Analysis
  max time kernel: 60s
  max time network: 105s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 12/06/2022, 21:28

Tasks
  Static task static1
  Behavioral task behavioral1
    Sample: 1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe
    Resource: win7-20220414-en
  Behavioral task behavioral2
    Sample: 1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe
    Resource: win10v2004-20220414-en
General
  Target: 1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe
  Size: 482KB
  MD5: f7f9c6d6ca43fe06303cc2dbd0456742
  SHA1: 2d505875b4e120306259a11dc9f7e4f24030dbc2
  SHA256: 1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d
  SHA512: 74bafab7303ee85c1e76d82ee27e86ad6df6bbbbca56ffd6f868260c3fc40feeb7152641e12b0c4841633601b818109c7a4c6792570998404dbc8c50255712d1
Malware Config
  Extracted: gozi_ifsb
  build: 214963
Signatures

- Executes dropped EXE (1 IoC)
  PID 1136 bridkmon.exe

- Deletes itself (1 IoC)
  PID 1136 bridkmon.exe

- Loads dropped DLL (1 IoC)
  PID 1916 cmd.exe

- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IP 208.67.222.222 (3 occurrences)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe:
  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\certhell = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Authput8\\bridkmon.exe"

- Suspicious use of SetThreadContext (2 IoCs)
  PID 1136 (bridkmon.exe) set thread context of PID 1176 (procid_target 31)
  PID 1176 (svchost.exe) set thread context of PID 1396 (procid_target 15)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1136 bridkmon.exe
  PID 1396 Explorer.EXE

- Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 1136 bridkmon.exe
  PID 1176 svchost.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1396 Explorer.EXE (2 occurrences)

- Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1396 Explorer.EXE (2 occurrences)

- Suspicious use of WriteProcessMemory (31 IoCs)
  PID 1120 (1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe) wrote to memory of PID 1912 (procid_target 27), 4 times
  PID 1912 (cmd.exe) wrote to memory of PID 1916 (procid_target 29), 4 times
  PID 1916 (cmd.exe) wrote to memory of PID 1136 (procid_target 30), 4 times
  PID 1136 (bridkmon.exe) wrote to memory of PID 1176 (procid_target 31), 7 times
  PID 1176 (svchost.exe) wrote to memory of PID 1396 (procid_target 15), 3 times
  PID 1396 (Explorer.EXE) wrote to memory of PID 860 (procid_target 32), 3 times
  PID 860 (cmd.exe) wrote to memory of PID 1432 (procid_target 34), 3 times
  PID 1396 (Explorer.EXE) wrote to memory of PID 2012 (procid_target 35), 3 times
Processes

C:\Windows\Explorer.EXE (PID 1396)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe (PID 1120)
    command line: "C:\Users\Admin\AppData\Local\Temp\1e53c04cd46f339b05a6997303f5befc4efc0de76875abe0180fc27d7fe7322d.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1912)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\A9C7\31.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe" "C:\Users\Admin\AppData\Local\Temp\1E53C0~1.EXE""
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 1916)
        command line: cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe" "C:\Users\Admin\AppData\Local\Temp\1E53C0~1.EXE""
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe (PID 1136)
          command line: "C:\Users\Admin\AppData\Roaming\MICROS~1\Authput8\bridkmon.exe" "C:\Users\Admin\AppData\Local\Temp\1E53C0~1.EXE"
          - Executes dropped EXE
          - Deletes itself
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\svchost.exe (PID 1176)
            command line: C:\Windows\system32\svchost.exe
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 860)
    command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\4238.bi1"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\nslookup.exe (PID 1432)
      command line: nslookup myip.opendns.com resolver1.opendns.com

  C:\Windows\system32\cmd.exe (PID 2012)
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4238.bi1"
Network
MITRE ATT&CK Enterprise v6
Downloads