Analysis
Max time kernel: 60s
Max time network: 53s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 03-07-2022 07:32
Static task: static1
Behavioral task: behavioral1
  Sample: 3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe
  Resource: win10v2004-20220414-en
General
Target: 3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe
Size: 361KB
MD5: 71f184786153407c588600179f11a920
SHA1: 8c8e733df5df5f73f176993b7e5d2e1f4aed1f8c
SHA256: 3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e
SHA512: 569bfeb1fa7f970b94b64e277436d7b6ca98c57bd02f480847dba244d3329d0e17a284d6c27935a4ae9460b45ca3b8e64a6357988a5203ab69c9ecbd07c83d4b
Malware Config
Extracted: gozi_ifsb
1010
diuolirt.at
deopliazae.at
nifredao.com
filokiyurt.at
exe_type: worker
server_id: 12
Signatures
Executes dropped EXE (1 IoC)
  Processes: authuthz.exe (PID 2024)
Deletes itself (1 IoC)
  Processes: authuthz.exe (PID 2024)
Loads dropped DLL (1 IoC)
  Processes: cmd.exe (PID 1992)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\aecaCore = "C:\\Users\\Admin\\AppData\\Roaming\\clictall\\authuthz.exe"
Suspicious use of SetThreadContext (2 IoCs)
  PID 2024 (authuthz.exe) set thread context of PID 1976 (svchost.exe)
  PID 1976 (svchost.exe) set thread context of PID 1264 (Explorer.EXE)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: authuthz.exe (PID 2024), Explorer.EXE (PID 1264)
Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: authuthz.exe (PID 2024), svchost.exe (PID 1976)
Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: Explorer.EXE (PID 1264), Explorer.EXE (PID 1264)
Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Explorer.EXE (PID 1264), Explorer.EXE (PID 1264)
Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: Explorer.EXE (PID 1264)
Suspicious use of WriteProcessMemory (22 IoCs)
  PID 1448 (3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe) wrote to memory of PID 2036 (cmd.exe), 4 entries
  PID 2036 (cmd.exe) wrote to memory of PID 1992 (cmd.exe), 4 entries
  PID 1992 (cmd.exe) wrote to memory of PID 2024 (authuthz.exe), 4 entries
  PID 2024 (authuthz.exe) wrote to memory of PID 1976 (svchost.exe), 7 entries
  PID 1976 (svchost.exe) wrote to memory of PID 1264 (Explorer.EXE), 3 entries
Processes
Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Level 2: C:\Users\Admin\AppData\Local\Temp\3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\56AA\2B55.bat" "C:\Users\Admin\AppData\Roaming\clictall\authuthz.exe" "C:\Users\Admin\AppData\Local\Temp\3C6AFF~1.EXE""
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\clictall\authuthz.exe" "C:\Users\Admin\AppData\Local\Temp\3C6AFF~1.EXE""
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
Level 5: C:\Users\Admin\AppData\Roaming\clictall\authuthz.exe
  Command line: "C:\Users\Admin\AppData\Roaming\clictall\authuthz.exe" "C:\Users\Admin\AppData\Local\Temp\3C6AFF~1.EXE"
  - Executes dropped EXE
  - Deletes itself
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
Level 6: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
Downloads
C:\Users\Admin\AppData\Local\Temp\56AA\2B55.bat
  Filesize: 108B
  MD5: 38e56c6af5859baebc2342b633607ce3
  SHA1: 50d79599f4cd0d59bed35771c772f9150ca6e6b6
  SHA256: 6f07c202572e240d4537e08e2a0ab6cfed59b3cb7f9d12de17770c0de5214975
  SHA512: 38ab637fb2a11917775884992cce0047d03a764ae31d1d2362632a23a2026f7d94a759f02efd9d9f709855c75a8cf3cca123172a5a245ec3901ec97a2d59aa72
C:\Users\Admin\AppData\Roaming\clictall\authuthz.exe
  Filesize: 361KB
  MD5: 71f184786153407c588600179f11a920
  SHA1: 8c8e733df5df5f73f176993b7e5d2e1f4aed1f8c
  SHA256: 3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e
  SHA512: 569bfeb1fa7f970b94b64e277436d7b6ca98c57bd02f480847dba244d3329d0e17a284d6c27935a4ae9460b45ca3b8e64a6357988a5203ab69c9ecbd07c83d4b
\Users\Admin\AppData\Roaming\clictall\authuthz.exe
  Filesize: 361KB
  MD5: 71f184786153407c588600179f11a920
  SHA1: 8c8e733df5df5f73f176993b7e5d2e1f4aed1f8c
  SHA256: 3c6affe9595ac8498af6360aeb3f9281e755c28c1b3297eb770855f08ec88a1e
  SHA512: 569bfeb1fa7f970b94b64e277436d7b6ca98c57bd02f480847dba244d3329d0e17a284d6c27935a4ae9460b45ca3b8e64a6357988a5203ab69c9ecbd07c83d4b
Memory dumps
memory/1264-71-0x00000000029E0000-0x0000000002A55000-memory.dmp (Filesize: 468KB)
memory/1264-72-0x00000000029E0000-0x0000000002A55000-memory.dmp (Filesize: 468KB)
memory/1448-57-0x0000000000230000-0x0000000000260000-memory.dmp (Filesize: 192KB)
memory/1448-55-0x0000000000400000-0x000000000045D000-memory.dmp (Filesize: 372KB)
memory/1448-54-0x0000000075C51000-0x0000000075C53000-memory.dmp (Filesize: 8KB)
memory/1976-69-0x0000000000000000-mapping.dmp
memory/1976-70-0x00000000003C0000-0x0000000000435000-memory.dmp (Filesize: 468KB)
memory/1992-60-0x0000000000000000-mapping.dmp
memory/2024-66-0x0000000000400000-0x000000000045D000-memory.dmp (Filesize: 372KB)
memory/2024-68-0x00000000001C0000-0x00000000001F0000-memory.dmp (Filesize: 192KB)
memory/2024-63-0x0000000000000000-mapping.dmp
memory/2036-58-0x0000000000000000-mapping.dmp