Analysis
- max time kernel: 170s
- max time network: 225s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 15:47

Static task: static1
Behavioral task: behavioral1
- Sample: e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe
- Resource: win7-20221111-en
General
- Target: e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe
- Size: 251KB
- MD5: 5a2464dd8d358eae6a7c4e3f34e2c397
- SHA1: 05bba1190ef667f51057f90b957ee1563bf1c0ee
- SHA256: e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a
- SHA512: 93b528c9467413de1be7c798258aae93b1880ca2c2ea39d05594017b97e383edac7ff069a2f13d6b447658758a9c26632578e07a3289a5af68a06ec96168dc6e
- SSDEEP: 6144:4m6TcxBf15vI3hGYFaOH7j7eF3uREWRKRU1z:44xpQwYFa0H7exiNR1z
Malware Config
Extracted: gozi
- 1000
- 178.33.145.49/adwordsdata/dropbox/xxx
- exe_type: worker
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)

Deletes itself (1 IoC)
Processes:
- PID 1900 cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmstLSys = "C:\\Windows\\system32\\crtdript.exe" (e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe)

Drops file in System32 directory (2 IoCs)
Processes:
- File created: C:\Windows\system32\crtdript.exe (e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe)
- File opened for modification: C:\Windows\system32\crtdript.exe (e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1496 (e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe) set thread context of PID 268 (explorer.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (5 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings (explorer.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
- PID 1496 e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 268 explorer.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- PID 1496 e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
- Token: SeShutdownPrivilege, PID 268 explorer.exe (12 occurrences)
- Token: 33, PID 1948 AUDIODG.EXE (2 occurrences)
- Token: SeIncBasePriorityPrivilege, PID 1948 AUDIODG.EXE (2 occurrences)

Suspicious use of FindShellTrayWindow (28 IoCs)
Processes:
- PID 268 explorer.exe (28 occurrences)

Suspicious use of SendNotifyMessage (18 IoCs)
Processes:
- PID 268 explorer.exe (18 occurrences)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 268 explorer.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
- PID 1496 (e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe) wrote to memory of PID 268 (explorer.exe) (7 occurrences)
- PID 1496 (e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe) wrote to memory of PID 1900 (cmd.exe) (4 occurrences)
- PID 1900 (cmd.exe) wrote to memory of PID 1112 (attrib.exe) (4 occurrences)

Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe (PID 1496)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (PID 268)
    Command line: "C:\Windows\explorer.exe"
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 1900)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7259069.bat" "C:\Users\Admin\AppData\Local\Temp\e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe""
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 1112)
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\e351ae6323af450d16c9627ef112df268635fe9a16d20fd7e14c9e9e36ed0a3a.exe"
      - Views/modifies file attributes
- C:\Windows\system32\AUDIODG.EXE (PID 1948)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x590
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7259069.bat
  Filesize: 72B
  MD5: 2c2493054901b32b0b03c5ea36b597ed
  SHA1: 69e949d5bbf7717201a68121ace99b00f87c61a8
  SHA256: 61fc412b8374cee11b383fd6e045c7b958d09c82fc9f717663002145ffb9dc45
  SHA512: 3bdf9b76137e316cf59f37f7b6643a1d0051c05b0eb226b21ddbdf3612265adb1ca418044b4950a35f6a104c181dec04bc2cadecd041f12779e30dc7bf3dd9ab
Memory dumps
- memory/268-57-0x0000000000000000-mapping.dmp
- memory/268-59-0x00000000001E0000-0x0000000000249000-memory.dmp (Filesize: 420KB)
- memory/268-61-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmp (Filesize: 8KB)
- memory/268-65-0x00000000001E0000-0x0000000000249000-memory.dmp (Filesize: 420KB)
- memory/1112-64-0x0000000000000000-mapping.dmp
- memory/1496-54-0x0000000000220000-0x0000000000223000-memory.dmp (Filesize: 12KB)
- memory/1496-55-0x0000000076391000-0x0000000076393000-memory.dmp (Filesize: 8KB)
- memory/1496-56-0x0000000000400000-0x0000000000BC5000-memory.dmp (Filesize: 7.8MB)
- memory/1496-58-0x0000000000220000-0x0000000000223000-memory.dmp (Filesize: 12KB)
- memory/1496-60-0x0000000000400000-0x0000000000BC5000-memory.dmp (Filesize: 7.8MB)
- memory/1900-62-0x0000000000000000-mapping.dmp