Analysis
Max time kernel: 139s
Max time network: 141s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 12/06/2022, 22:51
Static task: static1
Behavioral task: behavioral1
  Sample: 1df5bbc1cff3a247d6c3c11980b0118986e74e17e7f3836b3dea87e6f09545e9.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 1df5bbc1cff3a247d6c3c11980b0118986e74e17e7f3836b3dea87e6f09545e9.exe
  Resource: win10v2004-20220414-en
General
Target: 1df5bbc1cff3a247d6c3c11980b0118986e74e17e7f3836b3dea87e6f09545e9.exe
Size: 459KB
MD5: ad75aa67ed2a0092901c74856ccf26d8
SHA1: 2eb24c6044442e90cf309cee62e7acc989e47405
SHA256: 1df5bbc1cff3a247d6c3c11980b0118986e74e17e7f3836b3dea87e6f09545e9
SHA512: aa15086950eb5e4aa342a21f3e7b2d684fd151e78f99e6cda920e086591a95cbcb0f1eb1fb4600e7d6562429e120fb8376b3ed8d2b852ec77ae81d330a2563ff
Malware Config
Extracted family: gozi_ifsb
  build: 214963
Signatures
- Executes dropped EXE (1 IoC)
  pid 2028  process bidiprov.exe
- Deletes itself (1 IoC)
  pid 2028  process bidiprov.exe
- Loads dropped DLL (1 IoC)
  pid 2016  process cmd.exe
- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description: Destination IP  ioc: 208.67.222.222
  description: Destination IP  ioc: 208.67.222.222
  description: Destination IP  ioc: 208.67.222.222
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\actian32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\COLOorui\\bidiprov.exe"
  process: 1df5bbc1cff3a247d6c3c11980b0118986e74e17e7f3836b3dea87e6f09545e9.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description: PID 2028 set thread context of 1956  pid 2028  process bidiprov.exe  procid_target 32
  description: PID 1956 set thread context of 1268  pid 1956  process svchost.exe  procid_target 11
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2028  process bidiprov.exe
  pid 1268  process Explorer.EXE
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 2028  process bidiprov.exe
  pid 1956  process svchost.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeShutdownPrivilege  pid 1268  process Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1268  process Explorer.EXE
  pid 1268  process Explorer.EXE
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1268  process Explorer.EXE
  pid 1268  process Explorer.EXE
- Suspicious use of WriteProcessMemory (31 IoCs)
  Columns: description, pid, process, procid_target. Identical rows are collapsed with their count.
  PID 1732 wrote to memory of 1708  pid 1732  process 1df5bbc1cff3a247d6c3c11980b0118986e74e17e7f3836b3dea87e6f09545e9.exe  procid_target 29  (4 rows)
  PID 1708 wrote to memory of 2016  pid 1708  process cmd.exe  procid_target 30  (4 rows)
  PID 2016 wrote to memory of 2028  pid 2016  process cmd.exe  procid_target 31  (4 rows)
  PID 2028 wrote to memory of 1956  pid 2028  process bidiprov.exe  procid_target 32  (7 rows)
  PID 1956 wrote to memory of 1268  pid 1956  process svchost.exe  procid_target 11  (3 rows)
  PID 1268 wrote to memory of 1276  pid 1268  process Explorer.EXE  procid_target 33  (3 rows)
  PID 1276 wrote to memory of 1444  pid 1276  process cmd.exe  procid_target 35  (3 rows)
  PID 1268 wrote to memory of 1820  pid 1268  process Explorer.EXE  procid_target 36  (3 rows)
Processes
(Each entry is numbered by its depth in the process tree; children are indented under their parent.)

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 1268
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\1df5bbc1cff3a247d6c3c11980b0118986e74e17e7f3836b3dea87e6f09545e9.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1df5bbc1cff3a247d6c3c11980b0118986e74e17e7f3836b3dea87e6f09545e9.exe"
      PID: 1732
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\A725\E57A.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\1DF5BB~1.EXE""
         PID: 1708
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\1DF5BB~1.EXE""
            PID: 2016
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe
               Command line: "C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\1DF5BB~1.EXE"
               PID: 2028
               - Executes dropped EXE
               - Deletes itself
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\svchost.exe
                  Command line: C:\Windows\system32\svchost.exe
                  PID: 1956
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\7658.bi1"
      PID: 1276
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\nslookup.exe
         Command line: nslookup myip.opendns.com resolver1.opendns.com
         PID: 1444

   2. C:\Windows\system32\cmd.exe
      Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\7658.bi1"
      PID: 1820
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 118B
  MD5: ace7e9f29953c4fbd6a930b50f792079
  SHA1: 97511e3438221ac9c30944fca7b91e87978c1248
  SHA256: 58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8
  SHA512: 5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106
- Filesize: 108B
  MD5: 110540422d22cddcdb1f375643345e28
  SHA1: 40ba44d9f9e35c1d25e6339df64bd543da66bfc0
  SHA256: 31767e8cb3742bf5126022eb9a713e2e91131ee909ec7713d92fb5930abac3c2
  SHA512: 6871e1ebbfed20969f6bfd73f3ba65f01843c18811399f31188010a357cb5a666696a181130b37c50821acb6ed37837cbe76dde49294c2368d7787b3eb45e036
- Filesize: 459KB
  MD5: ad75aa67ed2a0092901c74856ccf26d8
  SHA1: 2eb24c6044442e90cf309cee62e7acc989e47405
  SHA256: 1df5bbc1cff3a247d6c3c11980b0118986e74e17e7f3836b3dea87e6f09545e9
  SHA512: aa15086950eb5e4aa342a21f3e7b2d684fd151e78f99e6cda920e086591a95cbcb0f1eb1fb4600e7d6562429e120fb8376b3ed8d2b852ec77ae81d330a2563ff