Analysis
max time kernel: 141s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 12:17
Behavioral task: behavioral1
Sample: 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe
Resource: win10v2004-20220812-en
General
Target: 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe
Size: 168KB
MD5: 919506160ba6d0cf88cb7018c1755410
SHA1: 49ff026440e403aac2abb6738b9fb42ad46ecdea
SHA256: 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405
SHA512: 72fc023e22708506af2c455d30c252923798b42fe58e54f61dd118d0348fb953234ddd2b38d1a092d9410a35ae65bc3047fee749beab45c90639d25797fedc25
SSDEEP: 3072:V2zxNCCVUopBzcb7UKtgb+thC+Y4dNdm6iBtBVcRRnQmywwE63CCZwFcTkmp:C3VUopBojeALY0zNiDcbQN137k
Malware Config
Extracted
Family: gozi
1001
redwoodmotors.ru
pampers-globalworld.ru
pinkfloyd-mp3love.ru
sosandhelpconnect.ru
build: 213425
exe_type: worker
Signatures

Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself (1 IoCs)
Processes:
  pid | process
  660 | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dpmoprov = "C:\\Windows\\system32\\cmstwave.exe" | 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\cmstwave.exe | 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe
  File created | C:\Windows\system32\cmstwave.exe | 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2774.tmp" | 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 1184 set thread context of 2020 | 1184 | 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe | explorer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (5 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  pid | process
  1184 | 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  2020 | explorer.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid | process
  1184 | 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 2020 | explorer.exe (10 occurrences)
  Token: 33 | 1128 | AUDIODG.EXE (2 occurrences, alternating with the next entry)
  Token: SeIncBasePriorityPrivilege | 1128 | AUDIODG.EXE (2 occurrences)
  Token: SeShutdownPrivilege | 2020 | explorer.exe (2 further occurrences)

Suspicious use of FindShellTrayWindow (28 IoCs)
Processes:
  pid | process
  2020 | explorer.exe (28 occurrences)

Suspicious use of SendNotifyMessage (18 IoCs)
Processes:
  pid | process
  2020 | explorer.exe (18 occurrences)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  2020 | explorer.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description | pid | process | target process
  PID 1184 wrote to memory of 2020 | 1184 | 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe | explorer.exe (7 occurrences)
  PID 1184 wrote to memory of 660 | 1184 | 6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe | cmd.exe (4 occurrences)
  PID 660 wrote to memory of 1492 | 660 | cmd.exe | attrib.exe (4 occurrences)

Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c4463df22dba5d021888723eeb5a585c12a8c43ae5b352800dc4ee0f722b405.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\4EDA.bat" "C:\Users\Admin\AppData\Local\Temp\6C4463~1.EXE""
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\6C4463~1.EXE"
      - Views/modifies file attributes

Level 1: C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x1b4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\4EDA.bat
Filesize: 72B
MD5: 29c8a35fca1116d8337aa5e1c2c77371
SHA1: 936142c911113ddd16f76afa2c8caa4a92a8983f
SHA256: e8e3ca8b627bc2d1aa8acf47924a0f24c4a007926e4f6fccb7846ea4660d4a96
SHA512: 18cb9a34a7ea6fc571bb5fd83ae826d588bbde33885177cd988e07ac55b03729a67044796e4de2ef3b2436020b7e318743708b949e92955727c7033814f07d64

memory/660-57-0x0000000000000000-mapping.dmp

memory/1184-54-0x0000000075A11000-0x0000000075A13000-memory.dmp
Filesize: 8KB

memory/1492-59-0x0000000000000000-mapping.dmp

memory/2020-55-0x0000000000000000-mapping.dmp

memory/2020-56-0x000007FEFB631000-0x000007FEFB633000-memory.dmp
Filesize: 8KB

memory/2020-60-0x0000000001BC0000-0x0000000001C28000-memory.dmp
Filesize: 416KB

memory/2020-61-0x0000000002EC0000-0x0000000002ED0000-memory.dmp
Filesize: 64KB