880550cf416b918b076197027c775b88e8a29079c4a1

Score
10/10
gozi_rm3bankerevasionpersistenceransomwaresuricatatrojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt

Ransom Note
C E R B E R ----------- Your documents, photos, databases and other important files have been encrypted! To decrypt your files follow the instructions: --------------------------------------------------------------------------------------- 1. Download and install the "Tor Browser" from https://www.torproject.org/ 2. Run it 3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/6938-6B08-A4FB-0006-4649 4. Follow the instructions at this website --------------------------------------------------------------------------------------- �...Quod me non necat me fortiorem facit.�
URLs

http://decrypttozxybarc.onion/6938-6B08-A4FB-0006-4649

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • suricata: ET MALWARE Ransomware/Cerber Checkin 2

    suricata: ET MALWARE Ransomware/Cerber Checkin 2

    suricata
  • suricata: ET MALWARE Ransomware/Cerber Checkin M3 (7)

    suricata: ET MALWARE Ransomware/Cerber Checkin M3 (7)

    suricata
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe
    "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
      "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
        "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -stat -1 -wait "SoR6^pjc f!)lyx*wyJPk331@5cuI"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:288
      • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
        "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -watchdog
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1552
      • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
        "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -stat 102
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:1104
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1756
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
          3⤵
            PID:1956
          • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
            "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" -stat 102 -wait "ahK!%B) !X%&_+(nDH36={6_wgd2m"
            3⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\Windows\system32\cmd.exe
            /d /c taskkill /t /f /im "mountvol.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe" > NUL
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2432
            • C:\Windows\system32\taskkill.exe
              taskkill /t /f /im "mountvol.exe"
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2468
            • C:\Windows\system32\PING.EXE
              ping -n 1 127.0.0.1
              4⤵
              • Runs ping.exe
              PID:2512
        • C:\Windows\SysWOW64\cmd.exe
          /d /c taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe" > NUL
          2⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /t /f /im "022fd303fe748e12943c578232c28e0fd1efbcad063525e1a6bbc008d6d56d2f.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:320
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 1 127.0.0.1
            3⤵
            • Runs ping.exe
            PID:2012
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {875B8A62-F1AC-42CA-9C8D-E8C0714B5A21} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
          C:\Users\Admin\AppData\Roaming\{08569641-0B8C-C7CB-4F6A-A9DDAF6379BC}\mountvol.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:844
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
        1⤵
          PID:2012

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1104-72-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1536-54-0x0000000076071000-0x0000000076073000-memory.dmp

          Filesize

          8KB

          Download