Analysis
- max time kernel: 145s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-06-2022 13:33
Static task: static1
Behavioral task: behavioral1
- Sample: 29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe
- Resource: win10v2004-20220414-en
General
- Target: 29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe
- Size: 474KB
- MD5: 695579360bdbdab40a0df450af10628d
- SHA1: 254c8f577b9f44727de32aa440328ef00955db59
- SHA256: 29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6
- SHA512: 9314b8dc206a798e05db9796e64da2ed177b8d23777ffb23ca7ebdec63f438a516be6b01c9e65b7c76355bc96e220124200d3e1400d34e4fc094314d50e098ed
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 1010
- C2: diuolirt.at, deopliazae.at, nifredao.com, filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoC)
  Processes: Authsvcs.exe (PID 620)
- Deletes itself (1 IoC)
  Processes: Authsvcs.exe (PID 620)
- Loads dropped DLL (1 IoC)
  Processes: cmd.exe (PID 1256)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\catsmifw = "C:\\Users\\Admin\\AppData\\Roaming\\cfgbmime\\Authsvcs.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  PID 620 (Authsvcs.exe) set thread context of PID 1412 (svchost.exe)
  PID 1412 (svchost.exe) set thread context of PID 1220 (Explorer.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Authsvcs.exe (PID 620), Explorer.EXE (PID 1220)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: Authsvcs.exe (PID 620), svchost.exe (PID 1412)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: Explorer.EXE (PID 1220), Explorer.EXE (PID 1220)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Explorer.EXE (PID 1220), Explorer.EXE (PID 1220)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: Explorer.EXE (PID 1220)
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 1700 (29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe) wrote to memory of PID 1264 (cmd.exe), 4 events
  PID 1264 (cmd.exe) wrote to memory of PID 1256 (cmd.exe), 4 events
  PID 1256 (cmd.exe) wrote to memory of PID 620 (Authsvcs.exe), 4 events
  PID 620 (Authsvcs.exe) wrote to memory of PID 1412 (svchost.exe), 7 events
  PID 1412 (svchost.exe) wrote to memory of PID 1220 (Explorer.EXE), 3 events
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   2. C:\Users\Admin\AppData\Local\Temp\29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\1B32\31.bat" "C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\29AC9F~1.EXE""
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\29AC9F~1.EXE""
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
               Command line: "C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\29AC9F~1.EXE"
               - Executes dropped EXE
               - Deletes itself
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\svchost.exe
                  Command line: C:\Windows\system32\svchost.exe
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\1B32\31.bat
  Filesize: 108B
  MD5: 2471f00d95666c0e4a7c8c0678b7914d
  SHA1: e27a00342fca0f7b49eb0ea5f79247361da280d7
  SHA256: 95c2cc16f6e1c15e856319b26243869e876926b4863a61491c142edd3d55ffdc
  SHA512: a3e31127c9ef235e9f7a8c612824301a76f6e61e66e2516c8b7864bd8b52142f71d770f4e4902aafe309b57dafa7c2222175f9a78dd98342dcd50a8b64230438
- C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
  Filesize: 474KB
  MD5: 695579360bdbdab40a0df450af10628d
  SHA1: 254c8f577b9f44727de32aa440328ef00955db59
  SHA256: 29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6
  SHA512: 9314b8dc206a798e05db9796e64da2ed177b8d23777ffb23ca7ebdec63f438a516be6b01c9e65b7c76355bc96e220124200d3e1400d34e4fc094314d50e098ed
- \Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
  Filesize: 474KB
  MD5: 695579360bdbdab40a0df450af10628d
  SHA1: 254c8f577b9f44727de32aa440328ef00955db59
  SHA256: 29ac9f2b359f91e5403bd422e55fa24ce3f890adc58b59bee29d7b0e3a8259e6
  SHA512: 9314b8dc206a798e05db9796e64da2ed177b8d23777ffb23ca7ebdec63f438a516be6b01c9e65b7c76355bc96e220124200d3e1400d34e4fc094314d50e098ed
Memory dumps
- memory/620-63-0x0000000000000000-mapping.dmp
- memory/620-66-0x0000000000400000-0x0000000000479000-memory.dmp (Filesize: 484KB)
- memory/620-68-0x00000000001F0000-0x0000000000220000-memory.dmp (Filesize: 192KB)
- memory/1220-72-0x0000000002AC0000-0x0000000002B35000-memory.dmp (Filesize: 468KB)
- memory/1220-73-0x0000000002AC0000-0x0000000002B35000-memory.dmp (Filesize: 468KB)
- memory/1256-60-0x0000000000000000-mapping.dmp
- memory/1264-58-0x0000000000000000-mapping.dmp
- memory/1412-69-0x0000000000000000-mapping.dmp
- memory/1412-70-0x00000000003C0000-0x0000000000435000-memory.dmp (Filesize: 468KB)
- memory/1412-71-0x00000000003C0000-0x0000000000435000-memory.dmp (Filesize: 468KB)
- memory/1700-57-0x0000000000230000-0x0000000000260000-memory.dmp (Filesize: 192KB)
- memory/1700-54-0x0000000075F21000-0x0000000075F23000-memory.dmp (Filesize: 8KB)
- memory/1700-55-0x0000000000400000-0x0000000000479000-memory.dmp (Filesize: 484KB)