Analysis
-
max time kernel
146s -
max time network
40s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
14/06/2022, 23:45
Static task
static1
Behavioral task
behavioral1
Sample
2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe
Resource
win10v2004-20220414-en
General
-
Target
2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe
-
Size
752KB
-
MD5
8bc39d61f41a5c6dfac7ad4dc9e158c6
-
SHA1
1192620ceb20e80fcfdf93ef2b81e5e142d0a4cc
-
SHA256
2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31
-
SHA512
3b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464
Malware Config
Extracted
gozi_ifsb
1000
vachiderk.com
siberponis.com
-
exe_type
worker
-
server_id
12
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 608 ACCTient.exe -
Deletes itself 1 IoCs
pid Process 608 ACCTient.exe -
Loads dropped DLL 1 IoCs
pid Process 1108 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audiedit = "C:\\Users\\Admin\\AppData\\Roaming\\bitsmuid\\ACCTient.exe" 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 608 set thread context of 752 608 ACCTient.exe 31 PID 752 set thread context of 1364 752 svchost.exe 4 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 608 ACCTient.exe 1364 Explorer.EXE -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 608 ACCTient.exe 752 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 0 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe Token: 0 608 ACCTient.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 608 ACCTient.exe 608 ACCTient.exe 608 ACCTient.exe 608 ACCTient.exe 608 ACCTient.exe -
Suspicious use of SendNotifyMessage 10 IoCs
pid Process 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 608 ACCTient.exe 608 ACCTient.exe 608 ACCTient.exe 608 ACCTient.exe 608 ACCTient.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1364 Explorer.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1000 wrote to memory of 1760 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 27 PID 1000 wrote to memory of 1760 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 27 PID 1000 wrote to memory of 1760 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 27 PID 1000 wrote to memory of 1760 1000 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe 27 PID 1760 wrote to memory of 1108 1760 cmd.exe 29 PID 1760 wrote to memory of 1108 1760 cmd.exe 29 PID 1760 wrote to memory of 1108 1760 cmd.exe 29 PID 1760 wrote to memory of 1108 1760 cmd.exe 29 PID 1108 wrote to memory of 608 1108 cmd.exe 30 PID 1108 wrote to memory of 608 1108 cmd.exe 30 PID 1108 wrote to memory of 608 1108 cmd.exe 30 PID 1108 wrote to memory of 608 1108 cmd.exe 30 PID 608 wrote to memory of 752 608 ACCTient.exe 31 PID 608 wrote to memory of 752 608 ACCTient.exe 31 PID 608 wrote to memory of 752 608 ACCTient.exe 31 PID 608 wrote to memory of 752 608 ACCTient.exe 31 PID 608 wrote to memory of 752 608 ACCTient.exe 31 PID 608 wrote to memory of 752 608 ACCTient.exe 31 PID 608 wrote to memory of 752 608 ACCTient.exe 31 PID 752 wrote to memory of 1364 752 svchost.exe 4 PID 752 wrote to memory of 1364 752 svchost.exe 4 PID 752 wrote to memory of 1364 752 svchost.exe 4
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe"C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe"2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\70C0\3860.bat" "C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE""3⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\cmd.execmd /C ""C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE""4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe"C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE"5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:752
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
108B
MD59e2c93ce408a9a6956568f14a3d14a83
SHA1daed9ba9422340fc4cc61b4af1f2985f9c80fc0e
SHA2560e5cf374f9ec707505d2bf95e6319a4d774fa8dd016c1431243e482ce722217b
SHA512e3e5ff77897017c2b1376030d5eaf2da0f7ac9e20ba8e7f0f8588cd805ea1039182302b5fbc62326f81ef5d35105e866dd56b8bf045f629431a71bf4571a4cce
-
Filesize
752KB
MD58bc39d61f41a5c6dfac7ad4dc9e158c6
SHA11192620ceb20e80fcfdf93ef2b81e5e142d0a4cc
SHA2562c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31
SHA5123b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464
-
Filesize
752KB
MD58bc39d61f41a5c6dfac7ad4dc9e158c6
SHA11192620ceb20e80fcfdf93ef2b81e5e142d0a4cc
SHA2562c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31
SHA5123b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464
-
Filesize
752KB
MD58bc39d61f41a5c6dfac7ad4dc9e158c6
SHA11192620ceb20e80fcfdf93ef2b81e5e142d0a4cc
SHA2562c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31
SHA5123b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464