Analysis

Max time kernel:   556s
Max time network:  542s
Platform:          windows7_x64
Resource:          win7-20220901-en
Resource tags:     arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
Submitted:         27-10-2022 00:07

Static task:      static1
Behavioral task:  behavioral1
  Sample:    3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
  Resource:  win7-20220901-en
Behavioral task:  behavioral2
  Sample:    3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
  Resource:  win10v2004-20220812-en

(The sections below are from the behavioral1 run on win7-20220901-en.)
General

Target:  3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
Size:    418KB
MD5:     b8ea5cdd085bea860fb94bef2fecb6d9
SHA1:    3788cec204c0f2f6fe674fba85895f99f48a1f23
SHA256:  3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5
SHA512:  45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632
SSDEEP:  12288:4r7ox3gdRAAzI+L7sCcDIg54qlcepleY:43ox3ghzHsIg2yvU
Malware Config

Extracted
  Family:            gozi_ifsb
  Botnet (group) ID: 1100
  C2 URLs (host/path as extracted, scheme omitted; all fifteen share the URI path /krp3cmg):
    cyajon.at/krp3cmg
    hipohook.cn/krp3cmg
    rokolero.at/krp3cmg
    arexan.at/krp3cmg
    voligon.cn/krp3cmg
    qwevigoc.at/krp3cmg
    comerail.su/krp3cmg
    boombom.at/krp3cmg
    xiloker.cn/krp3cmg
    xorewopa.at/krp3cmg
    goinumder.su/krp3cmg
    ribomoon.cn/krp3cmg
    ambikooly.at/krp3cmg
    therepalon.su/krp3cmg
    chikoole.cn/krp3cmg
  Attributes
    build:      214837
    exe_type:   worker
    server_id:  110
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  1636  drprssec.exe

Deletes itself (1 IoC)
  PID   Process
  1636  drprssec.exe

Loads dropped DLL (1 IoC)
  PID   Process
  904   cmd.exe
Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Description     IoC
  Destination IP  208.67.222.222  (reported 3 times)
  Note: 208.67.222.222 is OpenDNS's resolver1.opendns.com. The three hits match the
  "nslookup myip.opendns.com resolver1.opendns.com" command in the Processes section below,
  a direct query to a non-configured resolver that returns the host's public IP address.
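To turn the extracted config above and this DNS signature into something that can be run over logs, here is an added example (not part of the sandbox report). It derives host and URI-path indicators from the fifteen C2 entries, checks constructed proxy-log lines against them, and reproduces the "DNS port traffic to a resolver that is not the configured one" condition over constructed flow tuples. The proxy line layout, the client addresses, the resolver 10.0.0.2 and the treatment of /krp3cmg as a path prefix are assumptions for illustration.

```python
"""Indicator matching for the ISFB config above: C2 hosts/paths over proxy
log lines, and DNS-port traffic to resolvers that are not the configured ones.
Added example; the log lines, flow tuples, the proxy line format and the
resolver address 10.0.0.2 are constructed for illustration, not from the report."""
import re
from urllib.parse import urlsplit

# C2 entries exactly as extracted in the report (host/path, scheme omitted).
C2_URLS = [
    "cyajon.at/krp3cmg", "hipohook.cn/krp3cmg", "rokolero.at/krp3cmg",
    "arexan.at/krp3cmg", "voligon.cn/krp3cmg", "qwevigoc.at/krp3cmg",
    "comerail.su/krp3cmg", "boombom.at/krp3cmg", "xiloker.cn/krp3cmg",
    "xorewopa.at/krp3cmg", "goinumder.su/krp3cmg", "ribomoon.cn/krp3cmg",
    "ambikooly.at/krp3cmg", "therepalon.su/krp3cmg", "chikoole.cn/krp3cmg",
]

def split_c2(entry):
    """'host/path' -> ('host', '/path')."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path

C2_HOSTS = {split_c2(e)[0] for e in C2_URLS}
C2_PATHS = {split_c2(e)[1] for e in C2_URLS}      # a single shared value here: /krp3cmg

# Constructed proxy-log layout: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def path_matches(path):
    """Match a configured path exactly or as a directory prefix (assumption:
    the bot places request-specific data below the configured path).
    '/krp3cmgx' must not match, so the prefix check requires a '/' boundary."""
    return any(path == p or path.startswith(p + "/") for p in C2_PATHS)

def classify_proxy_line(line):
    """Return (reason, host, client) for a C2-looking request, else None."""
    m = PROXY_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    if host in C2_HOSTS:
        return ("c2_host", host, m["client"])
    if path_matches(url.path):
        # Host not in the config (rotated domain or raw IP) but the URI path
        # matches: a weaker hit that is still worth triage.
        return ("c2_path", host, m["client"])
    return None

def scan_proxy_log(lines):
    return [hit for hit in map(classify_proxy_line, lines) if hit]

# Resolvers the host is supposed to use (constructed for this example).
CONFIGURED_RESOLVERS = {"10.0.0.2"}

def unexpected_dns(flows, allowed=CONFIGURED_RESOLVERS):
    """flows: (src, dst, dport, proto). Returns destinations spoken to on port 53
    that are not allowed resolvers, the condition behind the report's
    'Unexpected DNS network traffic destination' signature."""
    return sorted({dst for _, dst, dport, _ in flows if dport == 53 and dst not in allowed})

# Constructed inputs modelled on the report: one configured C2 host, one benign
# request, one path-only hit on a raw IP, one near-miss on the path boundary;
# DNS flows to the configured resolver and to resolver1.opendns.com (208.67.222.222).
PROXY_LOG = [
    "2022-10-27T00:09:12Z 10.0.0.15 GET http://cyajon.at/krp3cmg/a1b2c3 200",
    "2022-10-27T00:09:13Z 10.0.0.15 GET http://example.com/index.html 200",
    "2022-10-27T00:09:14Z 10.0.0.16 POST http://203.0.113.7/krp3cmg/d4e5f6 200",
    "2022-10-27T00:09:15Z 10.0.0.16 GET http://example.net/krp3cmgx 404",
]
DNS_FLOWS = [
    ("10.0.0.15", "10.0.0.2", 53, "udp"),
    ("10.0.0.15", "208.67.222.222", 53, "udp"),
    ("10.0.0.15", "208.67.222.222", 53, "udp"),
    ("10.0.0.15", "10.0.0.2", 53, "udp"),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy:", hit)
    print("DNS-port traffic to non-configured resolvers:", unexpected_dns(DNS_FLOWS))
```

The host match is the high-confidence indicator; the path-only match exists because ISFB operators rotate domains faster than reports get published, and a raw-IP request carrying the same URI path is still worth a look. The OpenDNS hit is not malicious traffic by itself (it is a public resolver), which is why the report classifies it as an anomaly rather than as C2.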
Adds Run key to start application (2 TTPs, 1 IoC)
  Description      IoC                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\chtbider = "C:\\Users\\Admin\\AppData\\Roaming\\cngpput8\\drprssec.exe"  3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
Suspicious use of SetThreadContext (2 IoCs)
  Source PID  Source process  Target PID  Target process  procid_target
  1636        drprssec.exe    1500        svchost.exe     31
  1500        svchost.exe     1220        Explorer.EXE    17
  Target process names are taken from the Processes section. Writing into a process and then
  resetting its thread context is the process-injection pattern; here the dropped copy injects into
  a freshly started svchost.exe, which in turn injects into the user's Explorer.EXE.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the second sentence is the sandbox's generic description for this signature. The
  extracted config identifies the sample as Gozi/ISFB, a banking trojan, so treat this as
  device enumeration and not as evidence of ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID   Process
  1636  drprssec.exe
  1220  Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  1220  Explorer.EXE

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID   Process
  1636  drprssec.exe
  1500  svchost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description                 PID   Process
  Token: SeShutdownPrivilege  1220  Explorer.EXE
  Token: SeShutdownPrivilege  1220  Explorer.EXE

Suspicious use of FindShellTrayWindow (6 IoCs)
  PID   Process
  1720  3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
  1636  drprssec.exe
  1220  Explorer.EXE  (4 times)

Suspicious use of SendNotifyMessage (4 IoCs)
  PID   Process
  1720  3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
  1636  drprssec.exe
  1220  Explorer.EXE  (2 times)
Suspicious use of WriteProcessMemory (31 IoCs)
  The 31 rows collapse to eight source/target pairs; "Calls" is the number of rows per pair and
  target process names are taken from the Processes section.
  Source PID  Source process                                                          Target PID  Target process  procid_target  Calls
  1720        3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe    556         cmd.exe         27             4
  556         cmd.exe                                                                 904         cmd.exe         29             4
  904         cmd.exe                                                                 1636        drprssec.exe    30             4
  1636        drprssec.exe                                                            1500        svchost.exe     31             7
  1500        svchost.exe                                                             1220        Explorer.EXE    17             3
  1220        Explorer.EXE                                                            1812        cmd.exe         34             3
  1812        cmd.exe                                                                 1468        nslookup.exe    36             3
  1220        Explorer.EXE                                                            932         cmd.exe         37             3
Processes

Tree as recorded by the sandbox; the leading number is the nesting depth from the report.

1  C:\Windows\Explorer.EXE  (PID 1220)
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe  (PID 1720)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe"
      - Adds Run key to start application
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\cmd.exe  (PID 556)
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF86\FFC3.bat" "C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE""
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\cmd.exe  (PID 904)
            Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE""
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            5  C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe  (PID 1636)
               Command line: "C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE"
               - Executes dropped EXE
               - Deletes itself
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
               - Suspicious use of WriteProcessMemory

               6  C:\Windows\system32\svchost.exe  (PID 1500)
                  Command line: C:\Windows\system32\svchost.exe
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of WriteProcessMemory

   2  C:\Windows\system32\cmd.exe  (PID 1812)
      Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\C2A7.bi1"
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\system32\nslookup.exe  (PID 1468)
         Command line: nslookup myip.opendns.com resolver1.opendns.com

   2  C:\Windows\system32\cmd.exe  (PID 932)
      Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C2A7.bi1"

Reading the tree: the sample (1720) writes the Run key, then runs a batch file (FFC3.bat) through two
cmd.exe layers that launch the copy at AppData\Roaming\cngpput8\drprssec.exe (1636) with the original
path as an argument; that copy deletes the original ("Deletes itself"), starts svchost.exe (1500) and
injects into it, and the injected svchost.exe injects into Explorer.EXE (1220). The two cmd.exe
children of Explorer.EXE (1812 and 932) therefore run the implant's code, not user activity: they
look up the host's public IP via OpenDNS and append it, plus a separator line, to C2A7.bi1 in Temp.
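The tree is only meaningful once the injection hops are folded in: by parent PID alone, nslookup.exe (1468) belongs to Explorer.EXE and looks like user activity. The following is an added example (hand-transcribed from the Processes, SetThreadContext and Run-key rows of this report, not sandbox output) that follows SetThreadContext edges while walking parents so the OpenDNS lookup is attributed back to the sample, ties the Run key value to the re-launched copy, and flags the "what is my IP" command line. Path shortening via the TMP/DROP constants is the only thing not copied verbatim from the report.

```python
"""Attribute activity under an injected process to the injector. Added example;
PROCS, SET_THREAD_CONTEXT and RUN_KEY are transcribed from the sandbox report
above, nothing here is generated by the sandbox."""
import ntpath

SAMPLE = "3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP = r"C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe"

# pid -> (image, parent pid, command line), from the Processes section.
PROCS = {
    1220: ("Explorer.EXE", None, r"C:\Windows\Explorer.EXE"),
    1720: (SAMPLE, 1220, f'"{TMP}\\{SAMPLE}"'),
    556:  ("cmd.exe", 1720, f'cmd /c ""{TMP}\\FF86\\FFC3.bat" "{DROP}" "{TMP}\\3A252A~1.EXE""'),
    904:  ("cmd.exe", 556, f'cmd /C ""{DROP}" "{TMP}\\3A252A~1.EXE""'),
    1636: ("drprssec.exe", 904, f'"{DROP}" "{TMP}\\3A252A~1.EXE"'),
    1500: ("svchost.exe", 1636, r"C:\Windows\system32\svchost.exe"),
    1812: ("cmd.exe", 1220, f'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > {TMP}\\C2A7.bi1"'),
    1468: ("nslookup.exe", 1812, "nslookup myip.opendns.com resolver1.opendns.com"),
    932:  ("cmd.exe", 1220, f'cmd /C "echo -------- >> {TMP}\\C2A7.bi1"'),
}
# (injector pid, target pid) from "Suspicious use of SetThreadContext".
SET_THREAD_CONTEXT = [(1636, 1500), (1500, 1220)]
# (value name, target path, writing pid) from "Adds Run key to start application".
RUN_KEY = ("chtbider", DROP, 1720)

def injection_chain(start):
    """Follow injector -> target edges from `start`, e.g. 1636 -> 1500 -> 1220."""
    nxt = dict(SET_THREAD_CONTEXT)
    chain = [start]
    while chain[-1] in nxt:
        chain.append(nxt[chain[-1]])
    return chain

def origin(pid):
    """Walk up from `pid`. A process that received a SetThreadContext is treated as
    owned by its injector, so the walk jumps to the injector instead of the parent.
    Stops at the root or when a pid repeats (Explorer is both root and victim here)."""
    injected_by = {target: injector for injector, target in SET_THREAD_CONTEXT}
    path, seen = [pid], {pid}
    while True:
        cur = path[-1]
        nxt = injected_by.get(cur) or PROCS[cur][1]
        if nxt is None or nxt in seen:
            return path
        path.append(nxt)
        seen.add(nxt)

def describe(path):
    """Render an origin path, marking injection hops distinctly from parent hops."""
    injected_by = {target: injector for injector, target in SET_THREAD_CONTEXT}
    out = [f"{PROCS[path[0]][0]}({path[0]})"]
    for prev, cur in zip(path, path[1:]):
        arrow = "<=injected by=" if injected_by.get(prev) == cur else "<-"
        out.append(f"{arrow} {PROCS[cur][0]}({cur})")
    return " ".join(out)

def external_ip_checks():
    """PIDs whose command line performs the OpenDNS 'what is my IP' lookup."""
    return sorted(pid for pid, (_, _, cmd) in PROCS.items() if "myip.opendns.com" in cmd.lower())

def run_key_relaunches():
    """PIDs (other than the writer) that executed the image named in the Run key value,
    i.e. the dropped copy the persistence entry will start at next logon."""
    _, target, writer = RUN_KEY
    name = ntpath.basename(target).lower()
    return sorted(pid for pid, (img, _, _) in PROCS.items() if img.lower() == name and pid != writer)

if __name__ == "__main__":
    print("injection chain:", " -> ".join(f"{PROCS[p][0]}({p})" for p in injection_chain(1636)))
    for pid in external_ip_checks():
        print("external IP check:", describe(origin(pid)))
    print("Run key re-launch seen as pid(s):", run_key_relaunches())
```

For nslookup.exe the walk reads nslookup.exe(1468) <- cmd.exe(1812) <- Explorer.EXE(1220) <=injected by= svchost.exe(1500) <=injected by= drprssec.exe(1636) <- cmd.exe(904) <- cmd.exe(556) <- 3a25...exe(1720): the lookup is the sample's, two injection hops removed. In an EDR the same logic applies to any event under Explorer.EXE after the SetThreadContext, which is why the report attributes EnumeratesProcesses and GetForegroundWindowSpam to PID 1220.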
Network
MITRE ATT&CK Enterprise v6
Downloads

Six artefacts are listed; identical entries are collapsed here with the number of times they appear.

1. Filesize: 118B  (listed twice)
   MD5:     4f6429322fdfd711b81d8824b25fcd9c
   SHA1:    f7f917b64dd43b620bacd21f134d430d3c406aec
   SHA256:  d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8
   SHA512:  e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

2. Filesize: 108B  (listed once)
   MD5:     de0bb5b277a11c73e96ac12e9385e92d
   SHA1:    6709de05f3462aff9f9df00fbd08a186c5dff980
   SHA256:  034770653998707ad9ef3f785facb3b7ca0dd2f6ecebb5f16d4b26b79ee09e26
   SHA512:  568519fb3da910a9ab4cd8fabc552888bfa7d1d41670ef09b5235e246b51c75d56d743de18d0f6d860bed80b6be2787be08687744505c2dcd7b076719fadfe43

3. Filesize: 418KB  (listed three times)
   MD5:     b8ea5cdd085bea860fb94bef2fecb6d9
   SHA1:    3788cec204c0f2f6fe674fba85895f99f48a1f23
   SHA256:  3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5
   SHA512:  45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632

The 418KB entries carry exactly the hashes of the submitted target, which is consistent with the
"dropped EXE" at AppData\Roaming\cngpput8\drprssec.exe being a byte-for-byte copy of the sample
rather than a second-stage payload; hunting on the target's SHA256 therefore also covers the
persisted copy. The report does not name the files behind the 118B and 108B entries.