Analysis
- max time kernel: 599s
- max time network: 503s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-10-2022 00:07
Static task: static1
Behavioral task behavioral1: sample 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff.exe, resource win7-20220812-en
Behavioral task behavioral2: sample 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff.exe, resource win10v2004-20220901-en (this page)
General
- Target: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff.exe
- Size: 503KB
- MD5: 60238ebad1c44bf159c2eba25f3c4ca6
- SHA1: 8ee071c4e55bbc7ac2fcfa1779307b2e19f1e9d0
- SHA256: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff
- SHA512: f209749ed5d7e6a189fcd4efc31b4eb2a462d6d7654b23101d0e2aad73a6d812cdf5a38840eb2a0309061b066d4a853f1e649f6ba35db0dac09e42d650302945
- SSDEEP: 12288:mqE2NJWh/VScyFi9VJqgqrSyXNTTkiYfwtfYNh:k00dUi9SgLwdYfwt
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 3000
- C2: romaya.ru, matashka.ru, matashka399.ru
- build: 200000
- exe_type: worker
- server_id: 12
Signatures
- Executes dropped EXE (1 IoC)
  PID 544 Authbk32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  Process: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bitssvcs = "C:\\Users\\Admin\\AppData\\Roaming\\AppVider\\Authbk32.exe"
  Process: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff.exe
  (The report prints the value data with escaped backslashes; the path is the dropped copy that Authbk32.exe runs from below.)
- Suspicious use of SetThreadContext (6 IoCs)
  PID 544 Authbk32.exe set thread context of 1156 (target id 95)
  PID 1156 svchost.exe set thread context of 2056 (target id 47)
  PID 2056 Explorer.EXE set thread context of 3436 (target id 21)
  PID 2056 Explorer.EXE set thread context of 3636 (target id 44)
  PID 2056 Explorer.EXE set thread context of 4696 (target id 24)
  PID 2056 Explorer.EXE set thread context of 4816 (target id 82)
  Read together with the process list below, these six entries are one injection chain: the dropped Authbk32.exe (544) spawns svchost.exe (1156) and sets its thread context (consistent with process hollowing), svchost.exe does the same to the already-running Explorer.EXE (2056), and Explorer.EXE then targets the four RuntimeBroker.exe instances (3436, 3636, 4696, 4816). Each hop is paired with WriteProcessMemory entries for the same source/target PIDs under that signature.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The second sentence is the sandbox's generic description for this signature. The sample is classified as gozi_ifsb (a banking trojan) in the extracted config above, and nothing else on this page supports encryption activity, so read this as drive enumeration only.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 544 Authbk32.exe (x2), PID 2056 Explorer.EXE (x2)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2056 Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  PID 544 Authbk32.exe, PID 1156 svchost.exe, PID 2056 Explorer.EXE (x4)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, 23 entries each; every entry is PID 2056 Explorer.EXE.
  (2056 is the Explorer.EXE the chain injects into, so the sandbox attributes these calls to Explorer whether the implant or Explorer's own code issued them.)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2056 Explorer.EXE
- Suspicious use of UnmapMainImage (1 IoC)
  PID 2056 Explorer.EXE
- Suspicious use of WriteProcessMemory (32 IoCs)
  source PID and image -> target PID (target id), number of entries
  4896 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff.exe -> 4628 (90), x3
  4628 cmd.exe -> 2996 (92), x3
  4628 cmd.exe -> 3236 (93), x3
  3236 cmd.exe -> 544 (94), x3
  544 Authbk32.exe -> 1156 (95), x5
  1156 svchost.exe -> 2056 (47), x3
  2056 Explorer.EXE -> 3436 (21), x3
  2056 Explorer.EXE -> 3636 (44), x3
  2056 Explorer.EXE -> 4696 (24), x3
  2056 Explorer.EXE -> 4816 (82), x3
  The first four edges are parent-to-child writes that accompany ordinary process creation in this chain (no SetThreadContext entry exists for them); the remaining six coincide with the SetThreadContext entries above and are the injection hops.
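The SetThreadContext and WriteProcessMemory tables above are flat lists of per-call records, and the useful fact is which source/target edges carry both calls. The following Python is an added example (not part of this report and not the sandbox vendor's tooling) that parses those records as the page prints them, separates injection edges from the write-only edges that accompany process creation, and walks the chain from the dropped EXE. The records are copied from the two tables with the sample's 64-character file name shortened to SAMPLE.exe; the RuntimeBroker.exe image names for the injection targets come from the process list; the rule "write without thread-context change equals process creation" is this example's assumption and holds for this report, not as a general law.

```python
import re
from collections import defaultdict

# The six SetThreadContext and 32 WriteProcessMemory records from the report,
# with the sample's 64-hex-character file name shortened to SAMPLE.exe.
# Record layout as printed: "PID <src> <verb> <dst> <src> <image> <target id>".
SET_THREAD_CONTEXT_IOCS = """
PID 544 set thread context of 1156 544 Authbk32.exe 95
PID 1156 set thread context of 2056 1156 svchost.exe 47
PID 2056 set thread context of 3436 2056 Explorer.EXE 21
PID 2056 set thread context of 3636 2056 Explorer.EXE 44
PID 2056 set thread context of 4696 2056 Explorer.EXE 24
PID 2056 set thread context of 4816 2056 Explorer.EXE 82
"""
WRITE_PROCESS_MEMORY_IOCS = """
PID 4896 wrote to memory of 4628 4896 SAMPLE.exe 90 PID 4896 wrote to memory of 4628 4896 SAMPLE.exe 90
PID 4896 wrote to memory of 4628 4896 SAMPLE.exe 90 PID 4628 wrote to memory of 2996 4628 cmd.exe 92
PID 4628 wrote to memory of 2996 4628 cmd.exe 92 PID 4628 wrote to memory of 2996 4628 cmd.exe 92
PID 4628 wrote to memory of 3236 4628 cmd.exe 93 PID 4628 wrote to memory of 3236 4628 cmd.exe 93
PID 4628 wrote to memory of 3236 4628 cmd.exe 93 PID 3236 wrote to memory of 544 3236 cmd.exe 94
PID 3236 wrote to memory of 544 3236 cmd.exe 94 PID 3236 wrote to memory of 544 3236 cmd.exe 94
PID 544 wrote to memory of 1156 544 Authbk32.exe 95 PID 544 wrote to memory of 1156 544 Authbk32.exe 95
PID 544 wrote to memory of 1156 544 Authbk32.exe 95 PID 544 wrote to memory of 1156 544 Authbk32.exe 95
PID 544 wrote to memory of 1156 544 Authbk32.exe 95 PID 1156 wrote to memory of 2056 1156 svchost.exe 47
PID 1156 wrote to memory of 2056 1156 svchost.exe 47 PID 1156 wrote to memory of 2056 1156 svchost.exe 47
PID 2056 wrote to memory of 3436 2056 Explorer.EXE 21 PID 2056 wrote to memory of 3436 2056 Explorer.EXE 21
PID 2056 wrote to memory of 3436 2056 Explorer.EXE 21 PID 2056 wrote to memory of 3636 2056 Explorer.EXE 44
PID 2056 wrote to memory of 3636 2056 Explorer.EXE 44 PID 2056 wrote to memory of 3636 2056 Explorer.EXE 44
PID 2056 wrote to memory of 4696 2056 Explorer.EXE 24 PID 2056 wrote to memory of 4696 2056 Explorer.EXE 24
PID 2056 wrote to memory of 4696 2056 Explorer.EXE 24 PID 2056 wrote to memory of 4816 2056 Explorer.EXE 82
PID 2056 wrote to memory of 4816 2056 Explorer.EXE 82 PID 2056 wrote to memory of 4816 2056 Explorer.EXE 82
"""

# Image names for PIDs that only ever appear as targets, taken from the report's process list.
PROCESS_LIST = {3436: "RuntimeBroker.exe", 3636: "RuntimeBroker.exe",
                4696: "RuntimeBroker.exe", 4816: "RuntimeBroker.exe"}

RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)"
)


def parse_iocs(text):
    """Yield (src_pid, verb, dst_pid, src_image) for every record in a flattened table."""
    for m in RECORD.finditer(text):
        yield int(m["src"]), m["verb"], int(m["dst"]), m["image"]


def build_graph(*texts):
    """images: PID -> image name; writes: (src, dst) -> WriteProcessMemory count;
    thread_ctx: set of (src, dst) edges that carry a SetThreadContext call."""
    images, writes, thread_ctx = dict(PROCESS_LIST), defaultdict(int), set()
    for text in texts:
        for src, verb, dst, image in parse_iocs(text):
            images[src] = image
            if verb == "wrote to memory of":
                writes[(src, dst)] += 1
            else:
                thread_ctx.add((src, dst))
    return images, writes, thread_ctx


def classify_edges(writes, thread_ctx):
    """An edge with both a memory write and a thread-context change is code injection
    (the writer also redirects execution in the target). Write-only edges are, in this
    report, the parent-to-child writes of ordinary process creation (assumption)."""
    injection = {e for e in writes if e in thread_ctx}
    creation = set(writes) - injection
    return injection, creation


def injection_chain(start, injection, images):
    """Follow single-target injection hops from start; return the hops walked and the
    sorted target PIDs at the first fan-out (several targets from one injector)."""
    chain, pid = [], start
    while True:
        chain.append((pid, images.get(pid, "?")))
        targets = sorted(d for s, d in injection if s == pid)
        if len(targets) != 1:
            return chain, targets
        pid = targets[0]


if __name__ == "__main__":
    images, writes, ctx = build_graph(SET_THREAD_CONTEXT_IOCS, WRITE_PROCESS_MEMORY_IOCS)
    injection, creation = classify_edges(writes, ctx)
    chain, fan_out = injection_chain(544, injection, images)
    print(" -> ".join(f"{img} ({pid})" for pid, img in chain))
    print("fan-out:", [(p, images[p]) for p in fan_out])
    print("creation edges:", sorted(creation))
```

Run stand-alone it prints Authbk32.exe (544) -> svchost.exe (1156) -> Explorer.EXE (2056), a fan-out onto the four RuntimeBroker.exe PIDs, and the four creation edges. The point of keeping the write counts is that they are not what separates the two kinds of edge here: every creation edge and most injection edges show three writes, only 544 -> 1156 shows five, so the co-occurrence with SetThreadContext is the signal, not the volume.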
Processes
(image path followed by the PID; "cmd:" gives the command line where it differs from the image path; indentation is the parent/child depth the sandbox recorded)

C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 3436)
C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 4696)
C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 3636)
C:\Windows\Explorer.EXE  (PID 2056)
    Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff.exe  (PID 4896)
      cmd: "C:\Users\Admin\AppData\Local\Temp\3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff.exe"
      Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 4628)
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D9F8\95F6.bat" "C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe" "C:\Users\Admin\AppData\Local\Temp\3953FA~1.EXE""
        Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (PID 2996)
          cmd: cmd /C ""C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe" "C:\Users\Admin\AppData\Local\Temp\3953FA~1.EXE""
      C:\Windows\SysWOW64\cmd.exe  (PID 3236)
          cmd: cmd /C ""C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe" "C:\Users\Admin\AppData\Local\Temp\3953FA~1.EXE""
          Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe  (PID 544)
            cmd: "C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe" "C:\Users\Admin\AppData\Local\Temp\3953FA~1.EXE"
            Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
          C:\Windows\system32\svchost.exe  (PID 1156)
              cmd: C:\Windows\system32\svchost.exe
              Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
C:\Windows\System32\RuntimeBroker.exe -Embedding  (PID 4816)
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv  (PID 4800)

Points worth noting in the tree:
- The sample and the cmd.exe instances it spawns run from SysWOW64, i.e. as 32-bit processes on the x64 image, matching the arch:x86 resource tag.
- The batch file 95F6.bat receives two arguments, the destination path for the dropped copy (Authbk32.exe, the same path written to the Bitssvcs Run value) and the original sample's 8.3 name. The launch of Authbk32.exe is attempted twice (PIDs 2996 and 3236); only the second shows a child process.
- svchost.exe (PID 1156) is started by Authbk32.exe with a bare command line and no "-k" service group, unlike the legitimate instance at PID 4800 ("-k NetworkService -p -s TapiSrv"), and is then written to and has its thread context set by its parent. An svchost.exe whose parent is not services.exe and whose command line carries no service group is a hunting point this report supports directly.
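The two host artefacts this report gives a defender are the Run value (Bitssvcs pointing at a freshly dropped binary under AppData\Roaming) and the Geo\Nation query by the sample before anything else happens. The following Python is an added example (not part of the report or of the sandbox's own signature logic) that applies both checks offline to a registry export and to registry-query events of the shape the report prints. The Bitssvcs entry and the first query event are the report's; the other Run entries and events are constructed benign examples for contrast, the sample's file name is shortened to SAMPLE.exe, and the heuristics (user-writable directory as the strong signal, value-name/binary-name mismatch as added weight) are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to. A Run value pointing here is the
# pattern the report shows (Roaming\AppVider\Authbk32.exe). Heuristic, not exhaustive.
USER_WRITABLE_DIRS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\",
)
GEO_NATION_SUFFIX = "\\control panel\\international\\geo\\nation"

# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run as
# (value name, value data). The first entry is the one the report recorded (the
# report prints its backslashes doubled); the other two are made-up benign examples.
RUN_ENTRIES = [
    ("Bitssvcs", r"C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe"),
    ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"C:\Program Files\Windows Defender\MSASCuiL.exe"),
]

# Constructed registry-query events (process image, key path) in the shape the
# sandbox reports them. The first mirrors the report's geofence IoC with the sample's
# 64-hex-character file name shortened to SAMPLE.exe; the other two are benign.
REG_QUERY_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe",
     r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation"),
    (r"C:\Windows\System32\svchost.exe",
     r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation"),
    (r"C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe",
     r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run"),
]


def exe_path(value_data):
    """Extract the program path from Run value data, quoted or followed by arguments."""
    m = re.match(r'\s*"?(.+?\.exe)"?(?:\s|$)', value_data, re.IGNORECASE)
    return m.group(1) if m else value_data.strip('"')


def assess_run_entry(name, value_data):
    """Flag a Run entry whose binary sits in a user-writable directory (strong signal)
    and note when the value name is unrelated to the binary name, as with
    Bitssvcs vs Authbk32.exe (weak signal on its own: legitimate entries do it too)."""
    path = PureWindowsPath(exe_path(value_data))
    low = str(path).lower()
    stem, label = path.stem.lower(), name.lower()
    return {
        "name": name,
        "path": str(path),
        "user_writable": any(d in low for d in USER_WRITABLE_DIRS),
        "name_mismatch": stem not in label and label not in stem,
    }


def suspicious_run_entries(entries):
    """Entries worth triage: user-writable location required, name mismatch sorts first."""
    scored = [assess_run_entry(n, v) for n, v in entries]
    hits = [e for e in scored if e["user_writable"]]
    return sorted(hits, key=lambda e: e["name_mismatch"], reverse=True)


def geofence_lookups(events):
    """Geo\\Nation queries by anything outside the Windows directory. The lookup itself
    is benign (it returns the configured locale code); a user-land binary doing it as
    one of its first actions is the geofence check the report flags."""
    return [
        (image, key) for image, key in events
        if key.lower().endswith(GEO_NATION_SUFFIX) and not image.lower().startswith("c:\\windows\\")
    ]


if __name__ == "__main__":
    for hit in suspicious_run_entries(RUN_ENTRIES):
        print("Run value", hit["name"], "->", hit["path"], "(name mismatch)" if hit["name_mismatch"] else "")
    for image, key in geofence_lookups(REG_QUERY_EVENTS):
        print("geofence lookup by", image)
```

On the constructed input only Bitssvcs is reported (OneDrive lives under AppData\Local\Microsoft, which the directory list deliberately leaves alone, and SecurityHealth is under Program Files despite its mismatched name), and only the sample's Geo\Nation query survives the Windows-directory filter. The directory list is the part to tune per estate; the name-mismatch flag should stay advisory, as the SecurityHealth example shows.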
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 112B
  MD5: 4da5d7446a217b7bd397963c2a80b3c3
  SHA1: 1cdb9ae3211a9a92b213f6428439a472d837343f
  SHA256: cb9f070380165a0a1e4aebd079acca6bb60c073aee55aab18aa71e9f262af449
  SHA512: 56c56a7d4c23e49c365a30526607a8b57feb68de1b64d97d27e7a1c494cae864c91d04b1bbaab80c2da453e9a771e4112a73bf198e4a8ce38205c355921ca473
- Filesize: 503KB (listed twice on the page with identical hashes; both match the submitted sample, so the dropped copy is byte-identical to the original)
  MD5: 60238ebad1c44bf159c2eba25f3c4ca6
  SHA1: 8ee071c4e55bbc7ac2fcfa1779307b2e19f1e9d0
  SHA256: 3953faf955eede8c2220a501a0bc58be7fe58898ecb66a44d4373d2259dc69ff
  SHA512: f209749ed5d7e6a189fcd4efc31b4eb2a462d6d7654b23101d0e2aad73a6d812cdf5a38840eb2a0309061b066d4a853f1e649f6ba35db0dac09e42d650302945