Analysis
-
max time kernel
599s -
max time network
530s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2022 00:07
Static task
static1
Behavioral task
behavioral1
Sample
3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
Resource
win10v2004-20220812-en
General
-
Target
3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
-
Size
418KB
-
MD5
b8ea5cdd085bea860fb94bef2fecb6d9
-
SHA1
3788cec204c0f2f6fe674fba85895f99f48a1f23
-
SHA256
3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5
-
SHA512
45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632
-
SSDEEP
12288:4r7ox3gdRAAzI+L7sCcDIg54qlcepleY:43ox3ghzHsIg2yvU
Malware Config
Extracted
gozi_ifsb
1100
cyajon.at/krp3cmg
hipohook.cn/krp3cmg
rokolero.at/krp3cmg
arexan.at/krp3cmg
voligon.cn/krp3cmg
qwevigoc.at/krp3cmg
comerail.su/krp3cmg
boombom.at/krp3cmg
xiloker.cn/krp3cmg
xorewopa.at/krp3cmg
goinumder.su/krp3cmg
ribomoon.cn/krp3cmg
ambikooly.at/krp3cmg
therepalon.su/krp3cmg
chikoole.cn/krp3cmg
-
build
214837
-
exe_type
worker
-
server_id
110
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3440 audiApis.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe -
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 208.67.222.222 Destination IP 208.67.222.222 Destination IP 208.67.222.222 -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atl1uthz = "C:\\Users\\Admin\\AppData\\Roaming\\clfsgacy\\audiApis.exe" 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 3440 set thread context of 3624 3440 audiApis.exe 89 PID 3624 set thread context of 2984 3624 svchost.exe 39 PID 2984 set thread context of 3424 2984 Explorer.EXE 15 PID 2984 set thread context of 3692 2984 Explorer.EXE 34 PID 2984 set thread context of 4596 2984 Explorer.EXE 31 PID 2984 set thread context of 544 2984 Explorer.EXE 80 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3440 audiApis.exe 3440 audiApis.exe 2984 Explorer.EXE 2984 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2984 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 3440 audiApis.exe 3624 svchost.exe 2984 Explorer.EXE 2984 Explorer.EXE 2984 Explorer.EXE 2984 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeShutdownPrivilege 2984 Explorer.EXE Token: SeCreatePagefilePrivilege 2984 Explorer.EXE Token: SeShutdownPrivilege 3424 RuntimeBroker.exe Token: SeShutdownPrivilege 3424 RuntimeBroker.exe Token: SeShutdownPrivilege 3424 RuntimeBroker.exe Token: SeShutdownPrivilege 2984 Explorer.EXE Token: SeCreatePagefilePrivilege 2984 Explorer.EXE Token: SeShutdownPrivilege 2984 Explorer.EXE Token: SeCreatePagefilePrivilege 2984 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3420 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe 3440 audiApis.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 3420 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe 3440 audiApis.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2984 Explorer.EXE -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 3420 wrote to memory of 2704 3420 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe 83 PID 3420 wrote to memory of 2704 3420 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe 83 PID 3420 wrote to memory of 2704 3420 3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe 83 PID 2704 wrote to memory of 3412 2704 cmd.exe 86 PID 2704 wrote to memory of 3412 2704 cmd.exe 86 PID 2704 wrote to memory of 3412 2704 cmd.exe 86 PID 3412 wrote to memory of 3440 3412 cmd.exe 87 PID 3412 wrote to memory of 3440 3412 cmd.exe 87 PID 3412 wrote to memory of 3440 3412 cmd.exe 87 PID 3440 wrote to memory of 3624 3440 audiApis.exe 89 PID 3440 wrote to memory of 3624 3440 audiApis.exe 89 PID 3440 wrote to memory of 3624 3440 audiApis.exe 89 PID 3440 wrote to memory of 3624 3440 audiApis.exe 89 PID 3440 wrote to memory of 3624 3440 audiApis.exe 89 PID 3624 wrote to memory of 2984 3624 svchost.exe 39 PID 3624 wrote to memory of 2984 3624 svchost.exe 39 PID 3624 wrote to memory of 2984 3624 svchost.exe 39 PID 2984 wrote to memory of 3424 2984 Explorer.EXE 15 PID 2984 wrote to memory of 3424 2984 Explorer.EXE 15 PID 2984 wrote to memory of 3424 2984 Explorer.EXE 15 PID 2984 wrote to memory of 3692 2984 Explorer.EXE 34 PID 2984 wrote to memory of 3692 2984 Explorer.EXE 34 PID 2984 wrote to memory of 3692 2984 Explorer.EXE 34 PID 2984 wrote to memory of 4596 2984 Explorer.EXE 31 PID 2984 wrote to memory of 4596 2984 Explorer.EXE 31 PID 2984 wrote to memory of 4596 2984 Explorer.EXE 31 PID 2984 wrote to memory of 544 2984 Explorer.EXE 80 PID 2984 wrote to memory of 544 2984 Explorer.EXE 80 PID 2984 wrote to memory of 544 2984 Explorer.EXE 80 PID 2984 wrote to memory of 1704 2984 Explorer.EXE 94 PID 2984 wrote to memory of 1704 2984 Explorer.EXE 94 PID 1704 wrote to memory of 2096 1704 cmd.exe 96 PID 1704 wrote to memory of 2096 1704 cmd.exe 96 PID 2984 wrote to memory of 444 2984 Explorer.EXE 97 PID 2984 wrote to memory of 444 2984 Explorer.EXE 97
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4596
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3692
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe"C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EBA2\75D1.bat" "C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE""3⤵
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\cmd.execmd /C ""C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE""4⤵
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe"C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3624
-
-
-
-
-
-
C:\Windows\system32\cmd.execmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2FC6.bi1"2⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com3⤵PID:2096
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2FC6.bi1"2⤵PID:444
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:544
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
118B
MD5ace7e9f29953c4fbd6a930b50f792079
SHA197511e3438221ac9c30944fca7b91e87978c1248
SHA25658b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8
SHA5125dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106
-
Filesize
118B
MD5ace7e9f29953c4fbd6a930b50f792079
SHA197511e3438221ac9c30944fca7b91e87978c1248
SHA25658b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8
SHA5125dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106
-
Filesize
112B
MD55fc401d2a575bc2f2091c704f3dc12c6
SHA1f42d307e59ef42fdfdeef5752fcea5290e320d42
SHA2564fea69b6a9839d8ef7adbbded58f5dbaef7de63c9bcb1181981e1636dbbceb8f
SHA51239964b8c02f9c39f48db87a66d7fde63db21aa4a19aa271aad525a18f4e9408b80e6a08e7a98748352a31f98cd2b8f4b8bba9fe1a3173e69e7e72d5e30c09615
-
Filesize
418KB
MD5b8ea5cdd085bea860fb94bef2fecb6d9
SHA13788cec204c0f2f6fe674fba85895f99f48a1f23
SHA2563a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5
SHA51245dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632
-
Filesize
418KB
MD5b8ea5cdd085bea860fb94bef2fecb6d9
SHA13788cec204c0f2f6fe674fba85895f99f48a1f23
SHA2563a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5
SHA51245dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632