Analysis
- max time kernel: 149s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2022 13:52
Static task: static1

Behavioral task: behavioral1
- Sample: 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
- Resource: win7-20220901-en

Behavioral task: behavioral2
- Sample: 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
- Resource: win10v2004-20220901-en
General
- Target: 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
- Size: 314KB
- MD5: e0e2f137d0ef1d11048e17939d8cbde2
- SHA1: f38131561bb462dece03f2733c5038013ecce24c
- SHA256: 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f
- SHA512: 7d6c4e6e22182d51cd19194e76a9bb31960072b68bc7f986a00cf5bd7a90f06f47017de090074e18f84fbb8c4790ca1fecbff57fdfb9bbe4557ebd4fbb221671
- SSDEEP: 6144:d5LMc6W0CMk2TBqx8p1668QblbUebV5k2FiZRX7Zp7j9:rT6tC72Tsx8p166xFbVCuiZZv7j
Malware Config

Extracted
- family: gozi

Extracted
- family: gozi
- 1010
- build: 212578
- exe_type: worker
- server_id: 30
Signatures

- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

- Deletes itself (1 IoC)
  Processes:
    pid | process
    464 | cmd.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dpmoprov = "C:\\Windows\\system32\\cmstwave.exe" | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

- Drops file in System32 directory (2 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\system32\cmstwave.exe | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
    File created | C:\Windows\system32\cmstwave.exe | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29A6.bin" | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description | pid | process | target process
    PID 2032 set thread context of 2016 | 2032 | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
    PID 2016 set thread context of 676 | 2016 | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe | explorer.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies registry class (5 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid | process
    2016 | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid | process
    2016 | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes (identical entries collapsed, count in the last column):
    description | pid | process | count
    Token: SeShutdownPrivilege | 676 | explorer.exe | 12
    Token: 33 | 1612 | AUDIODG.EXE | 2
    Token: SeIncBasePriorityPrivilege | 1612 | AUDIODG.EXE | 2

- Suspicious use of FindShellTrayWindow (31 IoCs)
  Processes (identical entries collapsed):
    pid | process | count
    676 | explorer.exe | 31

- Suspicious use of SendNotifyMessage (21 IoCs)
  Processes (identical entries collapsed):
    pid | process | count
    676 | explorer.exe | 21

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | process
    676 | explorer.exe

- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (identical entries collapsed, count in the last column):
    description | pid | process | target process | count
    PID 2032 wrote to memory of 2016 | 2032 | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe | 11
    PID 2016 wrote to memory of 676 | 2016 | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe | explorer.exe | 7
    PID 2016 wrote to memory of 464 | 2016 | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe | cmd.exe | 4
    PID 464 wrote to memory of 1520 | 464 | cmd.exe | attrib.exe | 4

- Views/modifies file attributes (1 TTP, 1 IoC)
Processes

- C:\Users\Admin\AppData\Local\Temp\9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe"
    - Adds Run key to start application
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - C:\Windows\explorer.exe
      Command line: C:\Windows\explorer.exe
      - Modifies Installed Components in the registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6872.bat" "C:\Users\Admin\AppData\Local\Temp\9D9F24~1.EXE""
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\9D9F24~1.EXE"
        - Views/modifies file attributes

- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x5a4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\29A6.bin
  Filesize: 3.5MB
  MD5: a4e2f065172a7712493a8139333e72f7
  SHA1: 89a8e1f6d05d6bd4f4e214cdfecfd4ec27cfd4c0
  SHA256: c235684e03276a29e64e80b24ea5033eddca906984bc79fb56ccde0e9da1e0be
  SHA512: 3e86b4f5ab50bdafab05f2d1a39f5d4f2a82ede3c9c9921c4e38e7462a4c818d1da213aa370270b6f8022ab42d6379e38cf41bb206f07e6bed710e9f544f624c

- C:\Users\Admin\AppData\Local\Temp\6872.bat
  Filesize: 72B
  MD5: 36120446dbe4456d6a92c9d1b4e3f9f9
  SHA1: b29949d121eb55a11b58c1fa33b4e7fa796681a7
  SHA256: e343c858c794f0acc7247739aab57f04ff323c5792e5923ccbc1aae52e3f2ad3
  SHA512: 3713f2f958cf3c964f8598751f2a639168e85fca5e75a78a7bf8580a29f2a35e0c626b6ea230a4c476a8cb51120d5113e28606bcdc5090b330cd39c6a3b437c2

- memory/464-73-0x0000000000000000-mapping.dmp
- memory/676-68-0x0000000000000000-mapping.dmp
- memory/676-71-0x00000000001F0000-0x0000000000276000-memory.dmp (Filesize: 536KB)
- memory/676-69-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp (Filesize: 8KB)
- memory/1520-75-0x0000000000000000-mapping.dmp
- memory/2016-66-0x00000000766D1000-0x00000000766D3000-memory.dmp (Filesize: 8KB)
- memory/2016-54-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/2016-67-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/2016-63-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/2016-64-0x000000000040110F-mapping.dmp
- memory/2016-70-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/2016-61-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/2016-60-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/2016-59-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/2016-57-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/2016-55-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)