Analysis
- max time kernel: 126s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 02:42
Static task: static1

Behavioral task: behavioral1
- Sample: 2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe
- Resource: win10v2004-20220414-en
General
- Target: 2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe
- Size: 351KB
- MD5: 0a32c9e785df05c1c8de665952434a35
- SHA1: 4e0a8e28795ec8e6bae272bf75a8d7a2b138f56f
- SHA256: 2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77
- SHA512: 924c525dd517737b6473f03db5f043ac3af6c3f25ddf580cb88dcc11149fd1bec202d2427f7ce1b3961472c4ddff8d29e14d32bd3254b6eb0f15fa7747631f85
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 1010
- C2 domains: diuolirt.at, deopliazae.at, nifredao.com, filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1564 AcGeecfc.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (by 2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Set value (str): \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Contager = "C:\\Users\\Admin\\AppData\\Roaming\\Bingutil\\AcGeecfc.exe" (by 2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes: pid 2704 WerFault.exe, target pid 1564 AcGeecfc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: pid 1564 AcGeecfc.exe; pid 1564 AcGeecfc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 760 (2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe) wrote to memory of PID 1688 (cmd.exe)
  - PID 760 (2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe) wrote to memory of PID 1688 (cmd.exe)
  - PID 760 (2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe) wrote to memory of PID 1688 (cmd.exe)
  - PID 1688 (cmd.exe) wrote to memory of PID 1492 (cmd.exe)
  - PID 1688 (cmd.exe) wrote to memory of PID 1492 (cmd.exe)
  - PID 1688 (cmd.exe) wrote to memory of PID 1492 (cmd.exe)
  - PID 1492 (cmd.exe) wrote to memory of PID 1564 (AcGeecfc.exe)
  - PID 1492 (cmd.exe) wrote to memory of PID 1564 (AcGeecfc.exe)
  - PID 1492 (cmd.exe) wrote to memory of PID 1564 (AcGeecfc.exe)
  - PID 1564 (AcGeecfc.exe) wrote to memory of PID 1644 (svchost.exe)
  - PID 1564 (AcGeecfc.exe) wrote to memory of PID 1644 (svchost.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CE41\51.bat" "C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\2B4BD6~1.EXE""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\2B4BD6~1.EXE""
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\2B4BD6~1.EXE"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 560
          Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1564 -ip 1564
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\CE41\51.bat
  Filesize: 112B
  MD5: 3a023866bfe9b109657985281f667276
  SHA1: 22c0c5753d9296dfe1e7c0f0aab433423c06c47e
  SHA256: 832507ddea51d78a5224d1cc73ba92158440e9e665250f25ab09fb11770a8907
  SHA512: 79cc19e2b76224faf4d67dccd89e7dd590e348e9ac892d0ae564cc708f0cf3f5196c66cdf6b0a94fc103427f4d1091665df5585fd05a982ed69f4df02810093d
- C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
  Filesize: 351KB
  MD5: 0a32c9e785df05c1c8de665952434a35
  SHA1: 4e0a8e28795ec8e6bae272bf75a8d7a2b138f56f
  SHA256: 2b4bd637dd7847420f5dbfa49a3e088d6f4ed03c47908acced6e83699fdccc77
  SHA512: 924c525dd517737b6473f03db5f043ac3af6c3f25ddf580cb88dcc11149fd1bec202d2427f7ce1b3961472c4ddff8d29e14d32bd3254b6eb0f15fa7747631f85
- memory/760-130-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/760-132-0x0000000000540000-0x0000000000570000-memory.dmp
  Filesize: 192KB
- memory/1492-135-0x0000000000000000-mapping.dmp
- memory/1564-136-0x0000000000000000-mapping.dmp
- memory/1564-139-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1564-141-0x0000000000570000-0x00000000005A0000-memory.dmp
  Filesize: 192KB
- memory/1688-133-0x0000000000000000-mapping.dmp