Analysis

  • max time kernel
    589s
  • max time network
    514s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-10-2022 00:07

General

  • Target

    2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

  • Size

    210KB

  • MD5

    85805d82dabc0dd52887500bac553b21

  • SHA1

    d2113a557620ab04bc5d70d17196adf4d616fc46

  • SHA256

    6bbc933ec989233a4eebb376bb7589ec5c3c8fd949b7a822fce432313440e886

  • SHA512

    3489b0121df37ff4da162a761de8867bab34cdf5b76a31f2987fc7303e7fa78a74fedc7d2ec780127842b0410ed2e220274164b30b177b302990bdebdac941de

  • SSDEEP

    6144:mqkjiG4DOVwfSqlFR25owgSidd3Xy441GE3UKKz1PFB:hdfDOerzRyo9rnYGKe1PFB

Malware Config

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
    "C:\Users\Admin\AppData\Local\Temp\2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9965.bat" "C:\Users\Admin\AppData\Local\Temp\2E5639~1.EXE""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\2E5639~1.EXE"
        3⤵
        • Views/modifies file attributes
        PID:1124
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2784
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4956

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9965.bat

    Filesize

    76B

    MD5

    f8b5cde930fe119907120adc36e2c950

    SHA1

    aff0d7fdb346f3d5b211ed0eff837693350e6a54

    SHA256

    6f01c120b4d8e7572807f1907287d98cf76d8172a3ec9495854fd8a418e6f1b5

    SHA512

    f079c66269a357356c7fc4bdcb282b3e3f165d2911b513e53beb14df89c8ea038a74511b62435932e2c8c4d24da221de51cba2631fb9ea88d49703d3c2375313

  • memory/4956-154-0x000001DDA911B000-0x000001DDA911E000-memory.dmp

    Filesize

    12KB

  • memory/4956-155-0x000001DDA911B000-0x000001DDA911E000-memory.dmp

    Filesize

    12KB

  • memory/4956-145-0x000001DDA70A0000-0x000001DDA70C0000-memory.dmp

    Filesize

    128KB

  • memory/4956-147-0x000001DDA7E50000-0x000001DDA7E70000-memory.dmp

    Filesize

    128KB

  • memory/4956-152-0x000001DDA911B000-0x000001DDA911E000-memory.dmp

    Filesize

    12KB

  • memory/4956-153-0x000001DDA911B000-0x000001DDA911E000-memory.dmp

    Filesize

    12KB

  • memory/4956-143-0x000001DDA7140000-0x000001DDA7160000-memory.dmp

    Filesize

    128KB

  • memory/4956-144-0x000001DDA7218000-0x000001DDA7220000-memory.dmp

    Filesize

    32KB

  • memory/4956-160-0x000001DDA9148000-0x000001DDA914C000-memory.dmp

    Filesize

    16KB

  • memory/4956-161-0x000001DDA9148000-0x000001DDA914C000-memory.dmp

    Filesize

    16KB

  • memory/4956-162-0x000001DDA9148000-0x000001DDA914C000-memory.dmp

    Filesize

    16KB

  • memory/4956-163-0x000001DDA9148000-0x000001DDA914C000-memory.dmp

    Filesize

    16KB

  • memory/4956-164-0x000001DDA9148000-0x000001DDA914C000-memory.dmp

    Filesize

    16KB

  • memory/4956-167-0x000001DDA914C000-0x000001DDA914F000-memory.dmp

    Filesize

    12KB

  • memory/4956-168-0x000001DDA914C000-0x000001DDA914F000-memory.dmp

    Filesize

    12KB

  • memory/4956-169-0x000001DDA914C000-0x000001DDA914F000-memory.dmp

    Filesize

    12KB