Analysis
max time kernel
47s
max time network
51s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-06-2022 17:05
Static task
static1
Behavioral task
behavioral1
Sample
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
Resource
win10v2004-20220414-en
General
Target
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
Size
493KB
MD5
853b89f711eb10ab73ee8e1ad2f6cb63
SHA1
2383fc006ea0fac7bd0c9b9130082a7a3ed0c529
SHA256
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
SHA512
99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0
Malware Config
Extracted
gozi_ifsb
1010
diuolirt.at
deopliazae.at
nifredao.com
filokiyurt.at
exe_type
worker
server_id
12
Signatures
Executes dropped EXE 1 IoCs
Processes:
pid | process
2024 | amxredit.exe

Deletes itself 1 IoCs
Processes:
pid | process
2024 | amxredit.exe

Loads dropped DLL 1 IoCs
Processes:
pid | process
1996 | cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Audial32 = "C:\\Users\\Admin\\AppData\\Roaming\\Audiient\\amxredit.exe" | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe

Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 2024 set thread context of 992 | 2024 | amxredit.exe | svchost.exe
PID 992 set thread context of 1320 | 992 | svchost.exe | Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2024 | amxredit.exe
1320 | Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
2024 | amxredit.exe
992 | svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1320 | Explorer.EXE
1320 | Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
1320 | Explorer.EXE
1320 | Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1320 | Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description | pid | process | target process
PID 1932 wrote to memory of 2040 | 1932 | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe | cmd.exe
PID 1932 wrote to memory of 2040 | 1932 | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe | cmd.exe
PID 1932 wrote to memory of 2040 | 1932 | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe | cmd.exe
PID 1932 wrote to memory of 2040 | 1932 | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe | cmd.exe
PID 2040 wrote to memory of 1996 | 2040 | cmd.exe | cmd.exe
PID 2040 wrote to memory of 1996 | 2040 | cmd.exe | cmd.exe
PID 2040 wrote to memory of 1996 | 2040 | cmd.exe | cmd.exe
PID 2040 wrote to memory of 1996 | 2040 | cmd.exe | cmd.exe
PID 1996 wrote to memory of 2024 | 1996 | cmd.exe | amxredit.exe
PID 1996 wrote to memory of 2024 | 1996 | cmd.exe | amxredit.exe
PID 1996 wrote to memory of 2024 | 1996 | cmd.exe | amxredit.exe
PID 1996 wrote to memory of 2024 | 1996 | cmd.exe | amxredit.exe
PID 2024 wrote to memory of 992 | 2024 | amxredit.exe | svchost.exe
PID 2024 wrote to memory of 992 | 2024 | amxredit.exe | svchost.exe
PID 2024 wrote to memory of 992 | 2024 | amxredit.exe | svchost.exe
PID 2024 wrote to memory of 992 | 2024 | amxredit.exe | svchost.exe
PID 2024 wrote to memory of 992 | 2024 | amxredit.exe | svchost.exe
PID 2024 wrote to memory of 992 | 2024 | amxredit.exe | svchost.exe
PID 2024 wrote to memory of 992 | 2024 | amxredit.exe | svchost.exe
PID 992 wrote to memory of 1320 | 992 | svchost.exe | Explorer.EXE
PID 992 wrote to memory of 1320 | 992 | svchost.exe | Explorer.EXE
PID 992 wrote to memory of 1320 | 992 | svchost.exe | Explorer.EXE
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4888\2444.bat" "C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE""
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C ""C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE""
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
          command line: "C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE"
          - Executes dropped EXE
          - Deletes itself
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\svchost.exe
            command line: C:\Windows\system32\svchost.exe
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\4888\2444.bat
Filesize
108B
MD5
309e7e712ff0be0c0957c5dbf70db78d
SHA1
fd5fd60c61ef48c03e21bfb5c615ba695f107a7f
SHA256
a3951aaa3751251519493fac1d6f6a7c0dcabf22ee9377bb86a7107e1f13e516
SHA512
2f6273a945e86421695a839c438b44b1fe4b306c953374ddde8e461525215eab87161bbbd4043458dbf93500d6f07d8531127c85b15b968ea3bdc40b7813ebfd

C:\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
Filesize
493KB
MD5
853b89f711eb10ab73ee8e1ad2f6cb63
SHA1
2383fc006ea0fac7bd0c9b9130082a7a3ed0c529
SHA256
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
SHA512
99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0

\Users\Admin\AppData\Roaming\Audiient\amxredit.exe
Filesize
493KB
MD5
853b89f711eb10ab73ee8e1ad2f6cb63
SHA1
2383fc006ea0fac7bd0c9b9130082a7a3ed0c529
SHA256
31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
SHA512
99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0

memory/992-70-0x0000000000380000-0x00000000003F5000-memory.dmp
Filesize
468KB

memory/992-69-0x0000000000000000-mapping.dmp

memory/1320-72-0x0000000002B90000-0x0000000002C05000-memory.dmp
Filesize
468KB

memory/1320-71-0x0000000002B90000-0x0000000002C05000-memory.dmp
Filesize
468KB

memory/1932-55-0x0000000000400000-0x000000000047E000-memory.dmp
Filesize
504KB

memory/1932-57-0x0000000000230000-0x0000000000260000-memory.dmp
Filesize
192KB

memory/1932-54-0x00000000757C1000-0x00000000757C3000-memory.dmp
Filesize
8KB

memory/1996-60-0x0000000000000000-mapping.dmp

memory/2024-63-0x0000000000000000-mapping.dmp

memory/2024-68-0x0000000000230000-0x0000000000260000-memory.dmp
Filesize
192KB

memory/2040-58-0x0000000000000000-mapping.dmp