Analysis

max time kernel: 131s
max time network: 43s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 31-07-2022 19:42
Static task: static1

Behavioral task: behavioral1
  Sample: 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe
  Resource: win7-20220715-en

Behavioral task: behavioral2
  Sample: 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe
  Resource: win10v2004-20220722-en
General

Target: 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe
Size: 388KB
MD5: 5031ce596f9f1898fe11cfa7e8858795
SHA1: ed60c8e01112ae2ae731a34703e241138bd6575d
SHA256: 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d
SHA512: 1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f
Malware Config

Extracted: gozi_ifsb
1010
Domains:
  diuolirt.at
  deopliazae.at
  nifredao.com
  filokiyurt.at
exe_type: worker
server_id: 12
Signatures

Executes dropped EXE (1 IoC)
Processes: PID 592 adsngpui.exe

Deletes itself (1 IoC)
Processes: PID 592 adsngpui.exe

Loads dropped DLL (2 IoCs)
Processes: PID 972 cmd.exe (2 events)

Adds Run key to start application (2 TTPs, 1 IoC)
Process: 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe
Set value (str): \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\Devipast = "C:\\Users\\Admin\\AppData\\Roaming\\avictnet\\adsngpui.exe"

Suspicious use of SetThreadContext (2 IoCs)
PID 592 adsngpui.exe set thread context of PID 1308 svchost.exe
PID 1308 svchost.exe set thread context of PID 1184 Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: PID 592 adsngpui.exe, PID 1184 Explorer.EXE

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: PID 592 adsngpui.exe, PID 1308 svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: PID 1184 Explorer.EXE

Suspicious use of WriteProcessMemory (22 IoCs)
PID 1980 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe wrote to memory of PID 2024 cmd.exe (4 events)
PID 2024 cmd.exe wrote to memory of PID 972 cmd.exe (4 events)
PID 972 cmd.exe wrote to memory of PID 592 adsngpui.exe (4 events)
PID 592 adsngpui.exe wrote to memory of PID 1308 svchost.exe (7 events)
PID 1308 svchost.exe wrote to memory of PID 1184 Explorer.EXE (3 events)
Processes

C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\28E8\D6.bat" "C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe" "C:\Users\Admin\AppData\Local\Temp\5EA26D~1.EXE""
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (level 4)
      Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe" "C:\Users\Admin\AppData\Local\Temp\5EA26D~1.EXE""
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe (level 5)
        Command line: "C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe" "C:\Users\Admin\AppData\Local\Temp\5EA26D~1.EXE"
        - Executes dropped EXE
        - Deletes itself
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

          C:\Windows\system32\svchost.exe (level 6)
          Command line: C:\Windows\system32\svchost.exe
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\28E8\D6.bat
Filesize: 108B
MD5: 3d9c337d2305043624a0324984a78307
SHA1: 78834c56bf3edaa53114a2f043038fae766d7085
SHA256: 307ecb24d02715d360a8c4ee167720d6ec199c8c6adc5bf424b3c808ece057ae
SHA512: 3ccedc03c005e1898c5380006be0bd34df7c7b079c908573c174b0a0ad7874eff4149b39f6d3ebc8672bb77b83d43964989d1204019bf6f132235ecff0881c7e

C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe
Filesize: 388KB
MD5: 5031ce596f9f1898fe11cfa7e8858795
SHA1: ed60c8e01112ae2ae731a34703e241138bd6575d
SHA256: 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d
SHA512: 1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

C:\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe
Filesize: 388KB
MD5: 5031ce596f9f1898fe11cfa7e8858795
SHA1: ed60c8e01112ae2ae731a34703e241138bd6575d
SHA256: 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d
SHA512: 1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe
Filesize: 388KB
MD5: 5031ce596f9f1898fe11cfa7e8858795
SHA1: ed60c8e01112ae2ae731a34703e241138bd6575d
SHA256: 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d
SHA512: 1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

\Users\Admin\AppData\Roaming\avictnet\adsngpui.exe
Filesize: 388KB
MD5: 5031ce596f9f1898fe11cfa7e8858795
SHA1: ed60c8e01112ae2ae731a34703e241138bd6575d
SHA256: 5ea26dac1374c00472c64c6e2b68688eb7c090bc831026c6386db28555e6b05d
SHA512: 1bb76a86527720dd7cae237d0f7a8c70583cc9a2fc02dea287f5d60557657343d05487ef7ffe156efda1f09721f7b8a5a00b52cee88f283e2506bec6d9b9284f

memory/592-64-0x0000000000000000-mapping.dmp

memory/592-67-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB

memory/592-69-0x0000000000220000-0x0000000000250000-memory.dmp
Filesize: 192KB

memory/972-60-0x0000000000000000-mapping.dmp

memory/1184-72-0x0000000002A30000-0x0000000002AA5000-memory.dmp
Filesize: 468KB

memory/1184-73-0x0000000002A30000-0x0000000002AA5000-memory.dmp
Filesize: 468KB

memory/1308-70-0x0000000000000000-mapping.dmp

memory/1308-71-0x00000000003E0000-0x0000000000455000-memory.dmp
Filesize: 468KB

memory/1980-57-0x00000000001C0000-0x00000000001F0000-memory.dmp
Filesize: 192KB

memory/1980-54-0x0000000075C01000-0x0000000075C03000-memory.dmp
Filesize: 8KB

memory/1980-55-0x0000000000400000-0x0000000000463000-memory.dmp
Filesize: 396KB

memory/2024-58-0x0000000000000000-mapping.dmp