Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-06-2022 03:46
Static task: static1
Behavioral task: behavioral1
- Sample: 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe
- Resource: win10v2004-20220414-en
General
- Target: 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe
- Size: 388KB
- MD5: 0bb4c690fe90c499275a1b268b5ff0eb
- SHA1: 4308d202a1f308db17e6a5b1eda83aa18aa45ece
- SHA256: 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a
- SHA512: 9b01f020cc2899eb10353072359d343e6b81df1fbea6f6f2d5b138c039a1d9b160da814aaf194fae9561c35550724b1623b086282846d31da9b8dfb89fe83074
Malware Config
Extracted
- gozi_ifsb
- 1010
- diuolirt.at
- deopliazae.at
- nifredao.com
- filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    4224 / Audirvps.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation / 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clipmlua = "C:\\Users\\Admin\\AppData\\Roaming\\AppMtngc\\Audirvps.exe" / 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid / pid_target / process / target process):
    4168 / 4224 / WerFault.exe / Audirvps.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    4224 / Audirvps.exe
    4224 / Audirvps.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
    PID 4116 wrote to memory of 3744 / 4116 / 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe / cmd.exe
    PID 4116 wrote to memory of 3744 / 4116 / 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe / cmd.exe
    PID 4116 wrote to memory of 3744 / 4116 / 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe / cmd.exe
    PID 3744 wrote to memory of 4632 / 3744 / cmd.exe / cmd.exe
    PID 3744 wrote to memory of 4632 / 3744 / cmd.exe / cmd.exe
    PID 3744 wrote to memory of 4632 / 3744 / cmd.exe / cmd.exe
    PID 4632 wrote to memory of 4224 / 4632 / cmd.exe / Audirvps.exe
    PID 4632 wrote to memory of 4224 / 4632 / cmd.exe / Audirvps.exe
    PID 4632 wrote to memory of 4224 / 4632 / cmd.exe / Audirvps.exe
    PID 4224 wrote to memory of 4220 / 4224 / Audirvps.exe / svchost.exe
    PID 4224 wrote to memory of 4220 / 4224 / Audirvps.exe / svchost.exe
Processes (indented by depth in the process tree)
- C:\Users\Admin\AppData\Local\Temp\1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E018\10.bat" "C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1D63B5~1.EXE""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1D63B5~1.EXE""
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1D63B5~1.EXE"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 572
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4224 -ip 4224
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\E018\10.bat
  Filesize: 112B
  MD5: 2e10604859d57e00c294694ab833784e
  SHA1: 2c32e6b046d2ca8a7831f46fa3711b87dff6aa3d
  SHA256: cf6049aa850101e6f006a26f381a725172c4968ca2748acfd68636fe5847c634
  SHA512: adfbd0df917d89b5e58e01e1434e63e9ab4b1a67454cad0bad7ea5e1154d30fd235af91bc3ccce3ef5df37714391cb9c041f7d4f524ab47d0b773e7d09d73703
- C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
  Filesize: 388KB
  MD5: 0bb4c690fe90c499275a1b268b5ff0eb
  SHA1: 4308d202a1f308db17e6a5b1eda83aa18aa45ece
  SHA256: 1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a
  SHA512: 9b01f020cc2899eb10353072359d343e6b81df1fbea6f6f2d5b138c039a1d9b160da814aaf194fae9561c35550724b1623b086282846d31da9b8dfb89fe83074
- memory/3744-133-0x0000000000000000-mapping.dmp
- memory/4116-130-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
- memory/4116-132-0x00000000021B0000-0x00000000021E0000-memory.dmp
  Filesize: 192KB
- memory/4224-136-0x0000000000000000-mapping.dmp
- memory/4224-139-0x0000000000400000-0x0000000000463000-memory.dmp
  Filesize: 396KB
- memory/4224-141-0x00000000004F0000-0x0000000000520000-memory.dmp
  Filesize: 192KB
- memory/4632-135-0x0000000000000000-mapping.dmp