Analysis

max time kernel: 137s
max time network: 146s
platform: windows10-2004_x64
submitted: 14/06/2022, 11:20

Static task: static1
Behavioral task: behavioral1
Sample: traktor.exe
Resource: win10v2004-20220414-en
General

Target: traktor.exe
Size: 334.3MB
MD5: a0bb2d133b174436a9d4cce527fb78d7
SHA1: 8e72e0115e01f32a2f72d1f31c3e641c6b66ab45
SHA256: 904ca32cb62dc94b61092f80fa78c5bc97d0a5394fa03438aeec85ed87ab763e
SHA512: 8697ef5c6d57cdc87b81216aacc2744b707c11ff3da0b914aa15805e082b03b4c0dcf5ee3f24d7cc235b26d6e1ee88dea20891aeee9d28ddf5b16424916de545

Note on size: 334.3MB is far larger than a loader needs to be, and the file it drops (see Downloads) is almost the same size at 333.8MB. Inflating a binary with padding is a common way to stay above the size limits of AV scanners and upload/sandbox services; pivot on the hashes and the extracted config rather than on the size.
Malware Config

Extracted
Family: gozi_ifsb
Botnet: 7776
C2: update.zonealarm.com, iiso.in

base_path: /drew/
build: 250229
exe_type: loader
extension: .jlk
server_id: 50

Caveat: update.zonealarm.com is a legitimate vendor host. Gozi/ISFB configs regularly mix legitimate domains into the C2 list, so do not block on or attribute to that entry without corroborating traffic; iiso.in and the /drew/ base path with the .jlk extension are the parts to hunt for in proxy logs.
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  548   SEB6A8~1.EXE
  4888  SEB6A8~1.EXE

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
  Process: SEB6A8~1.EXE

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Process: traktor.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: traktor.exe
  Caveat: a wextract_cleanup RunOnce value calling advpack.dll,DelNodeRunDLL32 is the standard cleanup hook written by IExpress/wextract self-extracting packages, which unpack into an IXP###.TMP directory. It deletes that directory at next logon; it is not persistence for the malware. What it does tell you is that traktor.exe is an SFX dropper and SEB6A8~1.EXE is its payload.

Suspicious use of SetThreadContext (1 IoC)
  PID 548 (SEB6A8~1.EXE) set thread context of PID 4888 (SEB6A8~1.EXE, report process #94)
  Read together with the 11 WriteProcessMemory calls from 548 into 4888 below, this is the process-hollowing pattern: the loader starts a second copy of its own image, overwrites it, then redirects its thread. PID 4888 is therefore the process to dump for the unpacked payload.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's signature text labels this "likely ransomware behaviour"; that is a generic description, and nothing else in this report supports it. The extracted config identifies the sample as a gozi_ifsb loader, so read the drive enumeration as environment fingerprinting rather than as ransomware.

Delays execution with timeout.exe (1 IoC)
  PID   Process
  3136  timeout.exe
  Launched as "cmd.exe /c timeout 45" (see Processes): a 45-second sleep, short enough to fit the 137s kernel window here but a common way to outlast shorter analysis windows.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  3604  powershell.exe (2 IoCs)
  548   SEB6A8~1.EXE (2 IoCs)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token                PID   Process
  SeDebugPrivilege     3604  powershell.exe
  SeDebugPrivilege     548   SEB6A8~1.EXE

Suspicious use of WriteProcessMemory (23 IoCs)
  Source PID  Source process  Target PID  Target process   Report process #  Calls
  2212        traktor.exe     548         SEB6A8~1.EXE     79                3
  548         SEB6A8~1.EXE    3604        powershell.exe   85                3
  548         SEB6A8~1.EXE    4784        cmd.exe          91                3
  4784        cmd.exe         3136        timeout.exe      93                3
  548         SEB6A8~1.EXE    4888        SEB6A8~1.EXE     94                11
  The three writes into each ordinary child are the normal cost of process creation and appear for every child in this tree; only the 11 writes into 4888, followed by SetThreadContext, are injection.
Processes

C:\Users\Admin\AppData\Local\Temp\traktor.exe  (PID 2212)
    command line: "C:\Users\Admin\AppData\Local\Temp\traktor.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SEB6A8~1.EXE  (PID 548, child of 2212)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SEB6A8~1.EXE
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3604, child of 548)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 4784, child of 548)
        command line: "C:\Windows\System32\cmd.exe" /c timeout 45
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe  (PID 3136, child of 4784)
          command line: timeout 45
          - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SEB6A8~1.EXE  (PID 4888, child of 548)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SEB6A8~1.EXE
        - Executes dropped EXE

Two details worth reading off the tree: the children of SEB6A8~1.EXE resolve to C:\Windows\SysWOW64 although their command lines name System32, which means the dropped loader is a 32-bit process running under WoW64 on this x64 VM; and the report records no arguments for powershell.exe, so whatever it executed was not captured here.
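The tree above carries four behaviours that each deserve a detection rule: the IExpress/wextract cleanup hook, execution out of an IXP###.TMP directory, a process writing into and then setting the thread context of a child running its own image, and a cmd /c timeout sleep spawned from %TEMP%. The following is an added example, not code from the sandbox report or from the sample: it runs those rules over a constructed event stream that mirrors this report. PIDs, image paths, command lines and the RunOnce value are taken from the report; the event schema (dicts with a "type" field, loosely modelled on Sysmon/EDR telemetry), the placeholder parent PID 1000 for traktor.exe, and the rule names are assumptions.

```python
"""Detection rules for the behaviours in the process tree above.

Added example, not part of the sandbox report or the sample.  The event
schema and rule names are assumptions; the values come from the report.
"""
import re
from collections import defaultdict


def proc(pid, ppid, image, cmdline):
    return {"type": "process_create", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


IXP = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SEB6A8~1.EXE"

# Constructed event stream mirroring the report's tree.  ppid 1000 for
# traktor.exe is a placeholder; the report does not show its parent.
EVENTS = [
    proc(2212, 1000, r"C:\Users\Admin\AppData\Local\Temp\traktor.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\traktor.exe"'),
    {"type": "registry_set", "pid": 2212,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 '
              r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    proc(548, 2212, IXP, IXP),
    proc(3604, 548, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    proc(4784, 548, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c timeout 45'),
    proc(3136, 4784, r"C:\Windows\SysWOW64\timeout.exe", "timeout 45"),
    proc(4888, 548, IXP, IXP),
]
# WriteProcessMemory counts from the report: 3 per ordinary child (the cost of
# CreateProcess itself) and 11 into the second copy of SEB6A8~1.EXE.
for src, dst, n in [(2212, 548, 3), (548, 3604, 3), (548, 4784, 3),
                    (4784, 3136, 3), (548, 4888, 11)]:
    EVENTS += [{"type": "write_process_memory", "pid": src, "target_pid": dst}] * n
EVENTS.append({"type": "set_thread_context", "pid": 548, "target_pid": 4888})


def detect(events):
    """Return one tuple per rule hit: (rule_name, pid, ...)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []

    # 1. IExpress/wextract self-extractor: RunOnce cleanup hook via advpack.dll.
    #    Harmless by itself, but it marks the writer as an SFX dropper.
    for e in events:
        if (e["type"] == "registry_set"
                and re.search(r"\\RunOnce\\wextract_cleanup\d+$", e["key"], re.I)
                and "advpack.dll,DelNodeRunDLL32" in e["value"]):
            alerts.append(("iexpress_sfx_unpack", e["pid"]))

    # 2. Anything executing out of an IXP###.TMP extraction directory.
    for pid, p in procs.items():
        if re.search(r"\\IXP\d{3}\.TMP\\", p["image"], re.I):
            alerts.append(("exec_from_iexpress_tmp", pid))

    # 3. Self-hollowing: parent spawns its own image, writes into it, then
    #    calls SetThreadContext.  Requiring the context switch keeps the three
    #    writes CreateProcess makes into every ordinary child from firing.
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
    for e in events:
        if e["type"] == "set_thread_context":
            src, dst = e["pid"], e["target_pid"]
            child, parent = procs.get(dst), procs.get(src)
            if (child and parent and child["ppid"] == src
                    and writes[(src, dst)] > 0
                    and child["image"].lower() == parent["image"].lower()):
                alerts.append(("self_hollowing", src, dst, writes[(src, dst)]))

    # 4. Sandbox delay: "cmd /c timeout N" launched by a binary living in %TEMP%.
    for pid, p in procs.items():
        m = re.search(r'cmd\.exe"?\s+/c\s+timeout\s+(?:/t\s+)?(\d+)', p["cmdline"], re.I)
        parent = procs.get(p["ppid"])
        if m and parent and re.search(r"\\AppData\\Local\\Temp\\", parent["image"], re.I):
            alerts.append(("timeout_delay", pid, int(m.group(1))))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On this stream the rules fire once each for the RunOnce hook (2212), the timeout sleep (4784) and the self-hollowing (548 into 4888, 11 writes), and twice for execution from IXP000.TMP (548 and 4888); the writes into powershell.exe, cmd.exe and timeout.exe produce nothing, which is the point of tying rule 3 to SetThreadContext rather than to WriteProcessMemory alone.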
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 333.8MB
MD5: 63fdefb66fd14dc92a7d1f773d6f619b
SHA1: 0a96e7edc7a7e4b805f29691a0d39e21453f9eb0
SHA256: 360703b2b2c324dde72dcd0651251c9e882e245c22d6b7e8c3163ed34ddb62b9
SHA512: 8665eaf4ec17bf22c219b32972d4ad3dfa05c581a04cafe727e7514d711c84e078e308d9e3b1ad5f32f7c2435873066b62b7456a05ca00778e1b50f47fd12c47
(The hashes differ from the submitted traktor.exe, so this is a file produced during the run, not the sample itself.)