Analysis
- max time kernel: 499s
- max time network: 502s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-10-2022 23:52
Static task: static1

Behavioral task: behavioral1
- Sample: 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe
- Resource: win10v2004-20220812-en
General
- Target: 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe
- Size: 428KB
- MD5: e068e708d5b8a92634bc14e782243700
- SHA1: cb249d47bf5d02a7f150085bb9ebedd437454105
- SHA256: 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab
- SHA512: 289e7510742180fdf2e95ae99d3a49af0e5cda30c85da6d6409b42cff915ba9a4b7d8ea9a8c4742b628474189ba36ead06eb6bcdcb93d12ff051d98b518e5fe5
- SSDEEP: 12288:brmFLGnyRj3cBRrAeMFSwxHDmfn3AAxifDBJ:+KyRj3cBRSbxj1RVJ
Malware Config
Extracted: gozi_ifsb
- 1071
- 127.0.0.1
- exe_type: worker
- server_id: 12
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1660 | adsnptsp.exe

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AppRvice = "C:\\Users\\Admin\\AppData\\Roaming\\audibapi\\adsnptsp.exe" | 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoC)
  Processes:
    pid | pid_target | process | target process
    3520 | 1660 | WerFault.exe | adsnptsp.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    1660 | adsnptsp.exe
    1660 | adsnptsp.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description | pid | process | target process
    PID 4860 wrote to memory of 4856 | 4860 | 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe | cmd.exe
    PID 4860 wrote to memory of 4856 | 4860 | 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe | cmd.exe
    PID 4860 wrote to memory of 4856 | 4860 | 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe | cmd.exe
    PID 4856 wrote to memory of 4504 | 4856 | cmd.exe | cmd.exe
    PID 4856 wrote to memory of 4504 | 4856 | cmd.exe | cmd.exe
    PID 4856 wrote to memory of 4504 | 4856 | cmd.exe | cmd.exe
    PID 4504 wrote to memory of 1660 | 4504 | cmd.exe | adsnptsp.exe
    PID 4504 wrote to memory of 1660 | 4504 | cmd.exe | adsnptsp.exe
    PID 4504 wrote to memory of 1660 | 4504 | cmd.exe | adsnptsp.exe
    PID 1660 wrote to memory of 1204 | 1660 | adsnptsp.exe | svchost.exe
    PID 1660 wrote to memory of 1204 | 1660 | adsnptsp.exe | svchost.exe
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAA8\CAA9.bat" "C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe" "C:\Users\Admin\AppData\Local\Temp\249BA9~1.EXE""
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: cmd /C ""C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe" "C:\Users\Admin\AppData\Local\Temp\249BA9~1.EXE""
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe
        command line: "C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe" "C:\Users\Admin\AppData\Local\Temp\249BA9~1.EXE"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\svchost.exe
          command line: C:\Windows\system32\svchost.exe
        - [depth 5] C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 564
          - Program crash
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1660 -ip 1660
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\CAA8\CAA9.bat
  Filesize: 112B
  MD5: 9fb729d63ca02e751668f9b571602ac2
  SHA1: 0e20f31830b7d3b2dd5c69f48b742137b342c38a
  SHA256: a1a2f67f724878c180a9128079586377d79b0bbbb251710294cfe1336037c8d9
  SHA512: 3bdd3ff5bcd38dfe80883ff0ad271d47313f0048a48ebace73714fee2848ebcc4e5eaf89649035ad28c44805cd76916c17537db6482bcba5c34b2840952ec593

- C:\Users\Admin\AppData\Roaming\audibapi\adsnptsp.exe
  Filesize: 428KB
  MD5: e068e708d5b8a92634bc14e782243700
  SHA1: cb249d47bf5d02a7f150085bb9ebedd437454105
  SHA256: 249ba989225747cf269f49e6c14b516031b5071bdbcb5b07843af6f920b2e1ab
  SHA512: 289e7510742180fdf2e95ae99d3a49af0e5cda30c85da6d6409b42cff915ba9a4b7d8ea9a8c4742b628474189ba36ead06eb6bcdcb93d12ff051d98b518e5fe5
- memory/1660-139-0x0000000000000000-mapping.dmp

- memory/1660-142-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize: 704KB

- memory/1660-144-0x00000000004E0000-0x00000000004E7000-memory.dmp
  Filesize: 28KB

- memory/1660-145-0x0000000000530000-0x0000000000533000-memory.dmp
  Filesize: 12KB

- memory/4504-138-0x0000000000000000-mapping.dmp

- memory/4856-136-0x0000000000000000-mapping.dmp

- memory/4860-132-0x0000000000A40000-0x0000000000A47000-memory.dmp
  Filesize: 28KB

- memory/4860-133-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize: 704KB

- memory/4860-135-0x0000000000A90000-0x0000000000A93000-memory.dmp
  Filesize: 12KB