Analysis
max time kernel: 159s
max time network: 50s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 23:06
Static task: static1
Behavioral task: behavioral1
  Sample: fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe
  Resource: win10v2004-20221111-en
General
Target: fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe
Size: 348KB
MD5: 40cd2fec7ef2cada01d56afbae18015b
SHA1: 512de247dbceb55babbf55e9d0945810f389674d
SHA256: fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9
SHA512: 9af87fcd4a625ba6d86dd3211b5bcfaab6eef3d5e013e0be179ed1021dffcfe9cf2720127a8466e1d1f7391c227397f31fc5cbb9369443fe1c8f7168d7b623fc
SSDEEP: 6144:N4e0DLTDAOtoPvUHxXhDOOq/GS86H8jZ3alw5ZuMdRdEx7RzrgM:ueOL/36vwXIOq/GVdGw5QMNk71z
Malware Config
Extracted: gozi
  1012
  lolila.net
  vndjtu968488.ru
  moriyurw368798.ru
  build: 213459
  exe_type: worker
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself (1 IoCs)
Processes:
  pid | process
  2000 | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\apdsager = "C:\\Windows\\system32\\cmicmf32.exe" | fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\system32\cmicmf32.exe | fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe
  File opened for modification | C:\Windows\system32\cmicmf32.exe | fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\A941.tmp" | fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 1076 set thread context of 1952 | 1076 | fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (5 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid | process
  1076 | fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  1952 | explorer.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid | process
  1076 | fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1952 | explorer.exe (12 entries)
  Token: 33 | 1336 | AUDIODG.EXE (2 entries)
  Token: SeIncBasePriorityPrivilege | 1336 | AUDIODG.EXE (2 entries)

Suspicious use of FindShellTrayWindow (29 IoCs)
Processes:
  pid | process
  1952 | explorer.exe (29 entries)

Suspicious use of SendNotifyMessage (19 IoCs)
Processes:
  pid | process
  1952 | explorer.exe (19 entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  1952 | explorer.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description | pid | process | target process
  PID 1076 wrote to memory of 1952 | 1076 | fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe | explorer.exe (7 entries)
  PID 1076 wrote to memory of 2000 | 1076 | fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe | cmd.exe (4 entries)
  PID 2000 wrote to memory of 1092 | 2000 | cmd.exe | attrib.exe (4 entries)

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc7ba1d4f3c922bb95e1c80c65c3a4de6564f19379e28b287808e4f4c5ea36f9.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\13FC.bat" "C:\Users\Admin\AppData\Local\Temp\FC7BA1~1.EXE""
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\FC7BA1~1.EXE"
      - Views/modifies file attributes

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x5a0
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\13FC.bat
  Filesize: 72B
  MD5: 242e1e0d315f2167417cc90e884fa103
  SHA1: d7de966b2699db87752f499e38e487aa1cc3d973
  SHA256: ae202763640cda6e8aef18dceeb8e1c09fc8dbb8a623f7a2fe976e41f6d8bfde
  SHA512: d16c2ed896ab5f110faf6112527ed3d577de168c1ad6bfa69b190fadf708859dba137775991ec60e52cc68af85a0490f9c0f5bd27c2a9cde2f62af8b5e54d36f

C:\Users\Admin\AppData\Local\Temp\A941.tmp
  Filesize: 3.5MB
  MD5: 1fa69f624f25402fb09d76cbb8772177
  SHA1: 658e9405947bc127af665bbb465d147e9397140e
  SHA256: bb2684d401551006b3f1ddd864c574ddbaab0b7643ff883a4cf085b812f64d22
  SHA512: 490cf7c076a0089b203fb9ccb305a133f59cf7932c5c47cfb2751c4d65aecbe5017881a95f5184111650b7829628466fcd10c781d68f5ebd83a9e971df0bfc00

memory/1076-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp
  Filesize: 8KB

memory/1076-55-0x0000000000240000-0x0000000000279000-memory.dmp
  Filesize: 228KB

memory/1076-56-0x0000000000400000-0x0000000000478000-memory.dmp
  Filesize: 480KB

memory/1076-61-0x0000000000400000-0x0000000000478000-memory.dmp
  Filesize: 480KB

memory/1092-64-0x0000000000000000-mapping.dmp

memory/1952-57-0x0000000000000000-mapping.dmp

memory/1952-58-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp
  Filesize: 8KB

memory/1952-59-0x00000000002D0000-0x0000000000338000-memory.dmp
  Filesize: 416KB

memory/1952-65-0x0000000002D20000-0x0000000002D30000-memory.dmp
  Filesize: 64KB

memory/2000-62-0x0000000000000000-mapping.dmp