Analysis
- max time kernel: 149s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-08-2022 00:29
Static task: static1
Behavioral task: behavioral1
  Sample: 5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe
  Resource: win10v2004-20220722-en
General
- Target: 5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe
- Size: 361KB
- MD5: 64139ece03d78520b9dae8d1313da69e
- SHA1: 45e19e267688c8472ce882afe93becb043b718d1
- SHA256: 5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80
- SHA512: 2daa3467bb5bb3af17f94503946eab4f07e8a7e09906ed54d843aa80ae90ced32d574b08b7c1ee78c56d3a7a950799cafa9705d1c39df3e9888865a004db7b84
Malware Config
Extracted
- gozi_ifsb
- 1010
- diuolirt.at
- deopliazae.at
- nifredao.com
- filokiyurt.at
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    4896  Bingutil.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation  5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcGeecfc = "C:\\Users\\Admin\\AppData\\Roaming\\capahost\\Bingutil.exe"  5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
    2064  4896  WerFault.exe  Bingutil.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    4896  Bingutil.exe
    4896  Bingutil.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 5048 wrote to memory of 4444  5048  5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe  cmd.exe
    PID 5048 wrote to memory of 4444  5048  5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe  cmd.exe
    PID 5048 wrote to memory of 4444  5048  5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe  cmd.exe
    PID 4444 wrote to memory of 2412  4444  cmd.exe  cmd.exe
    PID 4444 wrote to memory of 2412  4444  cmd.exe  cmd.exe
    PID 4444 wrote to memory of 2412  4444  cmd.exe  cmd.exe
    PID 2412 wrote to memory of 4896  2412  cmd.exe  Bingutil.exe
    PID 2412 wrote to memory of 4896  2412  cmd.exe  Bingutil.exe
    PID 2412 wrote to memory of 4896  2412  cmd.exe  Bingutil.exe
    PID 4896 wrote to memory of 1800  4896  Bingutil.exe  svchost.exe
    PID 4896 wrote to memory of 1800  4896  Bingutil.exe  svchost.exe
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\22E\8117.bat" "C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\5B3F58~1.EXE""
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\5B3F58~1.EXE""
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe
                Command line: "C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\5B3F58~1.EXE"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\svchost.exe
                    Command line: C:\Windows\system32\svchost.exe
                [5] C:\Windows\SysWOW64\WerFault.exe
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 560
                    - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4896 -ip 4896
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\22E\8117.bat
  Filesize: 112B
  MD5: ab67e168c79bbe6272bfa20c8b07718c
  SHA1: 29f2373db9c15ea2755bd387a900679447449ea2
  SHA256: f385d773062f6036a0d3693b3054f33031f69390b58a51124369ba4a5fd4453c
  SHA512: 116a6c62e5d5acda63b9cacd0e10201e598b75130a587019137899f5b58907705252f19565e2f2ebe49f1e3a2232564b121e0d076a4a927850830c103182343b
- C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe
  Filesize: 361KB
  MD5: 64139ece03d78520b9dae8d1313da69e
  SHA1: 45e19e267688c8472ce882afe93becb043b718d1
  SHA256: 5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80
  SHA512: 2daa3467bb5bb3af17f94503946eab4f07e8a7e09906ed54d843aa80ae90ced32d574b08b7c1ee78c56d3a7a950799cafa9705d1c39df3e9888865a004db7b84
- memory/2412-137-0x0000000000000000-mapping.dmp
- memory/4444-135-0x0000000000000000-mapping.dmp
- memory/4896-138-0x0000000000000000-mapping.dmp
- memory/4896-141-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/4896-143-0x00000000005F0000-0x0000000000620000-memory.dmp
  Filesize: 192KB
- memory/5048-132-0x0000000000400000-0x000000000045D000-memory.dmp
  Filesize: 372KB
- memory/5048-134-0x0000000000630000-0x0000000000660000-memory.dmp
  Filesize: 192KB