Analysis
- max time kernel: 146s
- max time network: 68s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-06-2022 04:54
Static task: static1
Behavioral task: behavioral1
- Sample: 32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe
- Resource: win10v2004-20220414-en
General
- Target: 32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe
- Size: 474KB
- MD5: 34edc1d95226bd29e8e9072da1855f28
- SHA1: c68352f6607134fb0b5686263397deda8f434cb0
- SHA256: 32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2
- SHA512: 5c754c3f81eca1a948932c1aba2ce414ca4dfc5c2af3dfba74d2ec084b11b068e0e302ba80a71b01caa3fad3119b04fe57453502ae03f4da13df1e1ed93c5047
Malware Config
Extracted: gozi_ifsb
- 1010
- diuolirt.at
- deopliazae.at
- nifredao.com
- filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
    - 828 / authuthz.exe
- Deletes itself (1 IoCs)
  Processes (pid / process):
    - 828 / authuthz.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
    - 1644 / cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    - description: Set value (str)
      ioc: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\aecaCore = "C:\\Users\\Admin\\AppData\\Roaming\\clictall\\authuthz.exe"
      process: 32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process / target process):
    - PID 828 set thread context of 1136 / 828 / authuthz.exe / svchost.exe
    - PID 1136 set thread context of 1244 / 1136 / svchost.exe / Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    - 828 / authuthz.exe
    - 1244 / Explorer.EXE
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid / process):
    - 828 / authuthz.exe
    - 1136 / svchost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
    - 1244 / Explorer.EXE
    - 1244 / Explorer.EXE
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid / process):
    - 1244 / Explorer.EXE
    - 1244 / Explorer.EXE
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
    - 1244 / Explorer.EXE
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description / pid / process / target process; the 22 rows collapsed to distinct entries, repeat count in parentheses):
    - PID 1888 wrote to memory of 936 / 1888 / 32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe / cmd.exe (x4)
    - PID 936 wrote to memory of 1644 / 936 / cmd.exe / cmd.exe (x4)
    - PID 1644 wrote to memory of 828 / 1644 / cmd.exe / authuthz.exe (x4)
    - PID 828 wrote to memory of 1136 / 828 / authuthz.exe / svchost.exe (x7)
    - PID 1136 wrote to memory of 1244 / 1136 / svchost.exe / Explorer.EXE (x3)
Processes (process tree; the number is the nesting depth)
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   2. C:\Users\Admin\AppData\Local\Temp\32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\3018\46.bat" "C:\Users\Admin\AppData\Roaming\clictall\authuthz.exe" "C:\Users\Admin\AppData\Local\Temp\32D3B5~1.EXE""
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\clictall\authuthz.exe" "C:\Users\Admin\AppData\Local\Temp\32D3B5~1.EXE""
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\clictall\authuthz.exe
               Command line: "C:\Users\Admin\AppData\Roaming\clictall\authuthz.exe" "C:\Users\Admin\AppData\Local\Temp\32D3B5~1.EXE"
               - Executes dropped EXE
               - Deletes itself
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\svchost.exe
                  Command line: C:\Windows\system32\svchost.exe
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3018\46.bat
  Filesize: 108B
  MD5: 52184a885363ddffaef2656d49343a7d
  SHA1: e9c92515464e88547aec625588e1bac53eba02a7
  SHA256: 6140f77fb96a82378914de7b2c1d8f3ae142e7d00192cd8d5a7592124904650e
  SHA512: 87ee9091b34e12a07829e36dee92a5588dd499bd56fa1a10e0ffc991e58015ba87070091417d3657c7ed428f71e5836d6ec3a27e4a7227f71d42bd1c3ad1a05f
- C:\Users\Admin\AppData\Roaming\clictall\authuthz.exe
  Filesize: 474KB
  MD5: 34edc1d95226bd29e8e9072da1855f28
  SHA1: c68352f6607134fb0b5686263397deda8f434cb0
  SHA256: 32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2
  SHA512: 5c754c3f81eca1a948932c1aba2ce414ca4dfc5c2af3dfba74d2ec084b11b068e0e302ba80a71b01caa3fad3119b04fe57453502ae03f4da13df1e1ed93c5047
- \Users\Admin\AppData\Roaming\clictall\authuthz.exe
  Filesize: 474KB
  MD5: 34edc1d95226bd29e8e9072da1855f28
  SHA1: c68352f6607134fb0b5686263397deda8f434cb0
  SHA256: 32d3b5ff596448c89026df81699d0b360c8eb754e1cb9876cfdace71d8b6aeb2
  SHA512: 5c754c3f81eca1a948932c1aba2ce414ca4dfc5c2af3dfba74d2ec084b11b068e0e302ba80a71b01caa3fad3119b04fe57453502ae03f4da13df1e1ed93c5047
- memory/828-63-0x0000000000000000-mapping.dmp
- memory/828-66-0x0000000000400000-0x0000000000479000-memory.dmp (Filesize: 484KB)
- memory/828-68-0x0000000000260000-0x0000000000290000-memory.dmp (Filesize: 192KB)
- memory/936-58-0x0000000000000000-mapping.dmp
- memory/1136-69-0x0000000000000000-mapping.dmp
- memory/1136-70-0x0000000000190000-0x0000000000205000-memory.dmp (Filesize: 468KB)
- memory/1136-71-0x0000000000190000-0x0000000000205000-memory.dmp (Filesize: 468KB)
- memory/1244-72-0x0000000002BA0000-0x0000000002C15000-memory.dmp (Filesize: 468KB)
- memory/1244-73-0x0000000002BA0000-0x0000000002C15000-memory.dmp (Filesize: 468KB)
- memory/1644-60-0x0000000000000000-mapping.dmp
- memory/1888-57-0x0000000000230000-0x0000000000260000-memory.dmp (Filesize: 192KB)
- memory/1888-54-0x0000000076191000-0x0000000076193000-memory.dmp (Filesize: 8KB)
- memory/1888-55-0x0000000000400000-0x0000000000479000-memory.dmp (Filesize: 484KB)