Analysis
max time kernel: 91s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-06-2022 17:05
Static task: static1
Behavioral task: behavioral1
  Sample: 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
  Resource: win10v2004-20220414-en
General
Target: 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
Size: 493KB
MD5: 853b89f711eb10ab73ee8e1ad2f6cb63
SHA1: 2383fc006ea0fac7bd0c9b9130082a7a3ed0c529
SHA256: 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
SHA512: 99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0
Malware Config
Extracted: gozi_ifsb
  1010
  diuolirt.at
  deopliazae.at
  nifredao.com
  filokiyurt.at
  exe_type: worker
  server_id: 12
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  616 | AcGeecfc.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Contager = "C:\\Users\\Admin\\AppData\\Roaming\\Bingutil\\AcGeecfc.exe" | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  4936 | 616 | WerFault.exe | AcGeecfc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  616 | AcGeecfc.exe
  616 | AcGeecfc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description | pid | process | target process
  PID 1552 wrote to memory of 4804 | 1552 | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe | cmd.exe
  PID 1552 wrote to memory of 4804 | 1552 | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe | cmd.exe
  PID 1552 wrote to memory of 4804 | 1552 | 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe | cmd.exe
  PID 4804 wrote to memory of 968 | 4804 | cmd.exe | cmd.exe
  PID 4804 wrote to memory of 968 | 4804 | cmd.exe | cmd.exe
  PID 4804 wrote to memory of 968 | 4804 | cmd.exe | cmd.exe
  PID 968 wrote to memory of 616 | 968 | cmd.exe | AcGeecfc.exe
  PID 968 wrote to memory of 616 | 968 | cmd.exe | AcGeecfc.exe
  PID 968 wrote to memory of 616 | 968 | cmd.exe | AcGeecfc.exe
  PID 616 wrote to memory of 4844 | 616 | AcGeecfc.exe | svchost.exe
  PID 616 wrote to memory of 4844 | 616 | AcGeecfc.exe | svchost.exe
Processes
C:\Users\Admin\AppData\Local\Temp\31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3B34\33.bat" "C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE""
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /C ""C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE""
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
        command line: "C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\31F890~1.EXE"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 564
          - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 616 -ip 616
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\3B34\33.bat
  Filesize: 112B
  MD5: 3601077259d59ced658fd99e54ef57d3
  SHA1: 85c06d387a652e75660a7f0872ee58e9cf25caa5
  SHA256: 6cba92ffa844205d8fd9d939a55b0932d1198b2627b64cab254980a88468c365
  SHA512: 034062875050b574632a359051f001693f15e084138cdcf6c49a4d750ece87d99a3df2cd48561483158d6611f17e73c844c8fc40bfe6ef781826fc155ce4c1e9
C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
  Filesize: 493KB
  MD5: 853b89f711eb10ab73ee8e1ad2f6cb63
  SHA1: 2383fc006ea0fac7bd0c9b9130082a7a3ed0c529
  SHA256: 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
  SHA512: 99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0
C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
  Filesize: 493KB
  MD5: 853b89f711eb10ab73ee8e1ad2f6cb63
  SHA1: 2383fc006ea0fac7bd0c9b9130082a7a3ed0c529
  SHA256: 31f8902617ed43ba8509e4ee58321cf671050fc2f3d73d38c434c36343e9adec
  SHA512: 99a84f7fa6e112f79a7816ca5470184018de64e15c472eeb33a794df0d1c8dab268d6ecd42cd8bf3ba7615e98f7322ab662b8aa5cadf8c1cdd68a106cacad9f0
memory/616-139-0x0000000000000000-mapping.dmp
memory/616-142-0x0000000000400000-0x000000000047E000-memory.dmp
  Filesize: 504KB
memory/616-144-0x0000000000600000-0x0000000000630000-memory.dmp
  Filesize: 192KB
memory/968-138-0x0000000000000000-mapping.dmp
memory/1552-133-0x0000000000400000-0x000000000047E000-memory.dmp
  Filesize: 504KB
memory/1552-135-0x00000000021C0000-0x00000000021F0000-memory.dmp
  Filesize: 192KB
memory/4804-136-0x0000000000000000-mapping.dmp