Analysis
- max time kernel: 57s
- max time network: 55s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-06-2022 13:59
Static task: static1
Behavioral task: behavioral1
- Sample: 1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe
- Resource: win10v2004-20220414-en
General
- Target: 1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe
- Size: 388KB
- MD5: 3bfea3a7fa0dd19639673f4c32110fa8
- SHA1: 2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b
- SHA256: 1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402
- SHA512: 05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 1010
- C2: diuolirt.at, deopliazae.at, nifredao.com, filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 1780 Authsvcs.exe
- Deletes itself (1 IoC)
  Process: PID 1780 Authsvcs.exe
- Loads dropped DLL (2 IoCs)
  Process: PID 1408 cmd.exe (2 events)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\catsmifw = "C:\\Users\\Admin\\AppData\\Roaming\\cfgbmime\\Authsvcs.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1780 Authsvcs.exe set thread context of PID 1076 svchost.exe
  PID 1076 svchost.exe set thread context of PID 1312 Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 1780 Authsvcs.exe; PID 1312 Explorer.EXE
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: PID 1780 Authsvcs.exe; PID 1076 svchost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Process: PID 1312 Explorer.EXE (2 events)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Process: PID 1312 Explorer.EXE (2 events)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: PID 1312 Explorer.EXE
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 336 1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe wrote to memory of PID 1304 cmd.exe (4 events)
  PID 1304 cmd.exe wrote to memory of PID 1408 cmd.exe (4 events)
  PID 1408 cmd.exe wrote to memory of PID 1780 Authsvcs.exe (4 events)
  PID 1780 Authsvcs.exe wrote to memory of PID 1076 svchost.exe (7 events)
  PID 1076 svchost.exe wrote to memory of PID 1312 Explorer.EXE (3 events)
Processes
Each level is a child of the level above it; PIDs are taken from the Signatures section.
- Level 1: C:\Windows\Explorer.EXE (PID 1312)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- Level 2: C:\Users\Admin\AppData\Local\Temp\1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe (PID 336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
- Level 3: C:\Windows\SysWOW64\cmd.exe (PID 1304)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FA58\7D2C.bat" "C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\1FFF95~1.EXE""
  - Suspicious use of WriteProcessMemory
- Level 4: C:\Windows\SysWOW64\cmd.exe (PID 1408)
  Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\1FFF95~1.EXE""
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- Level 5: C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe (PID 1780)
  Command line: "C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\1FFF95~1.EXE"
  - Executes dropped EXE
  - Deletes itself
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
- Level 6: C:\Windows\system32\svchost.exe (PID 1076)
  Command line: C:\Windows\system32\svchost.exe
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FA58\7D2C.bat
  Filesize: 108B
  MD5: 75cb48560dca4c634fc389c44ca7de5b
  SHA1: d5c51957004c0d408fcb2c5b9f0b3f6918961add
  SHA256: 674e608ea504991a169544487e32e7e60237f758a4869c2442185a0ad7dea3ef
  SHA512: 61ec995e298dae3061e08ac1fc4fe6f2e52c70435959d02133c379b7ae5d8a91b0c3a33c8ebb4971f9eeee34a9a6a1286c1aadfd5841b2fafd84c5168fa8c6fd
- C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
  Filesize: 388KB
  MD5: 3bfea3a7fa0dd19639673f4c32110fa8
  SHA1: 2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b
  SHA256: 1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402
  SHA512: 05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81
- \Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
  Filesize: 388KB
  MD5: 3bfea3a7fa0dd19639673f4c32110fa8
  SHA1: 2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b
  SHA256: 1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402
  SHA512: 05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81
Memory dumps
- memory/336-57-0x0000000000220000-0x0000000000250000-memory.dmp (192KB)
- memory/336-54-0x0000000075711000-0x0000000075713000-memory.dmp (8KB)
- memory/336-55-0x0000000000400000-0x0000000000463000-memory.dmp (396KB)
- memory/1076-69-0x0000000000000000-mapping.dmp
- memory/1076-70-0x0000000000150000-0x00000000001C5000-memory.dmp (468KB)
- memory/1076-71-0x0000000000150000-0x00000000001C5000-memory.dmp (468KB)
- memory/1304-58-0x0000000000000000-mapping.dmp
- memory/1312-72-0x0000000002B00000-0x0000000002B75000-memory.dmp (468KB)
- memory/1312-73-0x0000000002B00000-0x0000000002B75000-memory.dmp (468KB)
- memory/1408-60-0x0000000000000000-mapping.dmp
- memory/1780-64-0x0000000000000000-mapping.dmp
- memory/1780-67-0x0000000000400000-0x0000000000463000-memory.dmp (396KB)