Analysis Overview
SHA256
2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31
Threat Level: Known bad
The file 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31 was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks computer location settings
Accesses Microsoft Outlook accounts
Adds Run key to start application
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Enumerates processes with tasklist
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
outlook_office_path
Runs net.exe
Discovers systems in the same network
Gathers system information
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-14 23:45
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-14 23:45
Reported
2022-06-15 03:33
Platform
win10v2004-20220414-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Gozi, Gozi IFSB
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Explorer.EXE | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook | C:\Windows\Explorer.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Explorer.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Explorer.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Explorer.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\Explorer.EXE | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\Explorer.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcWioker = "C:\\Users\\Admin\\AppData\\Roaming\\Addrdlet\\Actipi32.exe" | C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 236 set thread context of 1500 | N/A | C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe | C:\Windows\system32\svchost.exe |
| PID 1500 set thread context of 2996 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Explorer.EXE | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Explorer.EXE | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe
"C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8C42\4621.bat" "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE""
C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE""
C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
"C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\8218.bin1 > C:\Users\Admin\AppData\Local\Temp\8218.bin & del C:\Users\Admin\AppData\Local\Temp\8218.bin1"
C:\Windows\system32\makecab.exe
makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\D265.bin"
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.140:80 | tcp | |
| NL | 52.109.88.35:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 20.42.65.84:443 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | vachiderk.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
Files
memory/3152-130-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/3152-132-0x00000000022A0000-0x00000000022C0000-memory.dmp
memory/4076-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8C42\4621.bat
| MD5 | 93d118118810cff1584a112fa4086fe5 |
| SHA1 | d219d8fb69639b464ddbe73cbcd3b9ed6fb6ba40 |
| SHA256 | 1cdae7d4d4cca1ddbdafabaf0a199b49421ce7c9798684208882113de858f1d9 |
| SHA512 | 29aa24286eda22f861f49d3372689b6edd4b6f84ca7afa47a498f73df20906d8951675988347bef03797f56f4936ea7adcfa2380aee93eb49fcbffae0ee94ece |
memory/3780-135-0x0000000000000000-mapping.dmp
memory/236-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
| MD5 | 8bc39d61f41a5c6dfac7ad4dc9e158c6 |
| SHA1 | 1192620ceb20e80fcfdf93ef2b81e5e142d0a4cc |
