Analysis
- max time kernel: 154s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2022 02:55
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
  Resource: win7-20220812-en
- Behavioral task: behavioral2
  Sample: d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
  Resource: win10v2004-20220812-en

The process, signature and memory data on this page come from the Windows 7 x64 run (behavioral1, resource win7-20220812-en, as stated under Analysis).
General
- Target: d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
- Size: 359KB
- MD5: a5d00f4f2dc2a70f41f9078e954fa3f7
- SHA1: 66c366e18ad670127108367df79398f524de28c3
- SHA256: d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73
- SHA512: 62d0d67923bd1d3ee55377a5c97beae3bc89a22abba1497710261a60514e104c657b4635286c320e6510416ba678a2bd8aa62c97095c3807ed28935bdf6be8ee
- SSDEEP: 6144:WiYJpJ1cY/d6fV7QTBpbbFzYyIHuoEUOckLiVfxbW3y2BNmm8:uJr9l65QTbbb93GuoExHLiVfeNx
Malware Config
Extracted family: gozi
- 1010 (numeric identifier shown by the extractor; the report does not label the field)
- C2 URLs (all nine share the path /geodata/version/ip2ext):
  lan.hayloindigo.com/geodata/version/ip2ext
  sys.jacentacobb.com/geodata/version/ip2ext
  bot.wakeandbakealldaylong.com/geodata/version/ip2ext
  adm.cutmedic.com/geodata/version/ip2ext
  lansystemstat.com/geodata/version/ip2ext
  highnetwork.pw/geodata/version/ip2ext
  lostnetwork.in/geodata/version/ip2ext
  sysconnections.net/geodata/version/ip2ext
  lansupports.com/geodata/version/ip2ext
- exe_type: worker
- server_id: 30
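The C2 list above is the part of this report most directly usable on the network side. The following is an added example, not part of the sandbox report or of any Gozi tooling: it parses the extracted entries into host and URI path, confirms that they share one check-in path, and emits a DNS blocklist plus one Suricata HTTP rule per host. The rule SIDs, the msg text and the decision to match the URI as a prefix are assumptions made here.

```python
"""Added example (not from the report): turn the extracted Gozi C2 list into
network detections. Rule SIDs, the msg text and the prefix match on the URI
are assumptions made for this example."""
from urllib.parse import urlsplit

# C2 entries exactly as extracted in the report's Malware Config section
C2_ENTRIES = [
    "lan.hayloindigo.com/geodata/version/ip2ext",
    "sys.jacentacobb.com/geodata/version/ip2ext",
    "bot.wakeandbakealldaylong.com/geodata/version/ip2ext",
    "adm.cutmedic.com/geodata/version/ip2ext",
    "lansystemstat.com/geodata/version/ip2ext",
    "highnetwork.pw/geodata/version/ip2ext",
    "lostnetwork.in/geodata/version/ip2ext",
    "sysconnections.net/geodata/version/ip2ext",
    "lansupports.com/geodata/version/ip2ext",
]


def parse_c2(entry):
    """Split 'host/path' into (host, path). The entries carry no scheme, so one
    is prepended purely so that urlsplit assigns the host and path fields."""
    parts = urlsplit("http://" + entry.strip())
    return parts.hostname, parts.path or "/"


def common_uri(entries):
    """Return the URI path shared by every entry, or None if they differ."""
    paths = {parse_c2(e)[1] for e in entries}
    return paths.pop() if len(paths) == 1 else None


def dns_blocklist(entries):
    """Deduplicated, sorted hostnames for a DNS sinkhole or firewall list."""
    return sorted({parse_c2(e)[0] for e in entries})


def suricata_rules(entries, sid_base=9000001):
    """One HTTP rule per C2 host. The URI is matched as a prefix (startswith)
    because the extracted value is the check-in path and the client may append
    further data to it. http.host is already normalised to lower case by
    Suricata, so no nocase modifier is used on it."""
    rules = []
    for i, entry in enumerate(entries):
        host, path = parse_c2(entry)
        rules.append(
            'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Gozi C2 check-in to {host}"; flow:established,to_server; '
            f'http.host; content:"{host}"; '
            f'http.uri; content:"{path}"; startswith; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    print("shared URI:", common_uri(C2_ENTRIES))
    print("\n".join(dns_blocklist(C2_ENTRIES)))
    print("\n".join(suricata_rules(C2_ENTRIES)))
```

Because every entry resolves to the same path, a single URI-only rule would also work as a fallback for hosts that rotate out of this list; the per-host rules above are the higher-confidence form.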
Signatures
- Windows security bypass
  Process: d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe (PID 1992)
  IoC: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe = "0"
  The sample adds its own dropped copy to the Defender path-exclusion list before that copy is launched. The signature names for this IoC and for "Windows security modification" below were missing next to the IoC in the extracted text and are taken from the process tree on this page.
- Executes dropped EXE (1 IoCs)
  Process: bitsprx3.exe, PID 604
- Loads dropped DLL (2 IoCs)
  Process: cmd.exe, PID 844 (two load events)
- Windows security modification
  Process: d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe (PID 1992)
  IoC: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe = "0" (the same registry write as under "Windows security bypass")
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe (PID 1992)
  IoC: Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\C_ISroxy = "C:\\Users\\Admin\\AppData\\Roaming\\authyApi\\bitsprx3.exe"
  Per-user Run-key persistence. The value name C_ISroxy and the folder name authyApi are usable host IoCs, and the Run-key target is the same file that was just excluded from Defender scanning.
- Enumerates physical storage devices (1 TTPs)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
  Caveat: that sentence is the generic description attached to this heuristic signature. The extracted configuration identifies the family as gozi, a banking trojan/loader, so the ransomware wording should not be read as a verdict on this sample.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Process: d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe, PID 1992
  Token: SeTakeOwnershipPrivilege
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 1992 d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
  PID 604 bitsprx3.exe
  Both the dropper and its copy unmap their own main image, which is consistent with a packed executable replacing its on-disk image in memory with the unpacked payload (compare the two different-sized dumps at base 0x400000 for PID 1992 under Memory dumps).
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1992 d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe -> PID 1516 cmd.exe (4 writes)
  PID 1516 cmd.exe -> PID 844 cmd.exe (4 writes)
  PID 844 cmd.exe -> PID 604 bitsprx3.exe (4 writes)
  Every write goes from a parent into the child it has just created, in groups of four, a pattern consistent with ordinary process creation (the parent populating the new child) rather than injection into an unrelated, already-running process. On its own this signature therefore does not indicate code injection here.
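The two registry IoCs above (a Defender path exclusion written by a user-land process, and a Run key pointing into %APPDATA%) are the part of this report a detection engineer would turn into a rule, and the strongest signal is their combination: the same process excludes exactly the file it makes persistent. The block below is an added example, not part of the sandbox report: it runs that logic over constructed Sysmon-style Event ID 13 (RegistryEvent, value set) records. Sysmon writes \REGISTRY\MACHINE as HKLM and \REGISTRY\USER as HKU, which is why the targets below are spelled that way. The record layout, the two benign noise events and the DEFENDER_WRITERS allow-list are assumptions.

```python
"""Added example (not part of the sandbox report): detect the Defender-exclusion
write and the Run-key persistence from this report, and correlate them, over
constructed Sysmon-style Event ID 13 records. Record layout, noise events and
the DEFENDER_WRITERS allow-list are assumptions."""
import re
from dataclasses import dataclass

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe")
USER_SID = "S-1-5-21-999675638-2867687379-27515722-1000"
RUN_KEY = "HKU\\" + USER_SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed records: (pid, image, target_object, details). The first two mirror
# the report's IoCs; the last two are benign noise that must not alert.
SAMPLE_EVENTS = [
    (1992, SAMPLE_EXE,
     r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
     r"\C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe",
     "DWORD (0x00000000)"),
    (1992, SAMPLE_EXE, RUN_KEY + r"\C_ISroxy",
     r"C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe"),
    (1200, r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2209.7-0\MsMpEng.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\SQLData",
     "DWORD (0x00000000)"),
    (3300, r"C:\Program Files\Vendor\setup.exe", RUN_KEY + r"\VendorTray",
     r"C:\Program Files\Vendor\tray.exe"),
]

EXCLUSION_RE = re.compile(
    r"\\Windows Defender\\Exclusions\\(?:Paths|Processes|Extensions)\\(.+)$", re.I)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\|\\Users\\Public\\", re.I)
# Processes expected to maintain Defender exclusions (assumption; tune per estate)
DEFENDER_WRITERS = {"msmpeng.exe", "mpcmdrun.exe"}


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str
    detail: str


def detect(events):
    """Alert on exclusion writes by untrusted images, Run keys into user-writable
    paths, and the correlation of both for the same process."""
    alerts = []
    excluded_by_pid = {}     # pid -> {excluded path, lower-cased}
    run_targets_by_pid = {}  # pid -> {Run-key target, lower-cased}
    for pid, image, target, details in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        m = EXCLUSION_RE.search(target)
        if m:
            excluded = m.group(1)
            excluded_by_pid.setdefault(pid, set()).add(excluded.lower())
            if exe not in DEFENDER_WRITERS:
                alerts.append(Alert(pid, "defender_exclusion_by_untrusted_process",
                                    f"{exe} excluded {excluded}"))
            continue
        if RUN_KEY_RE.search(target):
            # Run-key data is a command line; drop surrounding quotes before comparing.
            run_target = details.strip().strip('"').lower()
            run_targets_by_pid.setdefault(pid, set()).add(run_target)
            if USER_WRITABLE_RE.search(details):
                value_name = target.rsplit("\\", 1)[-1]
                alerts.append(Alert(pid, "run_key_to_user_writable_path",
                                    f"{exe} set {value_name} = {details}"))
    # The report's tell-tale: one process excludes the very file it made persistent.
    for pid in excluded_by_pid.keys() & run_targets_by_pid.keys():
        for path in excluded_by_pid[pid] & run_targets_by_pid[pid]:
            alerts.append(Alert(pid, "exclusion_covers_persistence_target", path))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The allow-list deliberately does not include powershell.exe: exclusions added through Add-MpPreference are a common attacker path, and they are written on behalf of the caller, so the image to trust is the Defender service, not the scripting host.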
Processes
1. C:\Users\Admin\AppData\Local\Temp\d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe (PID 1992)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe"
   - Windows security bypass
   - Windows security modification
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 1516)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\9AD7\5417.bat" "C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe" "C:\Users\Admin\AppData\Local\Temp\D85A94~1.EXE""
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 844)
         Command line: cmd /C ""C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe" "C:\Users\Admin\AppData\Local\Temp\D85A94~1.EXE""
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe (PID 604)
            Command line: "C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe" "C:\Users\Admin\AppData\Local\Temp\D85A94~1.EXE"
            - Executes dropped EXE
            - Suspicious use of UnmapMainImage

Notes on the tree: PIDs are taken from the IoC tables above. The sample spawns the 32-bit C:\Windows\SysWOW64\cmd.exe, matching the arch:x86 resource tag. D85A94~1.EXE is the 8.3 short name of the submitted sample in %TEMP%. The chain is a self-relocation: the dropper writes a 108-byte batch file (5417.bat), which starts the copy in %APPDATA%\authyApi\bitsprx3.exe and passes it the path of the original executable as its only argument; the copy has the same hashes as the original (see Downloads).
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9AD7\5417.bat
  Filesize: 108B
  MD5: eebd0461c3f577d675fdbc22dfa50b5f
  SHA1: 5b1846cdc6d1d158db07987a95dd82d2c6e3e294
  SHA256: 4edb2686c037a315a97e5e3c2451e84cc06874f8ce772c9e8073a5c732da4bea
  SHA512: c926aaf4f7b2167a935036ea04597a85a3a3c68d13a20cb383464a8d90b47515f1ba47eb6285f3e063cc221b908730877caf4225c6facb91b429436fb79cf90c
- C:\Users\Admin\AppData\Roaming\authyApi\bitsprx3.exe (listed four times in the report, twice with and twice without the C: drive prefix, all with identical hashes; one entry kept here)
  Filesize: 359KB
  MD5: a5d00f4f2dc2a70f41f9078e954fa3f7
  SHA1: 66c366e18ad670127108367df79398f524de28c3
  SHA256: d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73
  SHA512: 62d0d67923bd1d3ee55377a5c97beae3bc89a22abba1497710261a60514e104c657b4635286c320e6510416ba678a2bd8aa62c97095c3807ed28935bdf6be8ee
  These hashes match the submitted sample under General: bitsprx3.exe is a byte-for-byte copy of the dropper, so hash-based detection of the original also covers the persisted copy.
Memory dumps
- memory/604-67-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
- memory/604-64-0x0000000000000000-mapping.dmp
- memory/844-60-0x0000000000000000-mapping.dmp
- memory/1516-57-0x0000000000000000-mapping.dmp
- memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp  Filesize: 8KB
- memory/1992-58-0x0000000000400000-0x0000000000439000-memory.dmp  Filesize: 228KB
- memory/1992-56-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
- memory/1992-55-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB

The sizes follow from the address ranges (0x5E000 = 376KB, 0x39000 = 228KB, 0x2000 = 8KB). In PID 1992 the region at image base 0x400000 is dumped at two different sizes (0x45E000 in dumps 55 and 56, 0x439000 in dump 58): if the numeric suffix is the dump order, the mapping at the same base changed between dumps, which is consistent with the UnmapMainImage signature (the original image unmapped and a different image mapped in its place). The copy in PID 604 shows the same 0x45E000-sized image as the original, as expected for an identical file.