Analysis
- max time kernel: 551s
- max time network: 543s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-10-2022 23:52
Static task: static1
Behavioral task: behavioral1
  Sample: 026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe
  Resource: win10v2004-20220901-en
General
- Target: 026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe
- Size: 302KB
- MD5: f870c0d62691fc39194922e4a59fdc1c
- SHA1: 69369a1aa35592ca4eede5179060f2c58e9bae6e
- SHA256: 026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44
- SHA512: 92a452a2f63e9e214f98d14fcee1dd8f8c55b94ce90ed541986af08117f09779e159f76ae043ab6be4c49d254e4846448b632e0f33fcafb0be362a90a1a934ae
- SSDEEP: 6144:qTBSsdUvHN91B8LdCCoVupEo5KdEBaxRxnxXOWFi2HAwsih5:oUJvHNnBGdpOupzEdEByxW2g
Malware Config
Extracted family: gozi_ifsb
1010
- sys.cwthecw.com/bcms/assets/img
- sys.whyblacklivesmatter.org/bcms/assets/img
- sys.mohitsagarmusic.com/bcms/assets/img
- lansystemstat.com/bcms/assets/img
- highnetwork.pw/bcms/assets/img
- lostnetwork.in/bcms/assets/img
- sysconnections.net/bcms/assets/img
- lansupports.com/bcms/assets/img
- exe_type: worker
- server_id: 35
Signatures
- Executes dropped EXE (2 IoCs)
  pid 1864, process dsroXP32.exe
  pid 548, process dsroXP32.exe
- Loads dropped DLL (2 IoCs)
  pid 376, process cmd.exe
  pid 376, process cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmvdXT32 = "C:\\Users\\Admin\\AppData\\Roaming\\clbcwcfg\\dsroXP32.exe"
  process: 026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe
- Suspicious use of SetThreadContext (4 IoCs)
  PID 1840 set thread context of 1388 | process 026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe | procid_target 27
  PID 1864 set thread context of 548 | process dsroXP32.exe | procid_target 32
  PID 548 set thread context of 976 | process dsroXP32.exe | procid_target 33
  PID 976 set thread context of 1236 | process svchost.exe | procid_target 19
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 548, process dsroXP32.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 548, process dsroXP32.exe
  pid 976, process svchost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1236, process Explorer.EXE
  pid 1236, process Explorer.EXE
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1236, process Explorer.EXE
  pid 1236, process Explorer.EXE
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1236, process Explorer.EXE
- Suspicious use of WriteProcessMemory (44 IoCs, identical entries grouped with their count)
  PID 1840 wrote to memory of 1388 | process 026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe | procid_target 27 (11 entries)
  PID 1388 wrote to memory of 1748 | process 026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe | procid_target 28 (4 entries)
  PID 1748 wrote to memory of 376 | process cmd.exe | procid_target 30 (4 entries)
  PID 376 wrote to memory of 1864 | process cmd.exe | procid_target 31 (4 entries)
  PID 1864 wrote to memory of 548 | process dsroXP32.exe | procid_target 32 (11 entries)
  PID 548 wrote to memory of 976 | process dsroXP32.exe | procid_target 33 (7 entries)
  PID 976 wrote to memory of 1236 | process svchost.exe | procid_target 19 (3 entries)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   PID: 1236
  2. C:\Users\Admin\AppData\Local\Temp\026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe"
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory
     PID: 1840
    3. C:\Users\Admin\AppData\Local\Temp\026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44.exe"
       - Adds Run key to start application
       - Suspicious use of WriteProcessMemory
       PID: 1388
      4. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\E8C7\E607.bat" "C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe" "C:\Users\Admin\AppData\Local\Temp\026FD6~1.EXE""
         - Suspicious use of WriteProcessMemory
         PID: 1748
        5. C:\Windows\SysWOW64\cmd.exe
           Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe" "C:\Users\Admin\AppData\Local\Temp\026FD6~1.EXE""
           - Loads dropped DLL
           - Suspicious use of WriteProcessMemory
           PID: 376
          6. C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
             Command line: "C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe" "C:\Users\Admin\AppData\Local\Temp\026FD6~1.EXE"
             - Executes dropped EXE
             - Suspicious use of SetThreadContext
             - Suspicious use of WriteProcessMemory
             PID: 1864
            7. C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe
               Command line: "C:\Users\Admin\AppData\Roaming\clbcwcfg\dsroXP32.exe"
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of WriteProcessMemory
               PID: 548
              8. C:\Windows\system32\svchost.exe
                 Command line: C:\Windows\system32\svchost.exe
                 - Suspicious use of SetThreadContext
                 - Suspicious behavior: MapViewOfSection
                 - Suspicious use of WriteProcessMemory
                 PID: 976
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 108B
  MD5: f810037d3b967d97fa05fb81d47d6ca1
  SHA1: 9cb859796e022b98ca0b52cd05c7aeb455043401
  SHA256: 21e5c5cc757311737ad031aea3360d93e0d39590aee66f8c4085293f5a8a2700
  SHA512: 6199051e0d29baa4d7bb2e6a15eee82c28062ecbb0ca7e0314fcc9fa9b5528bfddbc56dfe8cefb87fc67c9cfda9f0149ad817e53872f44a506ec51678c183efd
- Filesize: 302KB
  MD5: f870c0d62691fc39194922e4a59fdc1c
  SHA1: 69369a1aa35592ca4eede5179060f2c58e9bae6e
  SHA256: 026fd6ab8b5f12d1ae0795f7ad79b05a7ca1dc83e996cb7ee37f1b417d66de44
  SHA512: 92a452a2f63e9e214f98d14fcee1dd8f8c55b94ce90ed541986af08117f09779e159f76ae043ab6be4c49d254e4846448b632e0f33fcafb0be362a90a1a934ae