Analysis

- max time kernel: 140s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-07-2022 18:32

Static task: static1

Behavioral task: behavioral1
- Sample: 53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe
- Resource: win10v2004-20220722-en
General

- Target: 53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe
- Size: 474KB
- MD5: 8c923cc9562628ba9c41748c2bb1c2d3
- SHA1: d02a1b75c3a060b7be1371eca9a475b60e027353
- SHA256: 53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c
- SHA512: e451c5784d17a944b4f41309e1c6be3c012b071e49da87c05b12eb2e416a62b6dd455ff159f516a7aa3a16ac0e1c202e1c87b7abd7533b69c0f7940f428ce677
Malware Config

Extracted
- Family: gozi_ifsb
- Botnet: 1010
- C2:
  - diuolirt.at
  - deopliazae.at
  - nifredao.com
  - filokiyurt.at
- Attributes:
  - exe_type: worker
  - server_id: 12
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  3592  Bingutil.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation  53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcGeecfc = "C:\\Users\\Admin\\AppData\\Roaming\\capahost\\Bingutil.exe"  53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  4732  3592        WerFault.exe  Bingutil.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  3592  Bingutil.exe
  3592  Bingutil.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: 53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe, cmd.exe, cmd.exe, Bingutil.exe
  description                          pid   process                                                                process target
  PID 4412 wrote to memory of 464      4412  53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe  cmd.exe
  PID 4412 wrote to memory of 464      4412  53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe  cmd.exe
  PID 4412 wrote to memory of 464      4412  53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe  cmd.exe
  PID 464 wrote to memory of 4472      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 4472      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 4472      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 4008      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 4008      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 4008      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 4392      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 4392      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 4392      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 1404      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 1404      464   cmd.exe                                                                cmd.exe
  PID 464 wrote to memory of 1404      464   cmd.exe                                                                cmd.exe
  PID 1404 wrote to memory of 3592     1404  cmd.exe                                                                Bingutil.exe
  PID 1404 wrote to memory of 3592     1404  cmd.exe                                                                Bingutil.exe
  PID 1404 wrote to memory of 3592     1404  cmd.exe                                                                Bingutil.exe
  PID 3592 wrote to memory of 1080     3592  Bingutil.exe                                                           svchost.exe
  PID 3592 wrote to memory of 1080     3592  Bingutil.exe                                                           svchost.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D68A\51.bat" "C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\53F126~1.EXE""
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\53F126~1.EXE""

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\53F126~1.EXE""

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\53F126~1.EXE""

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\53F126~1.EXE""
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe
                Command line: "C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\53F126~1.EXE"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\svchost.exe
                    Command line: C:\Windows\system32\svchost.exe

                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 572
                    - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3592 -ip 3592
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\D68A\51.bat
  Filesize: 112B
  MD5: 35da9bc48543a78d715d72cfa7cd2133
  SHA1: 203748c47264d8ff9879795fb09024e84b275c7f
  SHA256: 062562b367a56af1fe5a073b69d2e00ddce555cd3ac0b28cde4781e1bbde2bec
  SHA512: f28152fcfc0271111aad11bcd83ceea3bf16585f52800d3532d995942a21f24837b762a3dd685d669c43f5cc8ce1fff75f9df0a657da4aae57a97e166022c317

- C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe
  Filesize: 474KB
  MD5: 8c923cc9562628ba9c41748c2bb1c2d3
  SHA1: d02a1b75c3a060b7be1371eca9a475b60e027353
  SHA256: 53f1260b4d020c05bd212aa82638df2b5b55d3e608bbf1a019662dd3b299583c
  SHA512: e451c5784d17a944b4f41309e1c6be3c012b071e49da87c05b12eb2e416a62b6dd455ff159f516a7aa3a16ac0e1c202e1c87b7abd7533b69c0f7940f428ce677
- memory/464-135-0x0000000000000000-mapping.dmp

- memory/1404-140-0x0000000000000000-mapping.dmp

- memory/3592-141-0x0000000000000000-mapping.dmp

- memory/3592-144-0x0000000000400000-0x0000000000479000-memory.dmp
  Filesize: 484KB

- memory/4008-138-0x0000000000000000-mapping.dmp

- memory/4392-139-0x0000000000000000-mapping.dmp

- memory/4412-132-0x0000000000400000-0x0000000000479000-memory.dmp
  Filesize: 484KB

- memory/4412-134-0x0000000002200000-0x0000000002230000-memory.dmp
  Filesize: 192KB

- memory/4472-137-0x0000000000000000-mapping.dmp