Analysis
max time kernel: 118s
max time network: 85s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 00:19
Static task: static1
Behavioral task: behavioral1
  Sample: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
  Resource: win10v2004-20221111-en
General
Target: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
Size: 400KB
MD5: f2c99d1468069fee1417e16f09bba493
SHA1: d2e4cea9cf77cfddfad8f4eb572d1c8e64c64256
SHA256: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92
SHA512: 8a27e5ff21e73934269381b1359ebc49725519ae9cbdf36ab4c5bba27860fbb6132748d496979373877599bb9bb98f68cd7782b2438c10e46404fdcd7d56177b
SSDEEP: 6144:aeKC53Hp0o69kRx7B3eAziFDVvXiSp2xdrlYYZRMFf:pKCl969k77Bxi/crhZRM5
Malware Config
Extracted: gozi
1012
lolila.net
vndjtu968488.ru
moriyurw368798.ru
build: 213425
exe_type: worker
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself (1 IoCs)
Processes: cmd.exe
pid | process
2032 | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\capiutil = "C:\\Windows\\system32\\drtptprf.exe" | 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe

Drops file in System32 directory (2 IoCs)
Processes: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
description | ioc | process
File created | C:\Windows\system32\drtptprf.exe | 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
File opened for modification | C:\Windows\system32\drtptprf.exe | 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DE45.tmp" | 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
description | pid | process | target process
PID 904 set thread context of 1464 | 904 | 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (5 IoCs)
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
pid | process
904 | 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: explorer.exe
pid | process
1464 | explorer.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
pid | process
904 | 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes: explorer.exe, AUDIODG.EXE
description | pid | process
Token: SeShutdownPrivilege | 1464 | explorer.exe (10 identical entries)
Token: 33 | 1196 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1196 | AUDIODG.EXE
Token: 33 | 1196 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1196 | AUDIODG.EXE
Token: SeShutdownPrivilege | 1464 | explorer.exe (2 identical entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: explorer.exe
pid | process
1464 | explorer.exe (25 identical entries)

Suspicious use of SendNotifyMessage (19 IoCs)
Processes: explorer.exe
pid | process
1464 | explorer.exe (19 identical entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: explorer.exe
pid | process
1464 | explorer.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe, cmd.exe
description | pid | process | target process
PID 904 wrote to memory of 1464 | 904 | 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe | explorer.exe (7 identical entries)
PID 904 wrote to memory of 2032 | 904 | 243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe | cmd.exe (4 identical entries)
PID 2032 wrote to memory of 2024 | 2032 | cmd.exe | attrib.exe (4 identical entries)

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\243468fa4552f6fbdf4add8ad8297335d45b5aa828464377b3c3ca82ab0d9e92.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5A10.bat" "C:\Users\Admin\AppData\Local\Temp\243468~1.EXE""
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\243468~1.EXE"
      - Views/modifies file attributes
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x494
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\5A10.bat
  Filesize: 72B
  MD5: cceb138b2f3dcf103a26edb15afdfbda
  SHA1: 10948a0bfaa9cc70eab20b482b101e10db175290
  SHA256: 17fa336fbea4321ae87e68555dfd6a6381e1c83eb1b729002582d99b6a2d5830
  SHA512: 9d45e685eaba83a7da4800f827adff5c1224ea16cb4c2b2629a5e359eaab196c351858db756d5a3e754347e61d4277def4938c64fea130724ed95a444ab29aea
memory/904-54-0x0000000075B41000-0x0000000075B43000-memory.dmp
  Filesize: 8KB
memory/904-56-0x0000000000250000-0x000000000028A000-memory.dmp
  Filesize: 232KB
memory/904-58-0x0000000000400000-0x0000000003929000-memory.dmp
  Filesize: 53.2MB
memory/904-63-0x0000000000400000-0x0000000003929000-memory.dmp
  Filesize: 53.2MB
memory/1464-55-0x0000000000000000-mapping.dmp
memory/1464-57-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp
  Filesize: 8KB
memory/1464-59-0x00000000002E0000-0x0000000000348000-memory.dmp
  Filesize: 416KB
memory/2024-62-0x0000000000000000-mapping.dmp
memory/2032-60-0x0000000000000000-mapping.dmp