Analysis
-
max time kernel
151s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
29-10-2022 02:55
Static task
static1
Behavioral task
behavioral1
Sample
d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
Resource
win10v2004-20220812-en
General
-
Target
d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe
-
Size
359KB
-
MD5
a5d00f4f2dc2a70f41f9078e954fa3f7
-
SHA1
66c366e18ad670127108367df79398f524de28c3
-
SHA256
d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73
-
SHA512
62d0d67923bd1d3ee55377a5c97beae3bc89a22abba1497710261a60514e104c657b4635286c320e6510416ba678a2bd8aa62c97095c3807ed28935bdf6be8ee
-
SSDEEP
6144:WiYJpJ1cY/d6fV7QTBpbbFzYyIHuoEUOckLiVfxbW3y2BNmm8:uJr9l65QTbbb93GuoExHLiVfeNx
Malware Config
Extracted
gozi
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adprlg32 = "C:\\Users\\Admin\\AppData\\Roaming\\BTAGdlet\\aadtorui.exe" d85a9488a8042b3dd5fef96447ad97ce13be651ff44e61ef169983262c3fcf73.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.