Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 06:36
Static task: static1
Behavioral task: behavioral1
- Sample: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
- Resource: win10v2004-20220414-en
General
- Target: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
- Size: 361KB
- MD5: 1e4e3ab0d662c3f8a47c67ed427a154f
- SHA1: c96cf36141dd1a2a88bcaf3881f233a40854fb2b
- SHA256: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a
- SHA512: 879ac733fc2cfd57561ce65a92bab41d47484da3b7e7e2c430359bfa0301f1f3fcf253d181ed1bc7fbf20861b35cdc871acc9cf461909e69936fadaa58c4936e
Malware Config
Extracted:
- gozi_ifsb
- 1010
- diuolirt.at
- deopliazae.at
- nifredao.com
- filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  720 Actipi32.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcWioker = "C:\\Users\\Admin\\AppData\\Roaming\\Addrdlet\\Actipi32.exe" | 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process):
  4032 | 720 | WerFault.exe | Actipi32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  720 Actipi32.exe
  720 Actipi32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  PID 1620 wrote to memory of 2220 | 1620 | 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe | cmd.exe
  PID 1620 wrote to memory of 2220 | 1620 | 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe | cmd.exe
  PID 1620 wrote to memory of 2220 | 1620 | 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe | cmd.exe
  PID 2220 wrote to memory of 1388 | 2220 | cmd.exe | cmd.exe
  PID 2220 wrote to memory of 1388 | 2220 | cmd.exe | cmd.exe
  PID 2220 wrote to memory of 1388 | 2220 | cmd.exe | cmd.exe
  PID 1388 wrote to memory of 720 | 1388 | cmd.exe | Actipi32.exe
  PID 1388 wrote to memory of 720 | 1388 | cmd.exe | Actipi32.exe
  PID 1388 wrote to memory of 720 | 1388 | cmd.exe | Actipi32.exe
  PID 720 wrote to memory of 1576 | 720 | Actipi32.exe | svchost.exe
  PID 720 wrote to memory of 1576 | 720 | Actipi32.exe | svchost.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5CBB\33.bat" "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\3A25AC~1.EXE""
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\3A25AC~1.EXE""
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\3A25AC~1.EXE"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
        - (depth 5) C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 584
          - Program crash
- (depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 720 -ip 720
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5CBB\33.bat
  Filesize: 112B
  MD5: 162ce4b12b25c5d87a22bba996effa8d
  SHA1: 1913d2528e5270504050ff7ae89dc6f62f751004
  SHA256: 79461f900571f16bad1c0f1e4f024d59994df94bd6077607bba4822f9f6b09d8
  SHA512: 596429b517430b4a0d7e2a77f98cf6f7ee2b3a3e5bf3f22f28c16339c4370af569197f9764121b30aa51e1441166b8de39012c16f04e34a1257771434ce8b44c
- C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
  Filesize: 361KB
  MD5: 1e4e3ab0d662c3f8a47c67ed427a154f
  SHA1: c96cf36141dd1a2a88bcaf3881f233a40854fb2b
  SHA256: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a
  SHA512: 879ac733fc2cfd57561ce65a92bab41d47484da3b7e7e2c430359bfa0301f1f3fcf253d181ed1bc7fbf20861b35cdc871acc9cf461909e69936fadaa58c4936e
- C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
  Filesize: 361KB
  MD5: 1e4e3ab0d662c3f8a47c67ed427a154f
  SHA1: c96cf36141dd1a2a88bcaf3881f233a40854fb2b
  SHA256: 3a25ac74307f2358212c1cf753a9ae3ff548737ee6c6c0a789ca07464038bb5a
  SHA512: 879ac733fc2cfd57561ce65a92bab41d47484da3b7e7e2c430359bfa0301f1f3fcf253d181ed1bc7fbf20861b35cdc871acc9cf461909e69936fadaa58c4936e
- memory/720-136-0x0000000000000000-mapping.dmp
- memory/720-139-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/720-141-0x00000000006F0000-0x0000000000720000-memory.dmp
  Filesize: 192KB
- memory/1388-135-0x0000000000000000-mapping.dmp
- memory/1620-130-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/1620-132-0x0000000000700000-0x0000000000730000-memory.dmp
  Filesize: 192KB
- memory/2220-133-0x0000000000000000-mapping.dmp