Analysis
- max time kernel: 106s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 13-10-2022 18:12
Static task: static1
Behavioral task: behavioral1
- Sample: 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
- Resource: win10v2004-20220812-en
General
- Target: 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
- Size: 330KB
- MD5: 6a4b1cfb80bdb519dcd780cf3394de20
- SHA1: e14344457221584f5ae03f041eeddcec1c941597
- SHA256: 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80
- SHA512: 46acb4dc1311a7e0f016f44b3c8cf1d140b65bd5de57c2566d85f0289a91e10fba9df9493c8a8ad3c838d6b4ff85c1343dcd80b24f52876f3eb2703f3a6d417f
- SSDEEP: 6144:wikrw8J6L91p9xzyohKhRcIERqcKvl9W695OHIue/Ytijm/:M8iE93jkIIEwc6l9W62Hht
Malware Config
Extracted
- gozi_ifsb
- 1010
- siasecuritychecks.com
- 195.20.141.92
- exe_type: worker
- server_id: 12
Signatures
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    1340 | cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhcpprop = "C:\\Windows\\system32\\Audiwcfg.exe" | 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\system32\Audiwcfg.exe | 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
    File opened for modification | C:\Windows\system32\Audiwcfg.exe | 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 1460 set thread context of 936 | 1460 | 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe | explorer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (5 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings | explorer.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid | process
    1460 | 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    936 | explorer.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid | process
    1460 | 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes: explorer.exe, AUDIODG.EXE
    description | pid | process
    Token: SeShutdownPrivilege | 936 | explorer.exe (12 occurrences)
    Token: 33 | 528 | AUDIODG.EXE (2 occurrences)
    Token: SeIncBasePriorityPrivilege | 528 | AUDIODG.EXE (2 occurrences)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes:
    pid | process
    936 | explorer.exe (25 occurrences)
- Suspicious use of SendNotifyMessage (17 IoCs)
  Processes:
    pid | process
    936 | explorer.exe (17 occurrences)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe, cmd.exe
    description | pid | process | target process
    PID 1460 wrote to memory of 936 | 1460 | 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe | explorer.exe (7 occurrences)
    PID 1460 wrote to memory of 1340 | 1460 | 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe | cmd.exe (4 occurrences)
    PID 1340 wrote to memory of 1448 | 1340 | cmd.exe | attrib.exe (4 occurrences)
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\C4C4.bat" "C:\Users\Admin\AppData\Local\Temp\95B107~1.EXE""
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\95B107~1.EXE"
      - Views/modifies file attributes
- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x564
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\C4C4.bat
  Filesize: 72B
  MD5: 13eb692980fe6d822eb6208a65f604cb
  SHA1: dcc4b37e47bd10258c5d595a8a4fe52ade75186b
  SHA256: 4f69991c52bfd35f0a8d7430293a095b7bfcb467a8205b5001a44f16bfc85b32
  SHA512: 764509732549899b78b409c07059298f3c249bdd8b0beda32f5077b5d21c7c2c09ccb3097fa14bf65369bd5d48dc0f53ac5e38d7793c4b672cbe26307b92c9f8
- memory/936-56-0x0000000000000000-mapping.dmp
- memory/936-58-0x000007FEFB151000-0x000007FEFB153000-memory.dmp
  Filesize: 8KB
- memory/936-63-0x0000000001B40000-0x0000000001BA2000-memory.dmp
  Filesize: 392KB
- memory/1340-59-0x0000000000000000-mapping.dmp
- memory/1448-62-0x0000000000000000-mapping.dmp
- memory/1460-54-0x0000000000230000-0x000000000025F000-memory.dmp
  Filesize: 188KB
- memory/1460-55-0x0000000075981000-0x0000000075983000-memory.dmp
  Filesize: 8KB
- memory/1460-57-0x0000000000400000-0x0000000000457000-memory.dmp
  Filesize: 348KB
- memory/1460-60-0x0000000000400000-0x0000000000457000-memory.dmp
  Filesize: 348KB