Analysis

Max time kernel: 140s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 20-06-2022 04:07

Static task: static1

Behavioral task: behavioral1
  Sample: 3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe
  Resource: win10v2004-20220414-en

The signatures, process tree and dumps below are from the windows10-2004_x64 run (behavioral2, resource win10v2004-20220414-en), as the Platform and Resource fields above record.
General

Target: 3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe
Size: 388KB
MD5: 155203d92c9d8514fdea49e38d796a2d
SHA1: 95730596a750676d8649ced7233f2e6da29a7f0f
SHA256: 3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1
SHA512: 6ff8269a57be0a6198f3fd78c154ffd9f96936bf5e248c2208fd9938d6c4174334ce733866312eb71cb6149d1d1b2bd2b55417222d18c8ab118658efabf8c2ea
Malware Config

Extracted
  Family: gozi_ifsb
  1010 (this field is unlabelled in the rendering here; in this report layout the value between the family and the C2 list is normally the Gozi botnet ID)
  C2:
    diuolirt.at
    deopliazae.at
    nifredao.com
    filokiyurt.at
  Attributes:
    exe_type: worker
    server_id: 12

These four domains come from the configuration embedded in the binary, not from observed traffic: the Network section of this report carries no entries, so treat them as indicators from the static config rather than as confirmed connection attempts.
Signatures

Executes dropped EXE (1 IoC)
  Process: Actipi32.exe (PID 888)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried by 3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe:
    \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe:
    \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcWioker = "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe"
  (The user's Run key, i.e. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; the value name is AcWioker and it points at the self-copy under %APPDATA%\Addrdlet.)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's stock text calls this "likely ransomware behaviour", but that is the generic description attached to the signature, not a finding about this sample: no IoC is attached to it, and nothing else in the run (the Gozi config, the Run-key persistence, the write into svchost.exe) points to file encryption.

Program crash (1 IoC)
  WerFault.exe (PID 2280) handled a crash of Actipi32.exe (PID 888).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: Actipi32.exe (PID 888), recorded twice.

Suspicious use of WriteProcessMemory (11 IoCs)
  Source process -> target process (number of entries as recorded):
    PID 4124 3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe -> PID 4288 cmd.exe   (3)
    PID 4288 cmd.exe -> PID 1488 cmd.exe                                                                 (3)
    PID 1488 cmd.exe -> PID 888 Actipi32.exe                                                             (3)
    PID 888 Actipi32.exe -> PID 2336 svchost.exe                                                         (2)
  The three-entries-per-child pattern on the first three pairs is what this sandbox records when a parent simply creates a child process. The pair that matters is the last one: the dropped copy writing into an svchost.exe it spawned itself, which is consistent with process injection. The report does not show what was written, and no memory dump of PID 2336 is listed under Downloads.
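The three behaviours above (a Run value pointing into a user-writable directory, a self-copy of the running executable into that directory, and a cross-process write from that copy into svchost.exe) are the ones worth turning into detection logic. The script below is an added example, not part of the sandbox report and not any product's rule set. It runs over constructed telemetry records that mirror the report's PIDs, paths, SID and Run value; the event shape and field names (`type`, `pid`, `image`, `key`, `data`, `target_image`, `sha256`) and the rule names are this example's own conventions, not a Sysmon or EDR schema, and the benign "Vendor" installer records are constructed as a control case.

```python
"""Detection logic for the chain recorded above, run over constructed telemetry.

Added example, not part of the sandbox report. The event dicts below are
constructed to mirror the report's IoCs (paths, PIDs, Run value, SID) in a
generic shape; the field names are this example's own convention, not the
schema of Sysmon or any EDR product.
"""
import re

# Values copied from the report.
SAMPLE_SHA256 = "3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1"
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe"
RUN_VALUE = (r"\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcWioker")

# Rule parameters (assumptions for this example; tune per environment).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData)\\", re.I)
INJECTION_TARGETS = {"svchost.exe"}   # the host process written to in this run

# Constructed telemetry (not captured logs) mirroring the report's process chain,
# plus one benign control: a vendor installer in Program Files registering a Run value.
EVENTS = [
    {"type": "process_create", "pid": 4124, "ppid": 1000, "image": DROPPER, "sha256": SAMPLE_SHA256},
    {"type": "reg_set_value", "pid": 4124, "key": RUN_VALUE, "data": DROPPED},
    {"type": "file_write", "pid": 4124, "path": DROPPED, "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 888, "ppid": 1488, "image": DROPPED, "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 2336, "ppid": 888, "image": r"C:\Windows\system32\svchost.exe"},
    {"type": "remote_write", "pid": 888, "target_pid": 2336, "target_image": r"C:\Windows\system32\svchost.exe"},
    {"type": "process_create", "pid": 5000, "ppid": 1000, "image": r"C:\Program Files\Vendor\setup.exe", "sha256": "00" * 32},
    {"type": "reg_set_value", "pid": 5000,
     "key": r"\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\agent.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) alerts in event order."""
    procs = {}    # pid -> (image path, sha256) from process_create events seen so far
    alerts = []
    for e in events:
        t = e["type"]
        if t == "process_create":
            procs[e["pid"]] = (e["image"], e.get("sha256"))
        elif t == "reg_set_value":
            # T1547.001: a Run value whose target lives in a user-writable directory.
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
                alerts.append(("run_key_user_writable", e["pid"], e["data"]))
        elif t == "file_write":
            # Self-copy: the written file hashes the same as the writer's own image.
            img = procs.get(e["pid"])
            if img and img[1] and img[1] == e.get("sha256") and USER_WRITABLE.search(e["path"]):
                alerts.append(("self_copy_to_user_dir", e["pid"], e["path"]))
        elif t == "remote_write":
            # A binary running from a user-writable directory writes into a system host process.
            img = procs.get(e["pid"])
            if img and USER_WRITABLE.search(img[0]) and basename(e["target_image"]) in INJECTION_TARGETS:
                alerts.append(("user_dir_process_writes_into_host", e["pid"], e["target_pid"]))
    return alerts


def chain_hits(alerts):
    """Correlate per PID: two rules on one PID (persist + self-copy) marks the dropper;
    the remote write alone is enough to mark the payload process."""
    by_pid = {}
    for rule, pid, _ in alerts:
        by_pid.setdefault(pid, set()).add(rule)
    return {pid: rules for pid, rules in by_pid.items()
            if len(rules) >= 2 or "user_dir_process_writes_into_host" in rules}


if __name__ == "__main__":
    hits = detect(EVENTS)
    for alert in hits:
        print(alert)
    print(chain_hits(hits))
```

Against the constructed events this fires three alerts, two on the dropper (PID 4124: Run value into %APPDATA%, self-copy with an identical hash) and one on the copy (PID 888 writing into PID 2336), and stays silent on the Program Files control. The self-copy rule keys on the hash match rather than the file name, which is what makes it survive the rename from the original sample to Actipi32.exe.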
Processes

(Numbers are the nesting depth recorded in the report.)

1. C:\Users\Admin\AppData\Local\Temp\3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1.exe"
   Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4720\10.bat" "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\3305C3~1.EXE""
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\3305C3~1.EXE""
         Signatures: Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\3305C3~1.EXE"
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\svchost.exe
               Command line: C:\Windows\system32\svchost.exe
            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 600
               Signatures: Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 888 -ip 888

Reading the tree: the sample (PID 4124) copies itself to %APPDATA%\Addrdlet\Actipi32.exe, registers that path under the user's Run key, and then hands off to a 112-byte batch file (%TEMP%\4720\10.bat) through two nested cmd.exe hops, passing both the copy's path and the original's 8.3 short path (3305C3~1.EXE) as arguments. The copy (PID 888) is launched with the original's path as its argument; what 10.bat itself does with that path is not captured in this report (only its hashes are listed under Downloads). The copy spawns svchost.exe (PID 2336), writes into it, and then crashes, which WerFault.exe reports for PID 888. The sample asked for C:\Windows\system32\cmd.exe but the child resolved to C:\Windows\SysWOW64\cmd.exe, and WerFault likewise runs from SysWOW64, so the sample is a 32-bit process running under WOW64 on the x64 VM.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\4720\10.bat
  Filesize: 112B
  MD5: 102e807fdd95515902cb686b445e869e
  SHA1: 5fad4078f070ee93925fae6effcfa77af5cf9f78
  SHA256: b55bfc9c093c7b4f4c26e518a3be9282a81c92443a8f0203502c03191ae6bf3d
  SHA512: 91be15e682a883e7997483b50cc4febaefc180a109e09d6db3caa18730c6ed39c3c4d8b7185064328cb5412316b09eab3ede1aaa04189ded5a5492122ed2d014

C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe (the report lists this file twice with identical hashes)
  Filesize: 388KB
  MD5: 155203d92c9d8514fdea49e38d796a2d
  SHA1: 95730596a750676d8649ced7233f2e6da29a7f0f
  SHA256: 3305c317a914b61dbf2d6cadfe845f60b8e54c0c2b66a52e46027dd4b26af2f1
  SHA512: 6ff8269a57be0a6198f3fd78c154ffd9f96936bf5e248c2208fd9938d6c4174334ce733866312eb71cb6149d1d1b2bd2b55417222d18c8ab118658efabf8c2ea
  All four hashes match the submitted sample in the General section: the persisted copy is byte-identical to the original, so a hash-based detection for the sample also covers the copy; only the path and file name differ.

Memory dumps:
  memory/888-136-0x0000000000000000-mapping.dmp
  memory/888-139-0x0000000000400000-0x0000000000463000-memory.dmp   Filesize: 396KB
  memory/888-141-0x00000000005C0000-0x00000000005F0000-memory.dmp   Filesize: 192KB
  memory/1488-135-0x0000000000000000-mapping.dmp
  memory/4124-130-0x0000000000400000-0x0000000000463000-memory.dmp  Filesize: 396KB
  memory/4124-132-0x0000000000610000-0x0000000000640000-memory.dmp  Filesize: 192KB
  memory/4288-133-0x0000000000000000-mapping.dmp

The 0x400000-0x463000 regions (0x63000 bytes = 396KB) in PID 4124 and PID 888 are the same size in both processes and sit at the default 32-bit image base, consistent with the 388KB executable mapped in the dropper and in its copy. The 192KB (0x30000-byte) regions at 0x5C0000 in PID 888 and 0x610000 in PID 4124 are separate allocations of identical size in both processes and are the first place to look for an unpacked stage. No dump of svchost.exe (PID 2336) is listed, so whatever PID 888 wrote into it is not available from this report.