Analysis
max time kernel: 97s
max time network: 70s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2022 23:09
Static task: static1
Behavioral task: behavioral1
  Sample: f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe
  Resource: win10v2004-20220812-en
General
Target: f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe
Size: 244KB
MD5: 796f5aaf5dbdbcff4a04358e45f28920
SHA1: 4695faa6d9c02fdb02cd91629e8b3eca2f14fa56
SHA256: f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195
SHA512: f6770a548c83aa950408490e45d3289e1d22d5eca567e4e637b135fb7085f78fe26663d7c4fdc7df83575030a1c1015d51b0980d9550509ebf33335c6fee7815
SSDEEP: 6144:hKxMcnHkSbJCtBvwYkbvzXRrhWeW835EkbroAx:+HZYBo3h3fh
Malware Config
Extracted
gozi_ifsb
3
-
exe_type: worker
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)

Deletes itself (1 IoC)
  PID 1488 cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\newdller = "C:\\Windows\\system32\\compvert.exe" (f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe)

Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\compvert.exe (f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe)
  File opened for modification: C:\Windows\SysWOW64\compvert.exe (f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 1168 (f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe) set thread context of PID 1728 (explorer.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (5 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1728 explorer.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1728 explorer.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 1168 f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe

Suspicious use of AdjustPrivilegeToken (15 IoCs)
  Token: SeShutdownPrivilege, PID 1728 explorer.exe (11 events)
  Token: 33, PID 1408 AUDIODG.EXE (2 events)
  Token: SeIncBasePriorityPrivilege, PID 1408 AUDIODG.EXE (2 events)

Suspicious use of FindShellTrayWindow (25 IoCs)
  PID 1728 explorer.exe (25 events)

Suspicious use of SendNotifyMessage (17 IoCs)
  PID 1728 explorer.exe (17 events)

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1168 (f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe) wrote to memory of PID 1728 (explorer.exe), 7 events
  PID 1168 (f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe) wrote to memory of PID 1488 (cmd.exe), 4 events
  PID 1488 (cmd.exe) wrote to memory of PID 832 (attrib.exe), 4 events

Views/modifies file attributes (1 TTP, 1 IoC)
Processes

C:\Users\Admin\AppData\Local\Temp\f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\explorer.exe (depth 2)
    Command line: "C:\Windows\explorer.exe"
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7142334.bat" "C:\Users\Admin\AppData\Local\Temp\f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe""
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f1c6a47ac95ce77c9794dab6056f49738a84cf9e443350ccecc5918829b2c195.exe"
      - Views/modifies file attributes

C:\Windows\system32\AUDIODG.EXE (depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x590
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\7142334.bat
  Filesize: 72B
  MD5: 03471582186b6b08ab9c17c0465181c4
  SHA1: 1bc24aec3fd45a8d5cc6c4e7854f260bb555328c
  SHA256: 3f867d8898dc9193004b4d61724c3d975d1566fa6fddc912161e29b222f29285
  SHA512: 5a6903c049066b8c2eefa021731a19350310a47d182789b32b0803ce57ec7483bc5824ab671bd1a71fcf4bdfe8d81d0009627cba9d77397f4e46079264d7fbbe

memory/832-64-0x0000000000000000-mapping.dmp
memory/1168-54-0x0000000076401000-0x0000000076403000-memory.dmp (Filesize: 8KB)
memory/1168-55-0x0000000000130000-0x000000000015F000-memory.dmp (Filesize: 188KB)
memory/1168-56-0x0000000000130000-0x000000000015E000-memory.dmp (Filesize: 184KB)
memory/1168-59-0x0000000000130000-0x000000000015E000-memory.dmp (Filesize: 184KB)
memory/1168-62-0x0000000000130000-0x000000000015E000-memory.dmp (Filesize: 184KB)
memory/1488-61-0x0000000000000000-mapping.dmp
memory/1728-57-0x0000000000000000-mapping.dmp
memory/1728-58-0x00000000002D0000-0x0000000000328000-memory.dmp (Filesize: 352KB)
memory/1728-60-0x000007FEFC661000-0x000007FEFC663000-memory.dmp (Filesize: 8KB)