Analysis
- max time kernel: 90s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-06-2022 04:46
Static task: static1
Behavioral task: behavioral1
  Sample: 2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe
  Resource: win10v2004-20220414-en
General
- Target: 2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe
- Size: 361KB
- MD5: 89fcd562f34d2b8aac582c852c85b2ae
- SHA1: bf816e7b9be16330f8fd74585ba81821d5b76626
- SHA256: 2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3
- SHA512: 83b10cbecbb7ffd96b1000e36818ae3cefdfa76cc67e68e43bdc0ad661665f816940e5c6d470c641c48255fb9de7d0905392cc2e5aaeaa7eb18fb6ee995cdb14
Malware Config
Extracted
- gozi_ifsb
- 1010
- diuolirt.at
- deopliazae.at
- nifredao.com
- filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    2264  Actipi32.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                process
    Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                                                      process
    Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcWioker = "C:\\Users\\Admin\\AppData\\Roaming\\Addrdlet\\Actipi32.exe"  2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    4416  2264        WerFault.exe  Actipi32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2264  Actipi32.exe
    2264  Actipi32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                        pid   process                                                                process target
    PID 4460 wrote to memory of 4968   4460  2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe  cmd.exe
    PID 4460 wrote to memory of 4968   4460  2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe  cmd.exe
    PID 4460 wrote to memory of 4968   4460  2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe  cmd.exe
    PID 4968 wrote to memory of 392    4968  cmd.exe                                                                cmd.exe
    PID 4968 wrote to memory of 392    4968  cmd.exe                                                                cmd.exe
    PID 4968 wrote to memory of 392    4968  cmd.exe                                                                cmd.exe
    PID 392 wrote to memory of 2264    392   cmd.exe                                                                Actipi32.exe
    PID 392 wrote to memory of 2264    392   cmd.exe                                                                Actipi32.exe
    PID 392 wrote to memory of 2264    392   cmd.exe                                                                Actipi32.exe
    PID 2264 wrote to memory of 828    2264  Actipi32.exe                                                           svchost.exe
    PID 2264 wrote to memory of 828    2264  Actipi32.exe                                                           svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\76AC\BB65.bat" "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\2AAF46~1.EXE""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\2AAF46~1.EXE""
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\2AAF46~1.EXE"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 560
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2264 -ip 2264
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\76AC\BB65.bat
  Filesize: 112B
  MD5: f44fb8160e32ca728821611501d366f3
  SHA1: b8ed29184e1f1e5d99243ed7b84ac1c5be0378a1
  SHA256: 5fa3ab7279fdfafa35a04ea18c4d5f700e051f9419e0827df802f993793aba08
  SHA512: 8f823dc53aba79844778c1a940baff4901f9d77def0258020d9fcb1df0a72f1d8ec5976b8c70bee0160b3ae6d1577daedc2f8acebc55b19f11628dd15077129b
- C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
  Filesize: 361KB
  MD5: 89fcd562f34d2b8aac582c852c85b2ae
  SHA1: bf816e7b9be16330f8fd74585ba81821d5b76626
  SHA256: 2aaf46b89e19e0d67865ed96a16114882b57ff48541b3cf4b611949bd5f241c3
  SHA512: 83b10cbecbb7ffd96b1000e36818ae3cefdfa76cc67e68e43bdc0ad661665f816940e5c6d470c641c48255fb9de7d0905392cc2e5aaeaa7eb18fb6ee995cdb14
- memory/392-135-0x0000000000000000-mapping.dmp
- memory/2264-136-0x0000000000000000-mapping.dmp
- memory/2264-139-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/2264-141-0x0000000000580000-0x00000000005B0000-memory.dmp
  Filesize: 192KB
- memory/4460-130-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/4460-132-0x00000000021C0000-0x00000000021F0000-memory.dmp
  Filesize: 192KB
- memory/4968-133-0x0000000000000000-mapping.dmp