Analysis
- max time kernel: 145s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:25

Static task: static1
Behavioral task: behavioral1
- Sample: 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
- Resource: win7-20220901-en
General
- Target: 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
- Size: 721KB
- MD5: 241b27f617d5091e90fcdc80a7b73345
- SHA1: 310c218d7b10260edcab87b344e73b47717e0e59
- SHA256: 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745
- SHA512: a6a2d397fdd32143b984675e2a91a53f5c04e2b96035559e77b53d4125d6f7d0089dab6c5a0d11c44be54ee3cb3d225e6141b9907714643b69a904db04ce6f1a
- SSDEEP: 12288:jbvWtRlbbdWyQxz7fjEAikoynNPDXwli/1TPnKawfJQjGVN34Obd/LBkzIwO95Hm:jbvWtRldWyQJfjEAikowPDXwli/1TnfQ
Malware Config
Extracted family: gozi
- 1000
- dipsitripsikey70.com/adwordsdata/dropbox/xxx
- underbulletkey77.com/adwordsdata/dropbox/xxx
- statisticaregger32.com/adwordsdata/dropbox/xxx
- exe_type: worker
Signatures
- Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid | process
  524 | cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dpmoprov = "C:\\Windows\\system32\\cmstwave.exe" | 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
- Drops file in System32 directory (2 IoCs)
  Processes: 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
  description | ioc | process
  File created | C:\Windows\system32\cmstwave.exe | 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
  File opened for modification | C:\Windows\system32\cmstwave.exe | 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
  description | pid | process | target process
  PID 1464 set thread context of 1324 | 1464 | 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe | explorer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (5 IoCs)
  Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
  pid | process
  1464 | 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: explorer.exe
  pid | process
  1324 | explorer.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
  pid | process
  1464 | 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes: explorer.exe, AUDIODG.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 1324 | explorer.exe (10 occurrences)
  Token: 33 | 1584 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1584 | AUDIODG.EXE
  Token: 33 | 1584 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1584 | AUDIODG.EXE
  Token: SeShutdownPrivilege | 1324 | explorer.exe (2 occurrences)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  Processes: explorer.exe
  pid | process
  1324 | explorer.exe (26 occurrences)
- Suspicious use of SendNotifyMessage (17 IoCs)
  Processes: explorer.exe
  pid | process
  1324 | explorer.exe (17 occurrences)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: explorer.exe
  pid | process
  1324 | explorer.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe, cmd.exe
  description | pid | process | target process
  PID 1464 wrote to memory of 1324 | 1464 | 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe | explorer.exe (7 occurrences)
  PID 1464 wrote to memory of 524 | 1464 | 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe | cmd.exe (4 occurrences)
  PID 524 wrote to memory of 240 | 524 | cmd.exe | attrib.exe (4 occurrences)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe"
  PID: 1464
  Signatures:
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\explorer.exe
    Command line: "C:\Windows\explorer.exe"
    PID: 1324
    Signatures:
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7098451.bat" "C:\Users\Admin\AppData\Local\Temp\95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe""
    PID: 524
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe"
      PID: 240
      Signatures:
      - Views/modifies file attributes
- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x5a0
  PID: 1584
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7098451.bat
  Filesize: 72B
  MD5: 6616957471465a332974f173a82596db
  SHA1: e1402fdbcec36616139ca45ffbf0d56a47c80bb4
  SHA256: 7a7590e3513f4a56de8b4aa67bc0624eb322baaea2a4205cc29520f458bea6c2
  SHA512: 56824f1e5f57da2dab5b06a7ab07f4924588999dc37ade23ce6f5ac99c63bcb0d0c84e801141db69c853a4be7d07c14b28660cb5564395da6b765c42dec83ab6
- memory/240-63-0x0000000000000000-mapping.dmp
- memory/524-61-0x0000000000000000-mapping.dmp
- memory/1324-58-0x0000000000000000-mapping.dmp
- memory/1324-59-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp
  Filesize: 8KB
- memory/1324-60-0x0000000000330000-0x00000000003AF000-memory.dmp
  Filesize: 508KB
- memory/1324-64-0x0000000000330000-0x00000000003AF000-memory.dmp
  Filesize: 508KB
- memory/1464-54-0x0000000075B51000-0x0000000075B53000-memory.dmp
  Filesize: 8KB
- memory/1464-55-0x0000000000400000-0x0000000000693000-memory.dmp
  Filesize: 2.6MB
- memory/1464-57-0x00000000002B0000-0x00000000002B4000-memory.dmp
  Filesize: 16KB