| SHA256 | 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31 |
| SHA512 | 3b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464 |
memory/1500-140-0x0000000000000000-mapping.dmp
memory/1500-141-0x00000000000A0000-0x00000000001D1000-memory.dmp
memory/2996-142-0x0000000007BC0000-0x0000000007CF1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
| MD5 | 8bc39d61f41a5c6dfac7ad4dc9e158c6 |
| SHA1 | 1192620ceb20e80fcfdf93ef2b81e5e142d0a4cc |
| SHA256 | 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31 |
| SHA512 | 3b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464 |
memory/2996-144-0x0000000007BC0000-0x0000000007CF1000-memory.dmp
memory/4800-145-0x0000000000000000-mapping.dmp
memory/1596-146-0x0000000000000000-mapping.dmp
memory/4884-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | d98f59834dccc66309ced19ad44f311d |
| SHA1 | 9e1c8bdf6db391f25980f80f8e96838789c34570 |
| SHA256 | 1686e3f47744baca25b6b3d2280ddd7e5e55e66edc733cecad968eee50c20f3c |
| SHA512 | c0aa2344a041da9e04a5cdb84a157cf8e6544def179f21b266bf219a77fafbe8bbd09442bf8f577288ed11b8c94c2ddffa82801e2b6a9eaad32d70e8069a01bd |
memory/1100-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | d98f59834dccc66309ced19ad44f311d |
| SHA1 | 9e1c8bdf6db391f25980f80f8e96838789c34570 |
| SHA256 | 1686e3f47744baca25b6b3d2280ddd7e5e55e66edc733cecad968eee50c20f3c |
| SHA512 | c0aa2344a041da9e04a5cdb84a157cf8e6544def179f21b266bf219a77fafbe8bbd09442bf8f577288ed11b8c94c2ddffa82801e2b6a9eaad32d70e8069a01bd |
memory/1952-151-0x0000000000000000-mapping.dmp
memory/2932-152-0x0000000000000000-mapping.dmp
memory/4804-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | 4af7a207e872080a115ccd8e175524fb |
| SHA1 | 416d91f08bf3f530cc9cb53c95dde88d224cc95c |
| SHA256 | 51f81cc0b6888bd52e8570a41f697ea62fb5bd76baf679716ccb3133de4deb42 |
| SHA512 | 5a88d1b37032d8d0e1f9728b4f63107f3c3e8d6f3183dad06f725f0204d8f32e553490d52a5885907db35baa57ffd4948c82e65e2b401b2265a125b1985e0cba |
memory/4516-155-0x0000000000000000-mapping.dmp
memory/4512-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | f02cbc43ab8c908677c531da59e4b3f5 |
| SHA1 | f6c88f1e3b75e206f71ed4ab685bb3beb6e41394 |
| SHA256 | 4cfab6f7734c43adb38b111680328b02cb24daccf0f06d888fe376adc0c75e70 |
| SHA512 | 5cfacf85826d9f7710ce06262cabdf9958b137c2d098636782f3cac194130ee90eb62f05f5247e24a5bc134c7ea1fcfec4299c833307bb4710cce7c69b54941e |
memory/4152-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | f02cbc43ab8c908677c531da59e4b3f5 |
| SHA1 | f6c88f1e3b75e206f71ed4ab685bb3beb6e41394 |
| SHA256 | 4cfab6f7734c43adb38b111680328b02cb24daccf0f06d888fe376adc0c75e70 |
| SHA512 | 5cfacf85826d9f7710ce06262cabdf9958b137c2d098636782f3cac194130ee90eb62f05f5247e24a5bc134c7ea1fcfec4299c833307bb4710cce7c69b54941e |
memory/3720-160-0x0000000000000000-mapping.dmp
memory/4048-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | f6c7ca305aea91134643d1c04801e68b |
| SHA1 | 4a236c34329f86f2f9f9e33cd0be3393e52ba7e8 |
| SHA256 | f76a676ce889c3d8950e185e904a626341240c006434e991fad8a66f2e4287ec |
| SHA512 | 44cd8dc6ba6daf64025b6805be6ef82960c37d494b3182bed93177fad1ef2eb52f361e204e3db2ac82a991f3d4ced74ba77f4d4bae4b3fab82c5145c01f8f7ee |
memory/1420-163-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | f6c7ca305aea91134643d1c04801e68b |
| SHA1 | 4a236c34329f86f2f9f9e33cd0be3393e52ba7e8 |
