Analysis
- max time kernel: 50s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 03:52
Static task: static1
Behavioral task: behavioral1
- Sample: 27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217.exe
- Resource: win10v2004-20220414-en
General
- Target: 27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217.exe
- Size: 388KB
- MD5: 6f53973fc74e45dfd268d788875213cd
- SHA1: 8d9650b42290b5d41e15eea0d6a6ffac5f8ec6d7
- SHA256: 27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217
- SHA512: 21b18db60020b449d211d9c233d04387be19f9b0730c1cb49f6d4e5f4c8ce5b92ca8e311b490731b78299add07dce0c80c7fe56341cf4072e2c1332076b812a5
Malware Config
Extracted
- gozi_ifsb
- 1010
- diuolirt.at
- deopliazae.at
- nifredao.com
- filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1112 ACCTient.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
    1112 ACCTient.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1444 cmd.exe
    1444 cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audiedit = "C:\\Users\\Admin\\AppData\\Roaming\\bitsmuid\\ACCTient.exe" | 27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 1112 set thread context of 2040 | 1112 | ACCTient.exe | svchost.exe
    PID 2040 set thread context of 1396 | 2040 | svchost.exe | Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    1112 ACCTient.exe
    1396 Explorer.EXE
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    1112 ACCTient.exe
    2040 svchost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
    1396 Explorer.EXE
    1396 Explorer.EXE
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid, process):
    1396 Explorer.EXE
    1396 Explorer.EXE
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    1396 Explorer.EXE
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description, pid, process, target process); repeated identical rows are grouped with their count:
    PID 1120 wrote to memory of 1912 | 1120 | 27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217.exe | cmd.exe (4 entries)
    PID 1912 wrote to memory of 1444 | 1912 | cmd.exe | cmd.exe (4 entries)
    PID 1444 wrote to memory of 1112 | 1444 | cmd.exe | ACCTient.exe (4 entries)
    PID 1112 wrote to memory of 2040 | 1112 | ACCTient.exe | svchost.exe (7 entries)
    PID 2040 wrote to memory of 1396 | 2040 | svchost.exe | Explorer.EXE (3 entries)
Processes
1. C:\Windows\Explorer.EXE (PID 1396)
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
  2. C:\Users\Admin\AppData\Local\Temp\27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217.exe (PID 1120)
     Command line: "C:\Users\Admin\AppData\Local\Temp\27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217.exe"
     - Adds Run key to start application
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe (PID 1912)
       Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9418\4A0C.bat" "C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\27A046~1.EXE""
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\cmd.exe (PID 1444)
         Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\27A046~1.EXE""
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe (PID 1112)
           Command line: "C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\27A046~1.EXE"
           - Executes dropped EXE
           - Deletes itself
           - Suspicious use of SetThreadContext
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious behavior: MapViewOfSection
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\system32\svchost.exe (PID 2040)
             Command line: C:\Windows\system32\svchost.exe
             - Suspicious use of SetThreadContext
             - Suspicious behavior: MapViewOfSection
             - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 108B
  MD5: 711f5bc160c81ce51b3111bbd9831ec6
  SHA1: 7b3df7761092b902aa19e77144d2409ace57e1ff
  SHA256: 0f2d3efbc7a309061f8c68e051c7424fc62135b3f1865db994ce1fa28e0e0dc7
  SHA512: ea77305f7c1176eef45b20dc46634eb422599f63d512f40751e2325428617f0c0d5abc60cdab8b33afda85e1e5d6a58051d2bd9fa2c3e3ec958e420f0e935453
- Filesize: 388KB (4 entries with identical hashes; they match the submitted sample)
  MD5: 6f53973fc74e45dfd268d788875213cd
  SHA1: 8d9650b42290b5d41e15eea0d6a6ffac5f8ec6d7
  SHA256: 27a04637d9163782c1180141faeab903af0e45ec420da738c66770739be02217
  SHA512: 21b18db60020b449d211d9c233d04387be19f9b0730c1cb49f6d4e5f4c8ce5b92ca8e311b490731b78299add07dce0c80c7fe56341cf4072e2c1332076b812a5