Analysis
-
max time kernel
152s -
max time network
172s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
02-10-2022 05:20
General
-
Target
05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe
-
Size
890KB
-
MD5
6c8cb4b72384977bad413dee3bc30d66
-
SHA1
83d0110ea6ee7ef084930cd09651d2ac6cdf0cf8
-
SHA256
05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29
-
SHA512
eb8ef5638f0d35130a801bf46f45d38bfbb339c86e64b45dfa767b210744e3b78f6c819f489ee711baff20147fb48a4ba227b86e8dbcb0d4d50832baab4be7ef
-
SSDEEP
24576:Ria6ZRQk/vMSfj36oi7pMyb5/JeWsxF3B840Ef:RGI7pM458DFp0
Malware Config
Signatures
-
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in System32 directory 24 IoCs
-
Drops file in Program Files directory 10 IoCs
-
Drops file in Windows directory 21 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 56 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe"C:\Users\Admin\AppData\Local\Temp\05e82296d30fe9cdf01d61726e84a597f30be00bdbf11b4c97c14135c50f3f29.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://clownfish-translator.com/download.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1828 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0xc81⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3845472200-3839195424-595303356-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 5202⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXEFilesize
284KB
MD5e38da67101f6875d1e6ea71b2f703b69
SHA1f66f9b87805cbda4e59b3cb6df841e3f981c47c4
SHA256f3e394216f6b282ca30ee018ec31af065755a8505f75411d371e138cd0b08fe1
SHA512bf2e346f543868bb2286a5b4bd31452c9df159a74cae196f721aef6662640f60a8dedb096376f971a38cd14a5c3e99d07a0d9d3de1d54c32e5dbbb6392eeae63
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
60KB
MD5d15aaa7c9be910a9898260767e2490e1
SHA12090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
SHA256f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
SHA5127e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD57ce796fcb1c3fc255f29999d077cc31a
SHA1138388b9cc1366353b74ec80001e314d1cfd3430
SHA256f2981a4abfdfaba96b169437d0f11e35a0c50de5c7ffbd3a3df50aa77d9978ea
SHA512f3aaf56b6bfb3e1e3f1b960a58bba02d7861c8a562a9d559e4d8d13a35c412a8958608de63f054903531b5a08964fb933b8a0d41f56595e7c9ed1864d48ae9f6
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.datFilesize
5KB
MD5bb205d9296733c021dcdc248496eb47f
SHA1f6200c094eefd46be43a63cb311548311ee8bdf4
SHA256a1cb89abb382979b9605a9320fe9f5c5ed88560f829082d6b95c131396d9cd05
SHA512eb72ab98b7fcac29b0ae92a890ec29ab33bd6943c28ab6f4b173fbf94a965e1cfc8245979d62d4c29445a380c3fb1f6f54c7fd106bfd3f0951011377109a20e6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V8O92W9P.txtFilesize
608B
MD5da2c03ed0ae24f6da9a3d13c219899db
SHA1095ac3d0c8a1d5d21c2d68a47fdf40666a1b35f5
SHA256038fd51655ceef993ab89b47c8ab71032420f8fcdefcf8b1278a25019c55ac1c
SHA5122e786caf85cba8aa47d9932af738a7658c904ff1b18851198c4bfac89caa909772b25aee0a844293997842ce6f8fbee3f4c887e32fc3593e7a9ae5437c5fc3c5
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeFilesize
203KB
MD574a779f491d3e638e34649217f233651
SHA13e2ef3107a57d9aea7be2b1e4a7dabfad503230b
SHA25690dd6fad0b6a87c5c55e3d57d78f409f55643d783445030bad81422ca922f775
SHA51247118a2f6ffaf40f0189f1f735bf70cb696976944e249cb8694b744a96bf8961a940558fac41f0bb3e8819bc4b55e8c72c6c912d67beb0913581deee66a28dad
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeFilesize
203KB
MD574a779f491d3e638e34649217f233651
SHA13e2ef3107a57d9aea7be2b1e4a7dabfad503230b
SHA25690dd6fad0b6a87c5c55e3d57d78f409f55643d783445030bad81422ca922f775
SHA51247118a2f6ffaf40f0189f1f735bf70cb696976944e249cb8694b744a96bf8961a940558fac41f0bb3e8819bc4b55e8c72c6c912d67beb0913581deee66a28dad
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeFilesize
234KB
MD5ef5fa52e9f2e54874583f203ee0e7acf
SHA1723cacc0884dac0a010af0659276e3c7eaf85dfe
SHA256f6b5af2c1ea3ae9ecfad97f3f7ed063ee89c3cd99e2cf5c1b0d97f7eb20f4960
SHA5124eb92672d3051d733a4b2b7fc834985cad49184012efee6d04cdcdaa9639e9aedb956494d25b1b783e75d9c5ada13403fab6f3f8bef803f36bc1358753a67052
-
\??\c:\windows\SysWOW64\svchost.exeFilesize
164KB
MD59fe284bcb59b51b5e43c4540e275ecf1
SHA1a6a2421d6935c0984873e0488edf4673f19a29c0
SHA25691d23c21af253fa3bb1d5e1d5594163ef57dbf176307921177326389a82d7443
SHA51204a1b6de2aed3f720e2842211e719ca2d11d8db6059855da1683defac822a76fa2011196c7ae5d9f675d093d8a923e703e8c921c52a4323671fd312de5c864ba
-
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exeFilesize
234KB
MD5ef5fa52e9f2e54874583f203ee0e7acf
SHA1723cacc0884dac0a010af0659276e3c7eaf85dfe
SHA256f6b5af2c1ea3ae9ecfad97f3f7ed063ee89c3cd99e2cf5c1b0d97f7eb20f4960
SHA5124eb92672d3051d733a4b2b7fc834985cad49184012efee6d04cdcdaa9639e9aedb956494d25b1b783e75d9c5ada13403fab6f3f8bef803f36bc1358753a67052
-
memory/276-60-0x0000000010000000-0x0000000010070000-memory.dmpFilesize
448KB
-
memory/276-58-0x0000000010000000-0x0000000010070000-memory.dmpFilesize
448KB
-
memory/596-66-0x000000002E000000-0x000000002E086000-memory.dmpFilesize
536KB
-
memory/596-72-0x000000002E000000-0x000000002E086000-memory.dmpFilesize
536KB
-
memory/676-90-0x00000000029D0000-0x00000000029E0000-memory.dmpFilesize
64KB
-
memory/676-74-0x00000000028D0000-0x00000000028E0000-memory.dmpFilesize
64KB
-
memory/676-106-0x0000000003E70000-0x0000000003E78000-memory.dmpFilesize
32KB
-
memory/676-109-0x0000000003E70000-0x0000000003E78000-memory.dmpFilesize
32KB
-
memory/676-110-0x0000000003ED0000-0x0000000003ED8000-memory.dmpFilesize
32KB
-
memory/908-54-0x00000000761F1000-0x00000000761F3000-memory.dmpFilesize
8KB
-
memory/908-56-0x0000000000400000-0x0000000000607000-memory.dmpFilesize
2.0MB
-
memory/908-55-0x0000000000400000-0x0000000000607000-memory.dmpFilesize
2.0MB
-
memory/1144-64-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmpFilesize
8KB
-
memory/1544-112-0x0000000000000000-mapping.dmp
-
memory/1704-111-0x0000000000000000-mapping.dmp
-
memory/1988-62-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB