Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
15-05-2024 17:13
General
-
Target
z1.exe
-
Size
157KB
-
MD5
6abfecb8d7115c6efdf0c41d97f13dcf
-
SHA1
785f67febde6a9f084d6b41bebdd2ac7cc0d788e
-
SHA256
eedce41f2642f9e2b640464df4a305522cb5caec2267cd38411608e67b4a91bc
-
SHA512
980a5aa19454140b17571a286291cac4ceabbde9c2dc0a763c3401592428d23f2bc38bc9b6686f160d99af4ffc38d0f33b6b61b3d5a89e1766ca6e3333cb875c
-
SSDEEP
3072:JhWoilJVQcCkW5VMw2CYDTKvZat753W+WCUUyT:J3GJVkkMVBaF75dGh
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.html
Extracted
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\# DECRYPT MY FILES #.txt
http://cerberhhyed5frqa.kipfgs65s.com/FE5E-22DD-CEA9-0067-3846
http://cerberhhyed5frqa.easypaybtc.com/FE5E-22DD-CEA9-0067-3846
http://cerberhhyed5frqa.fastpaybtc.com/FE5E-22DD-CEA9-0067-3846
http://cerberhhyed5frqa.onion.cab/FE5E-22DD-CEA9-0067-3846
http://cerberhhyed5frqa.onion.to/FE5E-22DD-CEA9-0067-3846
http://cerberhhyed5frqa.onion/FE5E-22DD-CEA9-0067-3846
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Contacts a large (16393) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\z1.exe"C:\Users\Admin\AppData\Local\Temp\z1.exe"1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ReAgentc.exe"C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ReAgentc.exe"2⤵
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt3⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:108 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"3⤵
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "ReAgentc.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ReAgentc.exe" > NUL3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im "ReAgentc.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "z1.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\z1.exe" > NUL2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "z1.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {9CDA2CC5-DD98-4A00-AA55-ED3F121EB9AF} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ReAgentc.exeC:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\ReAgentc.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD543497ccaf76a247fa84ca7bff8997efb
SHA1f5353dd7078a6e5d56acfe7590e7bc79ea9847d7
SHA2568cc6df53c9cdaef0ea3bf566f9ebbd8d63ffdc5f5cf0c25819d199a6229b11de
SHA512781ce76965f1566b32ae89063d155078eba0d2387f80b816310aeca06330afa9c9a0d9f3ccffb1d7307394625e488a04313f3710ee9292c098f987379feb53d9
-
Filesize
10KB
MD5b4875c9cb4cbff25f406b6234b2f1678
SHA16d43d5e759300d0dc2906cf6fc1618a540d6804e
SHA256f103fdc9ed647bb8301bbca9ac88c202a216ee8058b96b2ae98bb46e4d1fe3c4
SHA5128d5e015ea21fb50c27d1f056104610250de3bf02e9351c531bde250235500f982ca2506f8d4c2a2fea1a82d9919853a5f550b184f31af5805c2c688b33ec1ef7
-
Filesize
204B
MD5f4f62c6f03227c16f4224d94f3df3290
SHA1e5d588a1fba64c8886685b948f51550e4807431e
SHA256794ae25ea84923dbb539d6c7fba91206d56f11606a853ccb1dad54a8f84cebe2
SHA512bcb43c92f5c95dfe301d4c2c219d9dfdebf8b47336c190a639e7436229ae6f7c16b861c422f3c054121962caced526a0d397eb1d93536fcf13e836c0fda67363
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD53ba75b014cf4ad87045bb92ff56054e7
SHA114d070cbf3430e971f1cf5c6c3e8e70626b39451
SHA256fffe562d0b3eedb273895592a2bd7699ce520c1ad980a36ddf5d8f91514da28a
SHA512ae457895e5b1179156b659bf11bea49a47c0938ab779df90088c0f978b9343ae52a837ef1ecc491f5698f1c6008be168e1e963daa03e8507e2454a4ea3cdf82b
-
Filesize
344B
MD5b7c2ca2b78dc24d00439534b0bcdef00
SHA171bf257a25a5efea1655b480e6503f57b2c56b10
SHA256a239af433f77b4b5252b90014c42d752a1372a6d91994a65cb9c04e89b677312
SHA5122929c35d3652cd0a1ee6d443baf7d1c4038514df72f4267fd38448cba50bf386fdb9f5b0422606d509c920a69602896caf5182ad6b6ea01e997a87de7704255a
-
Filesize
344B
MD585727fa24415e87ded73f0565a0e0cfc
SHA1c3b750efcb1c549cb24035520454a93b446d0736
SHA256575df2f398999af73435b78146fab1723b12e57850678aa2dc58389193ea030f
