d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d

Analysis

max time kernel
179s
max time network
173s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe
Size

227KB
MD5

a4f4e83d338b668b3e5de2a227619e32
SHA1

9f720978a5630b7bf47bf79bc40baea41de84c4f
SHA256

d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d
SHA512

2104c31040e5c661673c478afab474572a864b402ccca762ec17d490220a5200f976c86d97470b231b36f25452c8179d8cc1264dc9f25b87a1c9a4109e3ac813
SSDEEP

3072:jbQi390ezV3Q7RcaDryukKLeC1TkGNmCjxqX/fI/x0s29ygBqQkmDRK:jR39JsXryukHCRXmCjxqX3LZBOE

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
676	Ghozoa.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1352-54-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0008000000013a0c-58.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	Ghozoa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\2SPI9KEA4C = "C:\\Windows\\Ghozoa.exe"	Ghozoa.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe
File opened for modification	C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job	d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe
File created	C:\Windows\Ghozoa.exe	d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe
File opened for modification	C:\Windows\Ghozoa.exe	d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	Ghozoa.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\International	Ghozoa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe
676	Ghozoa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1352	d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe
676	Ghozoa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 676	1352	d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe	28
PID 1352 wrote to memory of 676	1352	d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe	28
PID 1352 wrote to memory of 676	1352	d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe	28
PID 1352 wrote to memory of 676	1352	d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe	28

C:\Users\Admin\AppData\Local\Temp\d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe
"C:\Users\Admin\AppData\Local\Temp\d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\Ghozoa.exe
  C:\Windows\Ghozoa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Ghozoa.exe

Filesize
227KB

MD5
a4f4e83d338b668b3e5de2a227619e32

SHA1
9f720978a5630b7bf47bf79bc40baea41de84c4f

SHA256
d12bb05c7c81580da6173250294b439d3b8032f6fd3462171af865d0fdd3243d

SHA512
2104c31040e5c661673c478afab474572a864b402ccca762ec17d490220a5200f976c86d97470b231b36f25452c8179d8cc1264dc9f25b87a1c9a4109e3ac813

Download Submit
C:\Windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job

Filesize
408B

MD5
11cb34bde558073443dffb5072f8925d

SHA1
962e770b1ea500fc40e38d24b83d50901c2b4c96

SHA256
47bdb5ec6c8ca64c414b2e3e0510c362c100ebd395b8aa29a3fd9974b87b567f

SHA512
99c4cd4ccfa9f49f4632a5d9b215998086f0ee8c3c190be3a06dd9b578863f7e0c119d8a4526ac2fe450eb30e6a5a4549631587d6d28a173f08eed74fbe07c28

Download Submit
memory/676-57-0x0000000000000000-mapping.dmp

Download
memory/676-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/676-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/676-65-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1352-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1352-55-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1352-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1352-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1352-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download