Analysis

max time kernel: 164s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 23:28

Static task: static1
Behavioral task: behavioral1
  Sample: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
  Resource: win10v2004-20221111-en

General

Target: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
Size: 328KB
MD5: 9362eacaddec77615f128fb7a27c28f7
SHA1: 3f406c83d76cda76e30615cc148f4c53e5a2b4cb
SHA256: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4
SHA512: 72029194b8fd428057e981ace0645f9f5bdf360a6ee52df71601a28aaa093b86226b6e118209f177d2ebac939bd20977660afaca2634c07c155f751cd834e22b
SSDEEP: 6144:BL2gpLRGTHy3D9Kq0q5q2QcZt6p1jCTJHhK8fOk:/AHyhKJP/1mTJ481
Malware Config

Extracted
Family: gozi
1012
lolila.net
vndjtu968488.ru
moriyurw368798.ru
build: 213425
exe_type: worker
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself (1 IoC)
Processes: cmd.exe
  pid | process
  1416 | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhcpprop = "C:\\Windows\\system32\\Audiwcfg.exe" | bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe

Drops file in System32 directory (2 IoCs)
Processes: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
  description | ioc | process
  File created | C:\Windows\system32\Audiwcfg.exe | bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
  File opened for modification | C:\Windows\system32\Audiwcfg.exe | bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8CEA.tmp" | bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
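The Run key, dropped file and wallpaper rows above are the host artifacts worth turning into detection logic. The Python below is an added example, not part of the sandbox report or the sample: it parses the flattened "description ioc process" rows (copied verbatim from the tables above as constructed input) and correlates them, flagging a Run entry whose target the same process had just created under System32, a wallpaper value pointing into %TEMP%, and a key created under Active Setup\Installed Components. The function names `parse_iocs` and `analyse` and the rule names are the example's own choices.

```python
# Added example for this report (not part of the sandbox output or the sample):
# correlate the registry and file IoC rows into findings.
import re

# Constructed input: the flattened "description ioc process" rows from the
# signature tables, one per line, copied as the report renders them.
REPORT_IOCS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhcpprop = "C:\\Windows\\system32\\Audiwcfg.exe" bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
File created C:\Windows\system32\Audiwcfg.exe bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
File opened for modification C:\Windows\system32\Audiwcfg.exe bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8CEA.tmp" bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
"""

# A row is "<description> <target> <process>"; the process is the last token and
# the target may contain spaces (e.g. "My Wallpaper.jpg"), so match it non-greedily.
_ROW = re.compile(
    r"^(?P<desc>Set value \(\w+\)|File created|File opened for modification|Key created)\s+"
    r"(?P<target>.+?)\s+(?P<proc>\S+)$"
)


def parse_iocs(text):
    """Parse flattened IoC rows into dicts with desc, key, data and proc."""
    rows = []
    for line in text.strip().splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # skip anything that is not a recognised row
        desc, target, proc = m.group("desc", "target", "proc")
        key, data = target, None
        if desc.startswith("Set value") and " = " in target:
            key, data = target.split(" = ", 1)
            # REG_SZ data is rendered quoted with doubled backslashes; normalise it.
            data = data.strip('"').replace("\\\\", "\\")
        rows.append({"desc": desc, "key": key, "data": data, "proc": proc})
    return rows


def analyse(rows):
    """Correlate rows into (rule, process, ...) findings."""
    findings = []
    # Files created, keyed by lower-cased path, for drop/persist matching.
    created = {r["key"].lower(): r["proc"] for r in rows if r["desc"] == "File created"}
    for r in rows:
        key_l = r["key"].lower()
        if r["desc"].startswith("Set value") and "\\currentversion\\run\\" in key_l:
            value_name = r["key"].rsplit("\\", 1)[-1]
            path = r["data"] or ""
            # Strongest signal: the same process created the file it now autostarts.
            rule = "drop_and_persist" if created.get(path.lower()) == r["proc"] else "run_key"
            findings.append((rule, r["proc"], value_name, path))
        elif r["desc"].startswith("Set value") and key_l.endswith("\\control panel\\desktop\\wallpaper"):
            p = (r["data"] or "").lower()
            # A wallpaper living in %TEMP% or named *.tmp is not a user's choice.
            if "\\appdata\\local\\temp\\" in p or p.endswith(".tmp"):
                findings.append(("wallpaper_from_temp", r["proc"], r["data"]))
        elif r["desc"] == "Key created" and "\\active setup\\installed components" in key_l:
            # Active Setup is a per-user autostart location; key creation alone is informational.
            findings.append(("active_setup_key", r["proc"], r["key"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_iocs(REPORT_IOCS)):
        print(finding)
```

Creating a file under C:\Windows\system32 needs an elevated token, so the drop-and-persist finding also tells you the sample ran with administrator rights in this run (the profile is C:\Users\Admin); the second wallpaper write, to a file under Pictures, is not flagged by the rule.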
Suspicious use of SetThreadContext (1 IoC)
Processes: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
  description | pid | process | target process
  PID 1912 set thread context of 240 | 1912 | bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe | explorer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (5 IoCs)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
  pid | process
  1912 | bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: explorer.exe
  pid | process
  240 | explorer.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe
  pid | process
  1912 | bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes: explorer.exe, AUDIODG.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 240 | explorer.exe (12 occurrences)
  Token: 33 | 1884 | AUDIODG.EXE (2 occurrences)
  Token: SeIncBasePriorityPrivilege | 1884 | AUDIODG.EXE (2 occurrences)

Suspicious use of FindShellTrayWindow (26 IoCs)
Processes: explorer.exe
  pid | process
  240 | explorer.exe (26 occurrences)

Suspicious use of SendNotifyMessage (22 IoCs)
Processes: explorer.exe
  pid | process
  240 | explorer.exe (22 occurrences)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: explorer.exe
  pid | process
  240 | explorer.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe, cmd.exe
  description | pid | process | target process
  PID 1912 wrote to memory of 240 | 1912 | bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe | explorer.exe (7 occurrences)
  PID 1912 wrote to memory of 1416 | 1912 | bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe | cmd.exe (4 occurrences)
  PID 1416 wrote to memory of 932 | 1416 | cmd.exe | attrib.exe (4 occurrences)

Views/modifies file attributes (1 TTP, 1 IoC)
Processes
C:\Users\Admin\AppData\Local\Temp\bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe (PID 1912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\explorer.exe (PID 240, child of 1912)
    Command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe (PID 1416, child of 1912)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\CC71.bat" "C:\Users\Admin\AppData\Local\Temp\BF77A6~1.EXE""
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (PID 932, child of 1416)
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\BF77A6~1.EXE"
      - Views/modifies file attributes

C:\Windows\system32\AUDIODG.EXE (PID 1884)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x578
  - Suspicious use of AdjustPrivilegeToken
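Two patterns in this process tree are worth detecting on endpoints: the sample spawns C:\Windows\explorer.exe and both writes its memory and sets its thread context (the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures), and it spawns cmd.exe with a .bat from %TEMP% that receives the sample's own 8.3 short path, followed by attrib -r -s -h on that path (the "Deletes itself" signature; the 72-byte batch file's contents are not shown in the report). The Python below is an added example, not from the report: the process and API events are constructed from the tree and signature tables above, and the rule names, the `detect` function and the 8.3 short-name matcher `same_file` are the example's own assumptions. One caveat it encodes: WriteProcessMemory from a parent into a child it just created (1912 into 1416, 1416 into 932 here) is what CreateProcess does for every child and is not flagged on its own; the injection rule also requires SetThreadContext.

```python
# Added example for this report (not part of the sandbox output or the sample):
# detect the injection and self-delete patterns visible in the process tree.
import re
from collections import defaultdict

# Constructed from the process tree and signature tables above:
# (pid, parent pid, image path, command line); parent None = not shown as a child.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bf77a675ea62c179e0ea28567bef6b010a604144acbcccaadfccb28dd7ba95b4.exe"
PROCS = [
    (1912, None, SAMPLE, '"' + SAMPLE + '"'),
    (240, 1912, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    (1416, 1912, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\CC71.bat" "C:\Users\Admin\AppData\Local\Temp\BF77A6~1.EXE""'),
    (932, 1416, r"C:\Windows\SysWOW64\attrib.exe",
     r'attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\BF77A6~1.EXE"'),
    (1884, None, r"C:\Windows\system32\AUDIODG.EXE", r"C:\Windows\system32\AUDIODG.EXE 0x578"),
]
# (api, source pid, target pid), repeated as often as the signature tables count them.
API_EVENTS = (
    [("SetThreadContext", 1912, 240)]
    + [("WriteProcessMemory", 1912, 240)] * 7
    + [("WriteProcessMemory", 1912, 1416)] * 4
    + [("WriteProcessMemory", 1416, 932)] * 4
)


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def same_file(long_path, candidate):
    """True if candidate names the same file as long_path, accepting an 8.3 short
    name such as BF77A6~1.EXE. The ~N suffix is assigned by the file system, so this
    heuristic compares only the directory, the first six stem characters and the
    extension (an assumption of this example, not a full 8.3 resolver)."""
    if _dirname(long_path) != _dirname(candidate):
        return False
    lb, cb = _basename(long_path).upper(), _basename(candidate).upper()
    if lb == cb:
        return True
    m = re.fullmatch(r"([A-Z0-9_]{1,6})~\d+(\.[A-Z0-9]{0,3})?", cb)
    if not m:
        return False
    stem, _, ext = lb.rpartition(".")
    if not stem:                      # long name without an extension
        stem, ext = ext, ""
    stem = re.sub(r"[^A-Z0-9_]", "", stem)   # 8.3 generation drops other characters
    return stem.startswith(m.group(1)) and (m.group(2) or "") == ("." + ext[:3] if ext else "")


def _quoted_args(cmdline):
    return re.findall(r'"([^"]+)"', cmdline)


def detect(procs, api_events):
    """Return findings for parent-to-child injection and batch-file self-deletion."""
    by_pid = {p[0]: p for p in procs}
    writes, ctx = defaultdict(int), set()
    for api, src, dst in api_events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx.add((src, dst))
    findings = []
    # Rule 1: a process spawns a binary from C:\Windows, writes into it and then sets
    # its thread context. WriteProcessMemory alone (1912->1416, 1416->932 here) is what
    # CreateProcess does for every child and is deliberately not enough.
    for src, dst in sorted(ctx):
        child = by_pid.get(dst)
        if child and child[1] == src and writes[(src, dst)] and child[2].lower().startswith("c:\\windows\\"):
            findings.append(("parent_injects_child", src, dst, _basename(child[2])))
    # Rule 2: cmd.exe launched with a .bat and the parent's own path (here as an 8.3
    # name), plus attrib clearing the read-only/system/hidden bits on that same path.
    for pid, ppid, image, cmdline in procs:
        if _basename(image).lower() != "cmd.exe" or ppid not in by_pid:
            continue
        parent_image = by_pid[ppid][2]
        args = _quoted_args(cmdline)
        bats = [a for a in args if a.lower().endswith(".bat")]
        if bats and any(same_file(parent_image, a) for a in args):
            attrib = any(
                c[1] == pid and _basename(c[2]).lower() == "attrib.exe"
                and any(same_file(parent_image, a) for a in _quoted_args(c[3]))
                for c in procs
            )
            findings.append(("self_delete_batch", ppid, pid, bats[0], attrib))
    return findings


if __name__ == "__main__":
    for finding in detect(PROCS, API_EVENTS):
        print(finding)
```

On the report's events this yields one injection finding (1912 into explorer.exe, PID 240) and one self-delete finding (cmd.exe 1416 with CC71.bat, attrib confirmed); the parent-to-child writes into cmd.exe and attrib.exe produce nothing, which is the intended behaviour for a rule that has to run against ordinary process creation.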
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\8CEA.tmp
  Filesize: 3.5MB
  MD5: 87fcea1a5a0eaace936d98069a699a03
  SHA1: e4d57c552d5660d707c514eb844d3a1cd97a8946
  SHA256: e84940f75209d30f5f2f16472b2748c537cde3331aa97aa2385c3966869734b6
  SHA512: b8ae517a2d9e5632ccdcff08d5e721b120346f3f298113390bc582aafc3a12d703010b316890d690d542f8cf54383d68fed28b38b4efa8b325d5f7d00e6548a1

C:\Users\Admin\AppData\Local\Temp\CC71.bat
  Filesize: 72B
  MD5: 7eaaf15b9b0900b72a136036727c1754
  SHA1: 973afa7d00a0f5d456811b6f914d7c7b91adf3fe
  SHA256: a8325ebb8808291659830d82e7d3dee425db08f44281ae0088fadb5c553f9159
  SHA512: d1afb0825216538b2599696013982fdaf95e1c8446c0858ced886e2046960a4bfbdab14e0db358ad4e6445430c9b1c281c7213c9face10672eafbf9a5533d796

Memory dumps
  memory/240-57-0x0000000000000000-mapping.dmp
  memory/240-58-0x000007FEFB5A1000-0x000007FEFB5A3000-memory.dmp (Filesize: 8KB)
  memory/240-59-0x0000000001B60000-0x0000000001BC8000-memory.dmp (Filesize: 416KB)
  memory/240-65-0x0000000002F00000-0x0000000002F10000-memory.dmp (Filesize: 64KB)
  memory/932-64-0x0000000000000000-mapping.dmp
  memory/1416-61-0x0000000000000000-mapping.dmp
  memory/1912-54-0x0000000076041000-0x0000000076043000-memory.dmp (Filesize: 8KB)
  memory/1912-55-0x0000000000610000-0x000000000064A000-memory.dmp (Filesize: 232KB)
  memory/1912-56-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)
  memory/1912-62-0x0000000000400000-0x0000000000472000-memory.dmp (Filesize: 456KB)