| SHA256 | f76a676ce889c3d8950e185e904a626341240c006434e991fad8a66f2e4287ec |
| SHA512 | 44cd8dc6ba6daf64025b6805be6ef82960c37d494b3182bed93177fad1ef2eb52f361e204e3db2ac82a991f3d4ced74ba77f4d4bae4b3fab82c5145c01f8f7ee |
memory/1940-165-0x0000000000000000-mapping.dmp
memory/3136-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | d5123e06673c663f87423483a277955d |
| SHA1 | 90c16e2a299aa13f3556dbe919b3f09eefc400b6 |
| SHA256 | f8bae5be58a7f830d658dcc4c594b32c00a08f1754b7e6aac3c233f123b172e9 |
| SHA512 | 36badf8b4b03cfb620175e1d9fcad6734bc09f993425f98682c07515fa1916f97dcd21ba6b5c615a133052a2993cae99b76fd946daefebb3da4ef3e847b53dec |
memory/4116-168-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | d5123e06673c663f87423483a277955d |
| SHA1 | 90c16e2a299aa13f3556dbe919b3f09eefc400b6 |
| SHA256 | f8bae5be58a7f830d658dcc4c594b32c00a08f1754b7e6aac3c233f123b172e9 |
| SHA512 | 36badf8b4b03cfb620175e1d9fcad6734bc09f993425f98682c07515fa1916f97dcd21ba6b5c615a133052a2993cae99b76fd946daefebb3da4ef3e847b53dec |
memory/4004-170-0x0000000000000000-mapping.dmp
memory/528-171-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | 9eea7682e14d0811e09a5f863e9297a0 |
| SHA1 | 45b7f976b49756adb2221d4069be3a671caab302 |
| SHA256 | 7f23d5c7c800c820e3794df7f892a5ec934048e09615f8057a2795f95e30bdfe |
| SHA512 | 069c89529dfc42d0a0c779b60ab6e142fbf68521f30fbe84ec99fa2164cfe8b5a9ae6bc980d11df8aba902c70f9654fe00bd275ac449d1c3a11b2e705537af61 |
memory/1184-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8218.bin1
| MD5 | 9eea7682e14d0811e09a5f863e9297a0 |
| SHA1 | 45b7f976b49756adb2221d4069be3a671caab302 |
| SHA256 | 7f23d5c7c800c820e3794df7f892a5ec934048e09615f8057a2795f95e30bdfe |
| SHA512 | 069c89529dfc42d0a0c779b60ab6e142fbf68521f30fbe84ec99fa2164cfe8b5a9ae6bc980d11df8aba902c70f9654fe00bd275ac449d1c3a11b2e705537af61 |
C:\Users\Admin\AppData\Local\Temp\8218.bin
| MD5 | 9eea7682e14d0811e09a5f863e9297a0 |
| SHA1 | 45b7f976b49756adb2221d4069be3a671caab302 |
| SHA256 | 7f23d5c7c800c820e3794df7f892a5ec934048e09615f8057a2795f95e30bdfe |
| SHA512 | 069c89529dfc42d0a0c779b60ab6e142fbf68521f30fbe84ec99fa2164cfe8b5a9ae6bc980d11df8aba902c70f9654fe00bd275ac449d1c3a11b2e705537af61 |
memory/3436-176-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\D265.bin
| MD5 | af26c91505f4978d7f34b6224c4fb049 |
| SHA1 | 92cbb1dc67ca226b2d2f53e70bbdb3fa08914b3c |
| SHA256 | 51d5bfff01953dfec651362304346b2bd5461086d6256fc862f5304bcd6f6542 |
| SHA512 | 07d2c6171dcff6ff2cae483adbbb12f582a457401ee3b902826ef7657f498007ddf3b3eb74b30039668752c3c5749a91ed934f86734f1d208f34af6b318f7119 |
C:\Users\Admin\AppData\Local\Temp\8218.bin
| MD5 | 9eea7682e14d0811e09a5f863e9297a0 |
| SHA1 | 45b7f976b49756adb2221d4069be3a671caab302 |
| SHA256 | 7f23d5c7c800c820e3794df7f892a5ec934048e09615f8057a2795f95e30bdfe |
| SHA512 | 069c89529dfc42d0a0c779b60ab6e142fbf68521f30fbe84ec99fa2164cfe8b5a9ae6bc980d11df8aba902c70f9654fe00bd275ac449d1c3a11b2e705537af61 |
C:\Users\Admin\AppData\Local\Temp\setup.inf
| MD5 | 5f81b025bbf39e2459d660a0431e73b2 |
| SHA1 | 0945caa77d94d62dd3412c459a994ffe750fea75 |
| SHA256 | dcc6d51c4a8c1a0013043fa3ec6473a81e497df7a66e8df017a4b5e1b7542f5f |
| SHA512 | 98d1ffe5a7b946bb1fa0ab86766c7d232e1eb8c9087d6b1b2023b0511a6e012fa79dc72e04c1e9f9191727f77a54e46de6e099c020e40b39a495c3d8b34a31d5 |
C:\Users\Admin\AppData\Local\Temp\setup.rpt
