Analysis
- max time kernel: 24s
- max time network: 27s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-03-2024 19:36

Static task: static1
Behavioral task: behavioral1
Sample: applecleaner.exe
Resource: win7-20240221-en
General
- Target: applecleaner.exe
- Size: 11KB
- MD5: 22e3095c8cf11dc93358b7d9fc4a52ed
- SHA1: 77f41d9876aa2eabb64260281f9ae469c7e2f7fc
- SHA256: 6751c45698a1ebc492e3b1900d96c618ac0cd2a80ca56d3ba974fdfe43431ace
- SHA512: 6e812c89510d83ee673a98228aff2922aa125fc609240640f1980103305b1108fed10993caa017c390bff00fa68e8be4295d50fcdb65a04e4ade7227eb200d56
- SSDEEP: 192:5N8JZBfYtfqkDUedD8tUhKIziFcfqg9uldFwE9wtgH6:5NiBAtfqk9d4tOKJCHEmmH
Malware Config
- Extracted: gozi
Signatures

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                  | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | wscript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | applecleaner.exe

- Executes dropped EXE (2 IoCs)
  pid  | Process
  1868 | gbseook1.exe
  4460 | gbseook1.exe

- Loads dropped DLL (1 IoCs)
  pid  | Process
  2008 | applecleaner.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  flow | ioc
  34   | raw.githubusercontent.com
  35   | raw.githubusercontent.com
  72   | discord.com
  73   | discord.com

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description       | ioc                                                                                                                                                              | Process
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                                  | taskmgr.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A            | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                                     | taskmgr.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  | Process
  1100 | schtasks.exe

- Modifies registry class (7 IoCs)
  description     | ioc                                                                                                                        | Process
  Key created     | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell\open\command                        | reg.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings                                           | reg.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell                                     | reg.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell\open                                | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\tokyopear2457567.vbs" | reg.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell\open\command                        | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"  | reg.exe

- Suspicious behavior: EnumeratesProcesses (35 IoCs)
  pid  | Process          | hits
  3148 | taskmgr.exe      | 18
  2008 | applecleaner.exe | 13
  1868 | gbseook1.exe     | 2
  4460 | gbseook1.exe     | 2

- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description                       | pid  | Process          | hits
  Token: SeDebugPrivilege           | 2008 | applecleaner.exe | 1
  Token: SeDebugPrivilege           | 3148 | taskmgr.exe      | 1
  Token: SeSystemProfilePrivilege   | 3148 | taskmgr.exe      | 1
  Token: SeCreateGlobalPrivilege    | 3148 | taskmgr.exe      | 1
  Token: 33                         | 3148 | taskmgr.exe      | 1
  Token: SeIncBasePriorityPrivilege | 3148 | taskmgr.exe      | 1
  Token: SeDebugPrivilege           | 1868 | gbseook1.exe     | 1
  Token: SeDebugPrivilege           | 4460 | gbseook1.exe     | 1
  Token: SeShutdownPrivilege        | 3368 | Explorer.EXE     | 7
  Token: SeCreatePagefilePrivilege  | 3368 | Explorer.EXE     | 7

- Suspicious use of FindShellTrayWindow (45 IoCs)
  pid  | Process      | hits
  3148 | taskmgr.exe  | 43
  3368 | Explorer.EXE | 2

- Suspicious use of SendNotifyMessage (45 IoCs)
  pid  | Process      | hits
  3148 | taskmgr.exe  | 43
  3368 | Explorer.EXE | 2

- Suspicious use of WriteProcessMemory (54 IoCs)
  pid  | Process             | wrote to memory of (pid) | procid_target | hits
  2008 | applecleaner.exe    | 4012                     | 93            | 3
  2008 | applecleaner.exe    | 1060                     | 95            | 3
  2008 | applecleaner.exe    | 4996                     | 97            | 3
  4996 | cmd.exe             | 2256                     | 99            | 3
  2256 | ComputerDefaults.exe | 2096                    | 100           | 3
  2096 | wscript.exe         | 4472                     | 101           | 3
  2008 | applecleaner.exe    | 4548                     | 105           | 3
  4548 | cmd.exe             | 1100                     | 108           | 3
  2008 | applecleaner.exe    | 1868                     | 115           | 2
  1868 | gbseook1.exe        | 3148                     | 110           | 13
  2008 | applecleaner.exe    | 4460                     | 116           | 2
  4460 | gbseook1.exe        | 3368                     | 56            | 13
Processes

- C:\Windows\Explorer.EXE (PID 3368)
  Command line: C:\Windows\Explorer.EXE
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  - C:\Users\Admin\AppData\Local\Temp\applecleaner.exe (PID 2008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\applecleaner.exe"
    Signatures:
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\reg.exe (PID 4012)
      Command line: "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\tokyopear2457567.vbs" /f
      Signatures:
      - Modifies registry class

    - C:\Windows\SysWOW64\reg.exe (PID 1060)
      Command line: "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
      Signatures:
      - Modifies registry class

    - C:\Windows\SysWOW64\cmd.exe (PID 4996)
      Command line: "cmd.exe" /C computerdefaults.exe
      Signatures:
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\ComputerDefaults.exe (PID 2256)
        Command line: computerdefaults.exe
        Signatures:
        - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\wscript.exe (PID 2096)
          Command line: "wscript.exe" C:\Users\Admin\AppData\Local\Temp\tokyopear2457567.vbs
          Signatures:
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory

          - C:\Windows\SysWOW64\cmd.exe (PID 4472)
            Command line: "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts

    - C:\Windows\SysWOW64\cmd.exe (PID 4548)
      Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN AutoCADUpdateService_E5V2ENLNGzQsovpHQ050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\E5V2ENLNGzQsovpHQ050MX.exe" /RL HIGHEST /IT
      Signatures:
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\schtasks.exe (PID 1100)
        Command line: schtasks /Create /SC ONLOGON /TN AutoCADUpdateService_E5V2ENLNGzQsovpHQ050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\E5V2ENLNGzQsovpHQ050MX.exe" /RL HIGHEST /IT
        Signatures:
        - Creates scheduled task(s)

    - C:\Users\Admin\AppData\Local\Temp\gbseook1.exe (PID 1868)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gbseook1.exe" Taskmgr.exe
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\gbseook1.exe (PID 4460)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gbseook1.exe" explorer.exe
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\taskmgr.exe (PID 3148)
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    Signatures:
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads