Analysis
- max time kernel: 47s
- max time network: 51s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 09-06-2022 08:47
Static task: static1
Behavioral task: behavioral1
- Sample: 1506235ef20de5e302756790a06e84aba843ef488af220956041a154a0901e98.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 1506235ef20de5e302756790a06e84aba843ef488af220956041a154a0901e98.exe
- Resource: win10v2004-20220414-en
General
- Target: 1506235ef20de5e302756790a06e84aba843ef488af220956041a154a0901e98.exe
- Size: 493KB
- MD5: 6c7e410f44893d5274d311126f2c70f6
- SHA1: f057ffd3ef87238b2a99df772832a9468cbe5d68
- SHA256: 1506235ef20de5e302756790a06e84aba843ef488af220956041a154a0901e98
- SHA512: f248792d2a9ebfb978c5acf8512849c77d0776707be5a568a0cafc00b212dcee6c67de161fa292575b26a82f14c7253be454d9e68f21f0425c41c7f460772a38
Malware Config
Extracted: gozi_ifsb
- 1010
- diuolirt.at
- deopliazae.at
- nifredao.com
- filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoC)
  Processes: amxredit.exe (PID 1660)
- Deletes itself (1 IoC)
  Processes: amxredit.exe (PID 1660)
- Loads dropped DLL (1 IoC)
  Processes: cmd.exe (PID 1228)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1506235ef20de5e302756790a06e84aba843ef488af220956041a154a0901e98.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audial32 = "C:\\Users\\Admin\\AppData\\Roaming\\Audiient\\amxredit.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1660 (amxredit.exe) set thread context of PID 2032 (svchost.exe)
  PID 2032 (svchost.exe) set thread context of PID 1208 (Explorer.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: amxredit.exe (PID 1660), Explorer.EXE (PID 1208)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: amxredit.exe (PID 1660), svchost.exe (PID 2032)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: Explorer.EXE (PID 1208), Explorer.EXE (PID 1208)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Explorer.EXE (PID 1208), Explorer.EXE (PID 1208)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: Explorer.EXE (PID 1208)
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 632 (1506235ef20de5e302756790a06e84aba843ef488af220956041a154a0901e98.exe) wrote to memory of PID 1948 (cmd.exe), 4 times
  PID 1948 (cmd.exe) wrote to memory of PID 1228 (cmd.exe), 4 times
  PID 1228 (cmd.exe) wrote to memory of PID 1660 (amxredit.exe), 4 times
  PID 1660 (amxredit.exe) wrote to memory of PID 2032 (svchost.exe), 7 times
  PID 2032 (svchost.exe) wrote to memory of PID 1208 (Explorer.EXE), 3 times
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
2. C:\Users\Admin\AppData\Local\Temp\1506235ef20de5e302756790a06e84aba843ef488af220956041a154a0901e98.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1506235ef20de5e302756790a06e84aba843ef488af220956041a154a0901e98.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\cmd.exe
   Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4A1E\250F.bat" "C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\150623~1.EXE""
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\cmd.exe
   Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\150623~1.EXE""
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
   Command line: "C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\150623~1.EXE"
   - Executes dropped EXE
   - Deletes itself
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
6. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\4A1E\250F.bat
  Filesize: 108B
  MD5: 85a1ceca6c419c2392fa84ac5b9a2446
  SHA1: 3cd4ae8c77fa723baced061a4f3f6ad841e1db2a
  SHA256: 160ccf62ce5ad9567b0a097d68766c433fa444e51beab4761bf3ea1b3dd7c235
  SHA512: fbcea2df3462b21ee193ac36a641f8ed38e4ccf8bf0b869ee5cc0fea942d3dd4af6b6cc672f885b52c29475529ae9dd694072565d503a4230d7d21f20167e6c0
- C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
  Filesize: 493KB
  MD5: 6c7e410f44893d5274d311126f2c70f6
  SHA1: f057ffd3ef87238b2a99df772832a9468cbe5d68
  SHA256: 1506235ef20de5e302756790a06e84aba843ef488af220956041a154a0901e98
  SHA512: f248792d2a9ebfb978c5acf8512849c77d0776707be5a568a0cafc00b212dcee6c67de161fa292575b26a82f14c7253be454d9e68f21f0425c41c7f460772a38
- \Users\Admin\AppData\Roaming\Audiient\amxredit.exe
  Filesize: 493KB
  MD5: 6c7e410f44893d5274d311126f2c70f6
  SHA1: f057ffd3ef87238b2a99df772832a9468cbe5d68
  SHA256: 1506235ef20de5e302756790a06e84aba843ef488af220956041a154a0901e98
  SHA512: f248792d2a9ebfb978c5acf8512849c77d0776707be5a568a0cafc00b212dcee6c67de161fa292575b26a82f14c7253be454d9e68f21f0425c41c7f460772a38
- memory/632-55-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
- memory/632-57-0x0000000000230000-0x0000000000260000-memory.dmp (Filesize: 192KB)
- memory/632-54-0x0000000075391000-0x0000000075393000-memory.dmp (Filesize: 8KB)
- memory/1208-71-0x0000000002AD0000-0x0000000002B45000-memory.dmp (Filesize: 468KB)
- memory/1208-72-0x0000000002AD0000-0x0000000002B45000-memory.dmp (Filesize: 468KB)
- memory/1228-60-0x0000000000000000-mapping.dmp
- memory/1660-63-0x0000000000000000-mapping.dmp
- memory/1660-68-0x00000000001C0000-0x00000000001F0000-memory.dmp (Filesize: 192KB)
- memory/1660-66-0x0000000000400000-0x000000000047E000-memory.dmp (Filesize: 504KB)
- memory/1948-58-0x0000000000000000-mapping.dmp
- memory/2032-69-0x0000000000000000-mapping.dmp
- memory/2032-70-0x00000000003D0000-0x0000000000445000-memory.dmp (Filesize: 468KB)