Analysis
- max time kernel: 408s
- max time network: 406s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 27-10-2022 00:03

Behavioral task: behavioral1
- Sample: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
- Resource: win10v2004-20220812-en
General
- Target: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
- Size: 210KB
- MD5: 85805d82dabc0dd52887500bac553b21
- SHA1: d2113a557620ab04bc5d70d17196adf4d616fc46
- SHA256: 6bbc933ec989233a4eebb376bb7589ec5c3c8fd949b7a822fce432313440e886
- SHA512: 3489b0121df37ff4da162a761de8867bab34cdf5b76a31f2987fc7303e7fa78a74fedc7d2ec780127842b0410ed2e220274164b30b177b302990bdebdac941de
- SSDEEP: 6144:mqkjiG4DOVwfSqlFR25owgSidd3Xy441GE3UKKz1PFB:hdfDOerzRyo9rnYGKe1PFB

Malware Config
Extracted: gozi_ifsb
- 1010
- supportsstats.com/geodata/version/ip2ext
- neteworkgroup.com/geodata/version/ip2ext
- highnetwork.pw/geodata/version/ip2ext
- lostnetwork.in/geodata/version/ip2ext
- sysconnections.net/geodata/version/ip2ext
- lansupports.com/geodata/version/ip2ext
- build: 212578
- exe_type: worker
- server_id: 30
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself (1 IoCs)
Processes: cmd.exe
  pid | process
  760 | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\C_ISroxy = "C:\\Windows\\system32\\bitsprx3.exe" | 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

Drops file in System32 directory (2 IoCs)
Processes: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
  description | ioc | process
  File created | C:\Windows\system32\bitsprx3.exe | 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
  File opened for modification | C:\Windows\system32\bitsprx3.exe | 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28DB.bin" | 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
  description | pid | process | target process
  PID 1148 set thread context of 1392 | 1148 | 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (5 IoCs)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
  pid | process
  1148 | 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: explorer.exe
  pid | process
  1392 | explorer.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
  pid | process
  1148 | 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes: explorer.exe, AUDIODG.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 1392 | explorer.exe (13 occurrences)
  Token: 33 | 2016 | AUDIODG.EXE (2 occurrences)
  Token: SeIncBasePriorityPrivilege | 2016 | AUDIODG.EXE (2 occurrences)

Suspicious use of FindShellTrayWindow (33 IoCs)
Processes: explorer.exe
  pid | process
  1392 | explorer.exe (33 occurrences)

Suspicious use of SendNotifyMessage (23 IoCs)
Processes: explorer.exe
  pid | process
  1392 | explorer.exe (23 occurrences)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: explorer.exe
  pid | process
  1392 | explorer.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe, cmd.exe
  description | pid | process | target process
  PID 1148 wrote to memory of 1392 | 1148 | 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe | explorer.exe (7 occurrences)
  PID 1148 wrote to memory of 760 | 1148 | 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe | cmd.exe (4 occurrences)
  PID 760 wrote to memory of 2012 | 760 | cmd.exe | attrib.exe (4 occurrences)

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (level 2)
    Command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\534C.bat" "C:\Users\Admin\AppData\Local\Temp\2E5639~1.EXE""
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\2E5639~1.EXE"
      - Views/modifies file attributes
- C:\Windows\system32\AUDIODG.EXE (level 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x56c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\534C.bat
  Filesize: 72B
  MD5: 9398ce54ecd4e77353dca5660559b46c
  SHA1: 47c0888e4ac000bb878e757efb3b11372117afca
  SHA256: 8318b50c8e96f0f62d98b332f72bc57c8550a61db036e75539a6c3be601c7490
  SHA512: 1f884b187349f8ba056f7e656eb586c53b2f2109c261fcc8143720dd20313d1a49c583ebfbf5a66f6efe885eb80ac4bd72fbe47ba0d3fe896778530414400f8e
- memory/760-58-0x0000000000000000-mapping.dmp
- memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp
  Filesize: 8KB
- memory/1392-55-0x0000000000000000-mapping.dmp
- memory/1392-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp
  Filesize: 8KB
- memory/1392-57-0x0000000001B10000-0x0000000001B96000-memory.dmp
  Filesize: 536KB
- memory/2012-60-0x0000000000000000-mapping.dmp