Analysis
- max time kernel: 46s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 05:31

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 273e3375059410c1509cb182c93c79777ee3a78e883d61f29e927eefbd6a935f.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 273e3375059410c1509cb182c93c79777ee3a78e883d61f29e927eefbd6a935f.exe
  Resource: win10v2004-20220414-en
General
- Target: 273e3375059410c1509cb182c93c79777ee3a78e883d61f29e927eefbd6a935f.exe
- Size: 351KB
- MD5: 28b4415fbd22fa233b2b788bd316c40b
- SHA1: 6f37174d8ec69155f292299504704d8fd07bf27b
- SHA256: 273e3375059410c1509cb182c93c79777ee3a78e883d61f29e927eefbd6a935f
- SHA512: dc0195291847dcedb599e0c472bea9dc3ee7b126827511942dc2b27c307a9f08b41fe33c8a923ef3ce7e2097f9288a45cf6196c42cd045f053b0465bef2da2b6
Malware Config
Extracted: gozi_ifsb
1010
Domains:
- diuolirt.at
- deopliazae.at
- nifredao.com
- filokiyurt.at
Attributes:
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 2028 amxredit.exe
- Deletes itself (1 IoC)
  Processes: PID 2028 amxredit.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 2016 cmd.exe; PID 2016 cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 273e3375059410c1509cb182c93c79777ee3a78e883d61f29e927eefbd6a935f.exe:
  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audial32 = "C:\\Users\\Admin\\AppData\\Roaming\\Audiient\\amxredit.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2028 amxredit.exe set thread context of PID 1452 svchost.exe
  PID 1452 svchost.exe set thread context of PID 1344 Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 2028 amxredit.exe; PID 1344 Explorer.EXE
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: PID 2028 amxredit.exe; PID 1452 svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 1344 Explorer.EXE
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 800 273e3375059410c1509cb182c93c79777ee3a78e883d61f29e927eefbd6a935f.exe wrote to memory of PID 1072 cmd.exe (4 times)
  PID 1072 cmd.exe wrote to memory of PID 2016 cmd.exe (4 times)
  PID 2016 cmd.exe wrote to memory of PID 2028 amxredit.exe (4 times)
  PID 2028 amxredit.exe wrote to memory of PID 1452 svchost.exe (7 times)
  PID 1452 svchost.exe wrote to memory of PID 1344 Explorer.EXE (3 times)
Processes (tree depth as numbered in the report)
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
2. C:\Users\Admin\AppData\Local\Temp\273e3375059410c1509cb182c93c79777ee3a78e883d61f29e927eefbd6a935f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\273e3375059410c1509cb182c93c79777ee3a78e883d61f29e927eefbd6a935f.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\cmd.exe
   Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7F60\F.bat" "C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\273E33~1.EXE""
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\cmd.exe
   Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\273E33~1.EXE""
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
   Command line: "C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\273E33~1.EXE"
   - Executes dropped EXE
   - Deletes itself
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
6. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7F60\F.bat
  Filesize: 108B
  MD5: f78eb2b1d94dd1f5dcf88b070dd4dac5
  SHA1: 1bfa8551a39d132ce77bb37433d8318e0c302f85
  SHA256: a995ee79188f12db48d111fb49e5c1a110d2607c59633ad73300f2108d618bb4
  SHA512: 9226add472206f74077ed30a0baf52201418514ce3bf468d761ee4f3aff4530f8d088a01ee0355f33a8b2c650e17987f29bf71e850c12879ac1aa10d568ae694
- C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
  Filesize: 351KB
  MD5: 28b4415fbd22fa233b2b788bd316c40b
  SHA1: 6f37174d8ec69155f292299504704d8fd07bf27b
  SHA256: 273e3375059410c1509cb182c93c79777ee3a78e883d61f29e927eefbd6a935f
  SHA512: dc0195291847dcedb599e0c472bea9dc3ee7b126827511942dc2b27c307a9f08b41fe33c8a923ef3ce7e2097f9288a45cf6196c42cd045f053b0465bef2da2b6
- \Users\Admin\AppData\Roaming\Audiient\amxredit.exe
  Filesize: 351KB
  MD5: 28b4415fbd22fa233b2b788bd316c40b
  SHA1: 6f37174d8ec69155f292299504704d8fd07bf27b
  SHA256: 273e3375059410c1509cb182c93c79777ee3a78e883d61f29e927eefbd6a935f
  SHA512: dc0195291847dcedb599e0c472bea9dc3ee7b126827511942dc2b27c307a9f08b41fe33c8a923ef3ce7e2097f9288a45cf6196c42cd045f053b0465bef2da2b6
- memory/800-57-0x0000000000460000-0x0000000000490000-memory.dmp (Filesize: 192KB)
- memory/800-54-0x0000000076561000-0x0000000076563000-memory.dmp (Filesize: 8KB)
- memory/800-55-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
- memory/1072-58-0x0000000000000000-mapping.dmp
- memory/1344-73-0x0000000002720000-0x0000000002795000-memory.dmp (Filesize: 468KB)
- memory/1344-72-0x0000000002720000-0x0000000002795000-memory.dmp (Filesize: 468KB)
- memory/1452-70-0x0000000000000000-mapping.dmp
- memory/1452-71-0x00000000000D0000-0x0000000000145000-memory.dmp (Filesize: 468KB)
- memory/2016-60-0x0000000000000000-mapping.dmp
- memory/2028-69-0x0000000000230000-0x0000000000260000-memory.dmp (Filesize: 192KB)
- memory/2028-67-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
- memory/2028-64-0x0000000000000000-mapping.dmp