| MD5 | 5b421c22949692fdfb495c4b549a169f |
| SHA1 | dcc91642ac7c33f631b64294379b580784858fa0 |
| SHA256 | 9d4f66fcfc55f5a35491013a747f1ee05e8702e4687d5e52165ca35f9d8e9a12 |
| SHA512 | 740b72c705a00169988923f8563c588a1675a9e469d9e367c8bf1e57b21f442dcae68c8fa1f50f812cfd150d8cdfc2597d03bc4539a4d09a6afe7c2c6c04f581 |
C:\Users\Admin\AppData\Local\Temp\DB09.bin
| MD5 | d94d1b42146a38260dfd9ec24cd537be |
| SHA1 | 0200f5c20a05609b26a0b4cd87d81e43c976c7f7 |
| SHA256 | 0713e9f4a7767b02417b652764e017dfa3bd6c30a7471ddbca521ffb367d3e69 |
| SHA512 | 02c45bbc6edcb781908ef709455200edfdc168fc134b5f36b3d436ea5f211fd7e644af0e93365b5222566fa856298d8a6b7fb6d1d9d99811386568fbddc8985f |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-14 23:45
Reported
2022-06-15 03:33
Platform
win7-20220414-en
Max time kernel
146s
Max time network
40s
Command Line
Signatures
Gozi, Gozi IFSB
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audiedit = "C:\\Users\\Admin\\AppData\\Roaming\\bitsmuid\\ACCTient.exe" | C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 608 set thread context of 752 | N/A | C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe | C:\Windows\system32\svchost.exe |
| PID 752 set thread context of 1364 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe
"C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\70C0\3860.bat" "C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE""
C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE""
C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe
"C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
Files
memory/1000-54-0x0000000075F21000-0x0000000075F23000-memory.dmp
memory/1000-55-0x0000000000400000-0x00000000004BE000-memory.dmp
memory/1000-57-0x00000000003E0000-0x0000000000400000-memory.dmp
memory/1760-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\70C0\3860.bat
| MD5 | 9e2c93ce408a9a6956568f14a3d14a83 |
| SHA1 | daed9ba9422340fc4cc61b4af1f2985f9c80fc0e |
| SHA256 | 0e5cf374f9ec707505d2bf95e6319a4d774fa8dd016c1431243e482ce722217b |
| SHA512 | e3e5ff77897017c2b1376030d5eaf2da0f7ac9e20ba8e7f0f8588cd805ea1039182302b5fbc62326f81ef5d35105e866dd56b8bf045f629431a71bf4571a4cce |
memory/1108-60-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe
| MD5 | 8bc39d61f41a5c6dfac7ad4dc9e158c6 |
| SHA1 | 1192620ceb20e80fcfdf93ef2b81e5e142d0a4cc |
| SHA256 | 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31 |
| SHA512 | 3b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464 |
C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe
| MD5 | 8bc39d61f41a5c6dfac7ad4dc9e158c6 |
| SHA1 | 1192620ceb20e80fcfdf93ef2b81e5e142d0a4cc |
| SHA256 | 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31 |
| SHA512 | 3b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464 |
C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe
| MD5 | 8bc39d61f41a5c6dfac7ad4dc9e158c6 |
| SHA1 | 1192620ceb20e80fcfdf93ef2b81e5e142d0a4cc |
| SHA256 | 2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31 |
| SHA512 | 3b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464 |
memory/608-63-0x0000000000000000-mapping.dmp
memory/752-68-0x0000000000000000-mapping.dmp
memory/752-69-0x0000000000480000-0x00000000005B1000-memory.dmp
memory/752-70-0x0000000000480000-0x00000000005B1000-memory.dmp
memory/1364-71-0x0000000004CA0000-0x0000000004DD1000-memory.dmp