Analysis
max time kernel: 142s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 00:18
Static task: static1
Behavioral task: behavioral1
  Sample: 277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe
  Resource: win10v2004-20220812-en
General
Target: 277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe
Size: 366KB
MD5: cafb427e5aaf01dc82002021fa1c5211
SHA1: 5936a585083d8d8955b70fdf0153071de2360af3
SHA256: 277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e
SHA512: 78880cca364376381a90852c2f58238f2540fcd1fd6569349ed523e25528ff15f474063fba682526ce485faa0811f766fea7877c0f87d7c18c6ada396a3074ad
SSDEEP: 6144:+xyioeXqoRmL/ymMFr/fFZPU6cCl2SHZrsSNwNkYU4Br29E+pVhu:+xyHeXqUm7yxFXP3l5rs8gr2U
Malware Config
Extracted: gozi
  1012 (numeric config value, listed without a field name in the report)
  lolila.net
  vndjtu968488.ru
  moriyurw368798.ru
  build: 213459
  exe_type: worker
Signatures
-
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components
Deletes itself (1 IoC)
  cmd.exe, PID 1836
Adds Run key to start application (2 TTPs, 1 IoC)
  277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\capiutil = "C:\\Windows\\system32\\drtptprf.exe"
Drops file in System32 directory (2 IoCs)
  277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe: File created C:\Windows\system32\drtptprf.exe
  277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe: File opened for modification C:\Windows\system32\drtptprf.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"
  277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5528.tmp"
Suspicious use of SetThreadContext (1 IoC)
  PID 1872 (277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe) set thread context of PID 2000 (explorer.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; that label does not fit this sample, whose extracted config identifies it as Gozi and whose report shows no file-encryption activity. Treat the drive enumeration as a generic heuristic hit, not as evidence of ransomware.
Modifies registry class (5 IoCs)
  explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings
  explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
  explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  explorer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
  explorer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Suspicious behavior: EnumeratesProcesses (1 IoC)
  277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe, PID 1872
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  explorer.exe, PID 2000
Suspicious behavior: MapViewOfSection (1 IoC)
  277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe, PID 1872
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  explorer.exe (PID 2000): Token SeShutdownPrivilege, 12 times
  AUDIODG.EXE (PID 1432): Token 33, 2 times; Token SeIncBasePriorityPrivilege, 2 times
Suspicious use of FindShellTrayWindow (25 IoCs)
  explorer.exe (PID 2000), 25 times
Suspicious use of SendNotifyMessage (17 IoCs)
  explorer.exe (PID 2000), 17 times
Suspicious use of SetWindowsHookEx (1 IoC)
  explorer.exe, PID 2000
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1872 (277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe) wrote to memory of PID 2000 (explorer.exe), 7 times
  PID 1872 (277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe) wrote to memory of PID 1836 (cmd.exe), 4 times
  PID 1836 (cmd.exe) wrote to memory of PID 1680 (attrib.exe), 4 times
Views/modifies file attributes (1 TTP, 1 IoC)
Processes
C:\Users\Admin\AppData\Local\Temp\277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Windows\explorer.exe (depth 2)
    command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7CFB.bat" "C:\Users\Admin\AppData\Local\Temp\277AA7~1.EXE""
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (depth 3)
      command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\277AA7~1.EXE"
      - Views/modifies file attributes
C:\Windows\system32\AUDIODG.EXE (depth 1)
  command line: C:\Windows\system32\AUDIODG.EXE 0x578
  - Suspicious use of AdjustPrivilegeToken
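The signature listing and process tree above describe three things worth pulling apart when reading a report like this: the sample writes into and re-points a thread of a freshly started explorer.exe (WriteProcessMemory plus SetThreadContext on PID 2000), it registers a Run value named capiutil that points at a file it drops in System32, and it cleans up through cmd.exe, a batch file and attrib.exe. The script below is an added example, not part of the sandbox report: it parses IoC lines in the wording the report uses (a constructed subset is embedded), groups the memory writes per source/target pair, and separates the explorer.exe case from the ordinary parent-to-child writes that happen during process creation. The "both APIs on the same target" rule for flagging hollowing-style injection and the "Run value must point at a file this run actually wrote" rule for confirming persistence are the author's heuristics, not anything the sandbox states.

```python
import re
from collections import defaultdict

# Constructed input: IoC strings copied from this report's signature section,
# one per line, in the sandbox's own wording.
IOC_LINES = r"""
PID 1872 set thread context of 2000 1872 277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe explorer.exe
PID 1872 wrote to memory of 2000 1872 277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe explorer.exe
PID 1872 wrote to memory of 1836 1872 277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe cmd.exe
PID 1836 wrote to memory of 1680 1836 cmd.exe attrib.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\capiutil = "C:\\Windows\\system32\\drtptprf.exe" 277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe
File created C:\Windows\system32\drtptprf.exe 277aa77ab002d347d1c48c3f7287016834a7569177d266f9c5b6eaed1c4e237e.exe
"""

# Map the sandbox's phrasing back to the API it stands for.
API = {"set thread context of": "SetThreadContext",
       "wrote to memory of": "WriteProcessMemory"}
INJECT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")
SETVAL_RE = re.compile(r'^Set value \(\w+\) (\S+) = "([^"]*)" \S+$')
FILE_RE = re.compile(r"^File (created|opened for modification) (\S+) \S+$")


def triage(text):
    """Group IoC lines into injection pairs, Run-key persistence and dropped files."""
    injections = defaultdict(set)   # (src_pid, dst_pid) -> API names seen
    names = {}                      # pid -> image name
    run_values = []                 # (registry value path, target path)
    created = set()                 # files the sample wrote
    for line in text.strip().splitlines():
        m = INJECT_RE.match(line)
        if m:
            src, api, dst, src_img, dst_img = m.groups()
            injections[(int(src), int(dst))].add(API[api])
            names[int(src)], names[int(dst)] = src_img, dst_img
            continue
        m = SETVAL_RE.match(line)
        if m and "\\CurrentVersion\\Run\\" in m.group(1):
            # The sandbox doubles backslashes inside string values; undo that.
            run_values.append((m.group(1), m.group(2).replace("\\\\", "\\")))
            continue
        m = FILE_RE.match(line)
        if m and m.group(1) == "created":
            created.add(m.group(2))

    # Heuristic (author's): a parent writing into a child it just spawned is ordinary
    # process creation (cmd.exe, attrib.exe here). WriteProcessMemory together with
    # SetThreadContext on the same target is the hollowing-style signal.
    hollowing = [(src, dst, names[dst]) for (src, dst), apis in injections.items()
                 if {"WriteProcessMemory", "SetThreadContext"} <= apis]

    # Heuristic (author's): persistence is confirmed only when the Run value points
    # at a file this run actually created; otherwise it is a dead entry.
    created_lc = {c.lower() for c in created}
    confirmed = [p for _, p in run_values if p.lower() in created_lc]

    return {"injections": {k: sorted(v) for k, v in injections.items()},
            "hollowing": hollowing,
            "run_values": run_values,
            "confirmed_persistence": confirmed}


if __name__ == "__main__":
    for key, value in triage(IOC_LINES).items():
        print(f"{key}: {value}")
```

Run against the report's lines, the only pair carrying both APIs is 1872 to 2000 (explorer.exe), and the capiutil Run value resolves to C:\Windows\system32\drtptprf.exe, which the same run created. On a real host the two checks to make are the same ones the script encodes: the Run value and whether the file behind it exists.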
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\7CFB.bat
  Filesize: 72B
  MD5: 94fbfa9eefddf7259c18df5ea814f331
  SHA1: 472879da9a1285ee1e9830f67f3e2bcf486452ad
  SHA256: 2c8cec5a1b1b6b3e4eb283e03aff76806e3b4ea88b973ee1e9fe6e08707118d1
  SHA512: 7c8aafc9ffd0b7f05a29241347da5942817544439d0e4c16899a7fd153b63f16a89fc5f5a6803eda74408baa65fbd25d0f340a342545df18c2f92f278402359e
memory/1680-63-0x0000000000000000-mapping.dmp
memory/1836-60-0x0000000000000000-mapping.dmp
memory/1872-54-0x0000000075571000-0x0000000075573000-memory.dmp (Filesize: 8KB)
memory/1872-56-0x0000000000250000-0x0000000000289000-memory.dmp (Filesize: 228KB)
memory/1872-57-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize: 496KB)
memory/1872-61-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize: 496KB)
memory/2000-55-0x0000000000000000-mapping.dmp
memory/2000-58-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp (Filesize: 8KB)
memory/2000-59-0x00000000002D0000-0x0000000000338000-memory.dmp (Filesize: 416KB)
memory/2000-64-0x0000000002EA0000-0x0000000002EB0000-memory.dmp (Filesize: 64KB)
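The dump names above encode the PID, a sequence number and the address range of each region the sandbox captured, and the listed sizes should equal end minus start. Two things in this list are worth noticing before downloading anything: the sample's own image range 0x400000-0x47C000 in PID 1872 was dumped twice (sequence 57 and 61), and PID 2000, the explorer.exe the sample wrote into, has a 416KB region at 0x2D0000 that is neither a tiny system-DLL page nor a mapping stub. The script below is an added example, not part of the report: it parses the names (the list is embedded as constructed input), checks every listed size against the address range, and applies two analyst heuristics that are the author's own assumptions, not anything the sandbox asserts: a range dumped twice in one process is a candidate for in-place unpacking and should be diffed, and the largest low-address region in the injection target is the first dump to carve for the injected payload.

```python
import re

# Constructed input: dump names and listed sizes from this report's Downloads section.
DUMPS = [
    ("memory/1680-63-0x0000000000000000-mapping.dmp", None),
    ("memory/1836-60-0x0000000000000000-mapping.dmp", None),
    ("memory/1872-54-0x0000000075571000-0x0000000075573000-memory.dmp", "8KB"),
    ("memory/1872-56-0x0000000000250000-0x0000000000289000-memory.dmp", "228KB"),
    ("memory/1872-57-0x0000000000400000-0x000000000047C000-memory.dmp", "496KB"),
    ("memory/1872-61-0x0000000000400000-0x000000000047C000-memory.dmp", "496KB"),
    ("memory/2000-55-0x0000000000000000-mapping.dmp", None),
    ("memory/2000-58-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp", "8KB"),
    ("memory/2000-59-0x00000000002D0000-0x0000000000338000-memory.dmp", "416KB"),
    ("memory/2000-64-0x0000000002EA0000-0x0000000002EB0000-memory.dmp", "64KB"),
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  memory/<pid>-<seq>-0x0-mapping.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp$")


def parse_dump(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start = int(start, 16)
    end = int(end, 16) if end is not None else None   # None for mapping stubs
    return {"name": name, "pid": int(pid), "seq": int(seq), "start": start,
            "end": end, "size": end - start if end is not None else 0}


def listed_size_bytes(text):
    """'496KB' -> 507904; the report lists whole kilobytes only."""
    m = re.fullmatch(r"(\d+)KB", text)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m.group(1)) * 1024


def triage_dumps(dumps, target_pid, user_limit=0x7FFF0000):
    """Check listed sizes and pick which dumps to open first.

    user_limit (author's heuristic): regions above it (0x7FE... here) are system DLL
    pages in a 64-bit process and are skipped when looking for an injected payload.
    """
    regions = []
    for name, listed in dumps:
        d = parse_dump(name)
        d["size_ok"] = listed is None or listed_size_bytes(listed) == d["size"]
        regions.append(d)

    # Same (pid, start, end) captured twice: the later dump may hold the unpacked
    # image written over the original one; keep both sequence numbers to diff them.
    first_seen, dumped_twice = {}, []
    for d in regions:
        if d["end"] is None:
            continue
        key = (d["pid"], d["start"], d["end"])
        if key in first_seen:
            dumped_twice.append((first_seen[key], d["seq"]))
        else:
            first_seen[key] = d["seq"]

    # In the injection target, the largest low-address non-stub region is the
    # first place to look for the injected code.
    candidates = [d for d in regions
                  if d["pid"] == target_pid and d["end"] is not None
                  and d["start"] < user_limit]
    payload = max(candidates, key=lambda d: d["size"]) if candidates else None

    return {"regions": regions,
            "all_sizes_consistent": all(d["size_ok"] for d in regions),
            "dumped_twice": dumped_twice,
            "payload_candidate": payload}


if __name__ == "__main__":
    result = triage_dumps(DUMPS, target_pid=2000)
    print("sizes consistent:", result["all_sizes_consistent"])
    print("dumped twice (seq pairs):", result["dumped_twice"])
    print("payload candidate:", result["payload_candidate"]["name"])
```

For this report every listed size matches its range, the pair (57, 61) is the sample image captured twice in PID 1872, and memory/2000-59 (0x2D0000-0x338000, 416KB) is the region to inspect in explorer.exe. The target PID is passed in rather than inferred, because the injection pair comes from the signature section, not from the dump names.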