Analysis
-
max time kernel
600s -
max time network
511s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27-10-2022 00:07
Static task
static1
Behavioral task
behavioral1
Sample
42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe
Resource
win10v2004-20220812-en
General
-
Target
42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe
-
Size
437KB
-
MD5
b5f35ddf66046061fe55935b2bb210c8
-
SHA1
1b0cc49bdbc8959938088747c048fc98b8386bad
-
SHA256
42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676
-
SHA512
a7da8abe2f84df3a6317e92abb1b78319a84033853b76bfd4ad2018f1cd59cfcb36f9f2e8d76646b8550b2ef2ec863ae5c775252f48d5b3bf05948903c59c265
-
SSDEEP
6144:nuU4My6j817/7TodFsGN858k31BSZW5lV3QfZ0SHKDGiRX8AeZ+oDsCgu77+YESv:nuuyt7jTodFzjUD5AfZ0cUGW8V6QcAHd
Malware Config
Extracted
gozi_ifsb
1001
-
build
215840
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
exe_type
worker
-
server_id
93
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4996 Appxplua.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\altsangs = "C:\\Users\\Admin\\AppData\\Roaming\\baseeMas\\Appxplua.exe" 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 4996 set thread context of 2676 4996 Appxplua.exe 92 PID 2676 set thread context of 2220 2676 svchost.exe 40 PID 2220 set thread context of 3420 2220 Explorer.EXE 15 PID 2220 set thread context of 3712 2220 Explorer.EXE 35 PID 2220 set thread context of 4708 2220 Explorer.EXE 32 PID 2220 set thread context of 5064 2220 Explorer.EXE 80 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4996 Appxplua.exe 4996 Appxplua.exe 2220 Explorer.EXE 2220 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2220 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 4996 Appxplua.exe 2676 svchost.exe 2220 Explorer.EXE 2220 Explorer.EXE 2220 Explorer.EXE 2220 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeShutdownPrivilege 2220 Explorer.EXE Token: SeCreatePagefilePrivilege 2220 Explorer.EXE Token: SeShutdownPrivilege 2220 Explorer.EXE Token: SeCreatePagefilePrivilege 2220 Explorer.EXE Token: SeShutdownPrivilege 2220 Explorer.EXE Token: SeCreatePagefilePrivilege 2220 Explorer.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2220 Explorer.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 3348 wrote to memory of 3740 3348 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe 88 PID 3348 wrote to memory of 3740 3348 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe 88 PID 3348 wrote to memory of 3740 3348 42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe 88 PID 3740 wrote to memory of 3640 3740 cmd.exe 90 PID 3740 wrote to memory of 3640 3740 cmd.exe 90 PID 3740 wrote to memory of 3640 3740 cmd.exe 90 PID 3640 wrote to memory of 4996 3640 cmd.exe 91 PID 3640 wrote to memory of 4996 3640 cmd.exe 91 PID 3640 wrote to memory of 4996 3640 cmd.exe 91 PID 4996 wrote to memory of 2676 4996 Appxplua.exe 92 PID 4996 wrote to memory of 2676 4996 Appxplua.exe 92 PID 4996 wrote to memory of 2676 4996 Appxplua.exe 92 PID 4996 wrote to memory of 2676 4996 Appxplua.exe 92 PID 4996 wrote to memory of 2676 4996 Appxplua.exe 92 PID 2676 wrote to memory of 2220 2676 svchost.exe 40 PID 2676 wrote to memory of 2220 2676 svchost.exe 40 PID 2676 wrote to memory of 2220 2676 svchost.exe 40 PID 2220 wrote to memory of 3420 2220 Explorer.EXE 15 PID 2220 wrote to memory of 3420 2220 Explorer.EXE 15 PID 2220 wrote to memory of 3420 2220 Explorer.EXE 15 PID 2220 wrote to memory of 3712 2220 Explorer.EXE 35 PID 2220 wrote to memory of 3712 2220 Explorer.EXE 35 PID 2220 wrote to memory of 3712 2220 Explorer.EXE 35 PID 2220 wrote to memory of 4708 2220 Explorer.EXE 32 PID 2220 wrote to memory of 4708 2220 Explorer.EXE 32 PID 2220 wrote to memory of 4708 2220 Explorer.EXE 32 PID 2220 wrote to memory of 5064 2220 Explorer.EXE 80 PID 2220 wrote to memory of 5064 2220 Explorer.EXE 80 PID 2220 wrote to memory of 5064 2220 Explorer.EXE 80
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3420
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4708
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3712
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe"C:\Users\Admin\AppData\Local\Temp\42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3D2C\9E96.bat" "C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\429236~1.EXE""3⤵
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\cmd.execmd /C ""C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\429236~1.EXE""4⤵
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe"C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\429236~1.EXE"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2676
-
-
-
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5064
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
112B
MD5cd0da4581114d8a20394c3118e76219e
SHA159c42dedccb955507aaf07ceac492b428e708298
SHA2569f4a52b0ffa2ad75689899e4e8b7d12edbed27882d920ad7bb85f4a7fc5f50d6
SHA5129e6e8641115cf3cdacf8ce4e836eec4c1330861683c9827ab3705fafc5b0b1dd90f445858221fc736479354de070bc0a3a360cbd44ad2b34f8946824af68d308
-
Filesize
437KB
MD5b5f35ddf66046061fe55935b2bb210c8
SHA11b0cc49bdbc8959938088747c048fc98b8386bad
SHA25642923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676
SHA512a7da8abe2f84df3a6317e92abb1b78319a84033853b76bfd4ad2018f1cd59cfcb36f9f2e8d76646b8550b2ef2ec863ae5c775252f48d5b3bf05948903c59c265
-
Filesize
437KB
MD5b5f35ddf66046061fe55935b2bb210c8
SHA11b0cc49bdbc8959938088747c048fc98b8386bad
SHA25642923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676
SHA512a7da8abe2f84df3a6317e92abb1b78319a84033853b76bfd4ad2018f1cd59cfcb36f9f2e8d76646b8550b2ef2ec863ae5c775252f48d5b3bf05948903c59c265