Analysis
- max time kernel: 56s
- max time network: 73s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-07-2022 23:27
Static task: static1
Behavioral task: behavioral1
- Sample: 508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe
- Resource: win10v2004-20220718-en
General
- Target: 508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe
- Size: 351KB
- MD5: 257314a13ce06122c3b7020c3e7d8724
- SHA1: d8a8df5a073049cf9b7a78bb16fc4437accf11e5
- SHA256: 508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409
- SHA512: b250b109e385e4103e110351d4ecb45d1e4ece7a2ab246122e82c1b9a7afbec9a193dd81874db69c3a1f56e40076ea7d102c2d4e8c0e12233806b071133997b8
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 1010
- C2: diuolirt.at, deopliazae.at, nifredao.com, filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 3824 Appxtdll.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried by 508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe: \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Value set (str) by 508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe: \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BWCotons = "C:\\Users\\Admin\\AppData\\Roaming\\ActiApis\\Appxtdll.exe"
  The target is a copy of the sample under the user-writable AppData\Roaming tree, so the persistence survives only as long as that copy and the Run value do; both are the cleanup targets.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; with a gozi_ifsb configuration extracted from the sample, drive enumeration here is more consistent with an ISFB banker profiling the host than with encryption.
- Program crash (1 IoC)
  WerFault.exe PID 4636, target PID 3824 (Appxtdll.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3824 Appxtdll.exe (2 events)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1320 (508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe) wrote to memory of PID 4420 (cmd.exe): 3 events
  PID 4420 (cmd.exe) wrote to memory of PID 3556 (cmd.exe): 3 events
  PID 3556 (cmd.exe) wrote to memory of PID 3824 (Appxtdll.exe): 3 events
  PID 3824 (Appxtdll.exe) wrote to memory of PID 4568 (svchost.exe): 2 events
  The first three pairs are the ordinary parent writes that accompany process creation; the last pair, the dropped executable writing into an svchost.exe it started itself, is the injection indicator.
Processes
C:\Users\Admin\AppData\Local\Temp\508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10DC\886E.bat" "C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe" "C:\Users\Admin\AppData\Local\Temp\508AEA~1.EXE""
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe" "C:\Users\Admin\AppData\Local\Temp\508AEA~1.EXE""
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe
        Command line: "C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe" "C:\Users\Admin\AppData\Local\Temp\508AEA~1.EXE"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\svchost.exe
          Command line: C:\Windows\system32\svchost.exe
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 560
          - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3824 -ip 3824
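The Signatures and Processes sections above record one persistence-and-relaunch pattern: the sample reads Geo\Nation, registers a Run value named BWCotons pointing at a copy of itself under AppData\Roaming, launches that copy through a cmd.exe /c chain that runs a .bat from Temp, and the copy then starts an svchost.exe and writes into it. The Python below is an added example, not part of the sandbox report or of the sample, that turns those observations into detection checks run over constructed event records reusing the report's paths and PIDs. The record layout and field names (pid, ppid, image, cmdline, op, key, data) are assumptions about a generic Sysmon/EDR-style feed, not the sandbox's own schema.

```python
import re

# Constructed sample telemetry modelled on the registry and process events in the
# report above (same paths, PIDs and values), laid out as plain dicts so the checks
# can run offline. Not real EDR records; the field names are assumptions.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409.exe"
SHORT_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\508AEA~1.EXE"
DROPPED_PATH = r"C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe"
BAT_PATH = r"C:\Users\Admin\AppData\Local\Temp\10DC\886E.bat"
CMD_IMAGE = r"C:\Windows\SysWOW64\cmd.exe"
SVCHOST = r"C:\Windows\system32\svchost.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000"

REG_EVENTS = [
    {"pid": 1320, "image": SAMPLE_PATH, "op": "QueryValue",
     "key": USER_HIVE + r"\Control Panel\International\Geo\Nation", "data": None},
    {"pid": 1320, "image": SAMPLE_PATH, "op": "SetValue",
     "key": USER_HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BWCotons",
     "data": DROPPED_PATH},
]
PROC_EVENTS = [
    {"pid": 1320, "ppid": 0, "image": SAMPLE_PATH, "cmdline": f'"{SAMPLE_PATH}"'},
    {"pid": 4420, "ppid": 1320, "image": CMD_IMAGE,
     "cmdline": f'C:\\Windows\\system32\\cmd.exe /c ""{BAT_PATH}" "{DROPPED_PATH}" "{SHORT_SAMPLE}""'},
    {"pid": 3556, "ppid": 4420, "image": CMD_IMAGE,
     "cmdline": f'cmd /C ""{DROPPED_PATH}" "{SHORT_SAMPLE}""'},
    {"pid": 3824, "ppid": 3556, "image": DROPPED_PATH,
     "cmdline": f'"{DROPPED_PATH}" "{SHORT_SAMPLE}"'},
    {"pid": 4568, "ppid": 3824, "image": SVCHOST, "cmdline": SVCHOST},
]

# Paths a standard user can write to; Windows paths compare case-insensitively.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def find_run_key_persistence(reg_events):
    """Run/RunOnce values written with a target under the user's AppData tree.
    Returns (writer pid, value name, target path) tuples."""
    hits = []
    for ev in reg_events:
        if ev["op"] != "SetValue" or not RUN_KEY.search(ev["key"]):
            continue
        target = (ev["data"] or "").strip('"')
        if USER_WRITABLE.search(target):
            hits.append((ev["pid"], ev["key"].rsplit("\\", 1)[-1], target))
    return hits


def find_geofence_lookups(reg_events):
    """Geo\\Nation reads by a process that itself runs from a user-writable path.
    Plenty of legitimate software reads this value, so the image location, not
    the read alone, is what makes the event worth surfacing."""
    return [(ev["pid"], ev["image"]) for ev in reg_events
            if ev["op"] == "QueryValue" and GEO_NATION.search(ev["key"])
            and USER_WRITABLE.search(ev["image"])]


def ancestors(pid, by_pid):
    """Walk parent links from pid upward; stops at unknown PIDs and on cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_batch_relaunch(proc_events):
    """An executable under AppData whose ancestry includes 'cmd.exe /c' running
    a .bat from a Temp directory, i.e. the copy-and-relaunch chain in the tree.
    Returns (child pid, child image, cmd.exe pid) tuples."""
    by_pid = {ev["pid"]: ev for ev in proc_events}
    hits = []
    for ev in proc_events:
        if not USER_WRITABLE.search(ev["image"]):
            continue
        for anc in ancestors(ev["ppid"], by_pid):
            cl = anc["cmdline"].lower()
            if (anc["image"].lower().endswith("\\cmd.exe") and " /c " in cl
                    and ".bat" in cl and "\\temp\\" in cl):
                hits.append((ev["pid"], ev["image"], anc["pid"]))
                break
    return hits


def find_orphan_svchost(proc_events):
    """svchost.exe whose parent is not services.exe. In the tree above it is
    started by the dropped Appxtdll.exe, which also wrote into its memory."""
    by_pid = {ev["pid"]: ev for ev in proc_events}
    hits = []
    for ev in proc_events:
        if not ev["image"].lower().endswith("\\svchost.exe"):
            continue
        parent = by_pid.get(ev["ppid"])
        parent_image = parent["image"].lower() if parent else ""
        if not parent_image.endswith("\\services.exe"):
            hits.append((ev["pid"], ev["ppid"], parent_image))
    return hits


def triage(reg_events, proc_events):
    """Run every check; returns a dict of finding lists keyed by check name."""
    return {
        "run_key_persistence": find_run_key_persistence(reg_events),
        "geofence_lookups": find_geofence_lookups(reg_events),
        "batch_relaunch": find_batch_relaunch(proc_events),
        "orphan_svchost": find_orphan_svchost(proc_events),
    }


if __name__ == "__main__":
    for name, hits in triage(REG_EVENTS, PROC_EVENTS).items():
        print(f"{name}: {hits}")
```

Of the four checks, the svchost.exe parentage test is the strongest single signal on a real host: services.exe is the only legitimate parent, so a user-mode binary under AppData\Roaming spawning it needs no further context. The Geo\Nation read and the Run value on their own are noisy, which is why both checks condition on the writer or target living in a user-writable path, and the .bat check deliberately does not fire on the inner "cmd /C" relaunch but on the outer cmd.exe that ran the batch file from Temp.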
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\10DC\886E.bat
  Filesize: 112B
  MD5: 6ef94417974ebe650c7ae3c27895531a
  SHA1: 851ca765c8d2e45884e7072b6671949c54dc98c4
  SHA256: b03480f95891effa5441251bee8008fac20fda971f2798b9467a976b012df7d3
  SHA512: 42fa655dd6d5befc7881fd23f338462e06df03adc5f9dc9394de7c2e418a8ed5368facc346ca6d7aed6ca128c49ef131a8f6f2d48be1267ea1147739484a34c6
- C:\Users\Admin\AppData\Roaming\ActiApis\Appxtdll.exe (listed twice in the report with identical values; its hashes match the submitted sample, so the "dropped EXE" is a byte-for-byte self-copy and the sample's hashes are the IoC for the persisted file too)
  Filesize: 351KB
  MD5: 257314a13ce06122c3b7020c3e7d8724
  SHA1: d8a8df5a073049cf9b7a78bb16fc4437accf11e5
  SHA256: 508aea085ee84ecc8b8267e021924f1dda945afda2445f7fc31be74625a4c409
  SHA512: b250b109e385e4103e110351d4ecb45d1e4ece7a2ab246122e82c1b9a7afbec9a193dd81874db69c3a1f56e40076ea7d102c2d4e8c0e12233806b071133997b8
- Memory dumps
  memory/1320-130-0x0000000000400000-0x000000000045A000-memory.dmp: 360KB
  memory/1320-132-0x00000000021C0000-0x00000000021F0000-memory.dmp: 192KB
  memory/3556-135-0x0000000000000000-mapping.dmp
  memory/3824-136-0x0000000000000000-mapping.dmp
  memory/3824-139-0x0000000000400000-0x000000000045A000-memory.dmp: 360KB
  memory/3824-141-0x0000000002090000-0x00000000020C0000-memory.dmp: 192KB
  memory/4420-133-0x0000000000000000-mapping.dmp