Analysis
- max time kernel: 2s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 03:04
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 32b415619fa55b18681cf71becec927a8d51e47e9005699808a8dfee0f1e85eb.exe
  - Resource: win7-20221111-en
General
- Target: 32b415619fa55b18681cf71becec927a8d51e47e9005699808a8dfee0f1e85eb.exe
- Size: 519KB
- MD5: bb58a8b53de601ea988fd59a3936269c
- SHA1: d5dd36f0c049674d4e9543e4029d0b5c93190635
- SHA256: 32b415619fa55b18681cf71becec927a8d51e47e9005699808a8dfee0f1e85eb
- SHA512: eca79e2bd5c95de2d4ffeb338dd4ed3e8282155aa39236e401fc10c047a53f3448a0abeb660bfa16a3422c3a7d5d01a3cfe3afabc720b8a1d300ab262065a6a6
- SSDEEP: 12288:hq054W6lCMdPpHYk6qHeitmW0sTl0c8DdxLPbV:AG6hnHL6ngjbvyTV
Malware Config
- Extracted: gozi
Signatures
- Deletes itself (1 IoCs)
  Processes:

  | pid | process |
  |---|---|
  | 1488 | cmd.exe |

- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:

  | description | ioc | process |
  |---|---|---|
  | File opened for modification | \??\PHYSICALDRIVE0 | 32b415619fa55b18681cf71becec927a8d51e47e9005699808a8dfee0f1e85eb.exe |

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes:

  | pid | process |
  |---|---|
  | 2032 | 32b415619fa55b18681cf71becec927a8d51e47e9005699808a8dfee0f1e85eb.exe |

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:

  | description | pid | process | target process | entries |
  |---|---|---|---|---|
  | PID 2032 wrote to memory of 1488 | 2032 | 32b415619fa55b18681cf71becec927a8d51e47e9005699808a8dfee0f1e85eb.exe | cmd.exe | 4 |
  | PID 1488 wrote to memory of 1360 | 1488 | cmd.exe | attrib.exe | 4 |

- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\32b415619fa55b18681cf71becec927a8d51e47e9005699808a8dfee0f1e85eb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\32b415619fa55b18681cf71becec927a8d51e47e9005699808a8dfee0f1e85eb.exe"
  PID: 2032
  Signatures:
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\BD28.bat" "C:\Users\Admin\AppData\Local\Temp\32B415~1.EXE""
    PID: 1488
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\32B415~1.EXE"
      PID: 1360
      Signatures:
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\BD28.bat
  - Filesize: 72B
  - MD5: b72dc5255b6c7891ed183d4bb51f5980
  - SHA1: d8812362239b8417fe035556d38e5c1c637085fa
  - SHA256: f6220172fb87849846593e876b305ce681498601b174dd20fee136b8a5dd5d56
  - SHA512: c3e12ee17e682bf189004b39d8f217c7d81e45465df8d1c8c109c902ec5d1f884c54d13946ee385f7a28ccca2671f3da172f5342a77511b4e7f1460889ff7a07
- memory/1360-64-0x0000000000000000-mapping.dmp
- memory/1488-60-0x0000000000000000-mapping.dmp
- memory/2032-54-0x00000000753F1000-0x00000000753F3000-memory.dmp
  - Filesize: 8KB
- memory/2032-55-0x0000000000380000-0x0000000000392000-memory.dmp
  - Filesize: 72KB
- memory/2032-61-0x0000000000220000-0x000000000025E000-memory.dmp
  - Filesize: 248KB
- memory/2032-62-0x0000000000400000-0x0000000000484000-memory.dmp
  - Filesize: 528KB