SHA51207400a06974f6f0a9d208fc84f62d944cdbabe5e4f03ffb1a08e60cd951aee2228a65c46e92e27f8906cb7b35e23727e1228ad5bb1ea295b19b1cd6902ee99a8
-
Filesize
344B
MD5f41d0130a8847726c3b80bc4c05ac6d2
SHA100d21ab7bb7632de06a335b0430f55eb08e77cf1
SHA2563a65739394ff5e8662b60ca9a0c6c3c660a031cf9f54471fd331efc87267c213
SHA512205d43e7f611cd59d619d0420789786d54f89b7a814e4d7030199d4e21ae37803817aa330636ca30965e04b306ab142a31a71f761d192c2610a85130e3de4608
-
Filesize
344B
MD58290007d4ad9febbd496e6158945a8a6
SHA175dd98d4fe45cb5df682aef2fa5711af7ac3f59c
SHA256b963648207f208d8ae747250d68fd0aa9e639735f9132bc531d20f895e926b4d
SHA5128ea9187e014bb114abeb491799bd075d41d028c94e641934c9ce7b3eb8f46fccb98503ffa4ff5d6573837ce5832153f8194101f8047126ee156aba4ae09b59be
-
Filesize
344B
MD53ef20306b5bd5c036cf85260d99943e1
SHA184cb4cd7af2e4e486790240882b19e2807b4b658
SHA2560b2551ec1c488a62aeb8151ce882c097f6c2a736e6d803851ef19592362e53c1
SHA512080795c1dfae17499eb732443128af4b32ef2ac69b639791466a95c49d4f411d4e27a7d7649156e5150b1680b028f4a5f75c6feacc70b2aed2f5044276f34cac
-
Filesize
344B
MD5c743eab4c6855176060102d222d83058
SHA1e9b280266e1383ad8f00a74fe816a333ec31831f
SHA256594f20b5c425268b600b884319ef65bc65bc5faf406804509c4a61c260f2b8f9
SHA5129e5548ba087ebd1bb6f956d716c553b2d5cbb092b1eac02167d6ad8276e15dc9a91f4935c9ac5721f07e8ffce4c5c609acd70ead12ddf839dd7eeb3490262eda
-
Filesize
344B
MD59e72930fb49b262692d37a23a35b9152
SHA13d8b5078a7132fa6e2da6599734483da2a8a90f7
SHA2565d8a0d33b8ce4109f70443cada03266050784a9f99f8d0a2d7bacebd409837fa
SHA51204b56ea09e1a48cf2a0ef170f8188bb54774a224259cceedab8f84501330df580d95049595d40b4d656789618f33f4bb9b5212e177f64482755bd623a1691060
-
Filesize
344B
MD5e08d68799dc21c7046f059e15df36227
SHA19e3ce640423820c787625ba8ef0b7035066b44f8
SHA2563ea64ecdcca42140347427a19a8b789982a80c6402cdeb9e4ac5869d26e6a780
SHA5122c1a8002e00933145f533b67fd75b563ea78b856d2808f5936934a0a0ed8bbbd25783498a8c967d7d63c0371d3826cc04752892d0de2f3e40b5d06c365ad396a
-
Filesize
344B
MD5da6b6a146d6fd8411593aa4f6de5eb4d
SHA187867824aac2ff8ec4c16a3b79ca1b0d7b090bab
SHA2568413dd05e772aa67bf6941ff7588b1fde8fcadc4cd89837cf35d6cf1787c05ae
SHA5121433be2544a93cc92ec99c15bb61267bf0e14d39cfe5e5a2f3b421ea321047a4ae62a2feeaaf02acf9a17fe4e9c65679f23b7f2a8ec7f7fdd642090d6e2dd29b
-
Filesize
344B
MD57d8854db67be2ea56f6854d54f533f64
SHA11d2bb96e1ae56ab91f296547ea5584734277a03a
SHA25631112d0b6f29a2ba753c33e0e22683ded6e69be12153d622088bfc36ef946125
SHA5126d0c11d1cefdc03c13b74267ed0f0b3e8eba8c99660b680559eb3b1e8c008689edbaea5c8ea0a001e748f3033bdab09f4e9669aa465a249de4f27307d770f82f
-
Filesize
344B
MD564244da176e8c0094381445d1d0e1867
SHA19208ca74fc4e9cdb310698df7237e98571686c7d
SHA2568a9b94db52f506b53e083eeee1efe8ce1cb643466853b664a7338f8021da0326
SHA5124f989bca092dc256e1c2c5a94acbb58a8bc8b62c2d8fbf0a6df010e17a5ad8f16d5d912ce405c8910470a168308166e73a91e6a8a32d1e8a2a606986389d141b
-
Filesize
344B
MD5d950a1551ba237cba03a1eacf944290c
SHA1d305d9a5cbab363d5c40cfa4e3e8448b896c7b27
SHA2560e895f6e531340e3a7821c6ca03caa26412fe574c52b0f0572bf2c54650e004f
SHA51292a7f0a2a411ba54c16760544b2c9c4c1b9381d259d4210a3a6aa92bfc03bdbe3ec200e3a9ec481ed2d40e73a78a28458119d741a761acf7d09b4cebcb0e3f6f
-
Filesize
344B
MD5409bd0c1a728272c4031794cfe0e8b53
SHA1a1149ff56ec12e76c0ba1d4ed2fd99721682d085
SHA2565ce186018e28a5a1710df9e6e70ad406e9d101db088805e7c94ed2409ea8d545
SHA512633edada6c2149a7ec3acdbfc34ce3d91738daf579655cc188fc9b255b1ee9a586f0c1cc8952b849f8f6ff06a8d4e3a22a5485a56680591498117df23443a808
-
Filesize
344B
MD5389e794a6d5e4f399e7ee695a1ab2cfc
SHA1ddfb5551cec1d8a85944a4391a5a372086657d20
SHA256afc89d8c6d0fbad1d2272279e9f55bb307e089b3fcc336396044cd2f68d41023
SHA512b354679ff7f57575b9cac9fbf5d728c75b3900db21077a1f20881c25686213f15fe88d2f663a7ebd9f45343b9f7c8222367303ab2a921eaf0b182ee6e1d19707
-
Filesize
344B
MD587361be344f6dcda2e0fc8c3bab034e2
SHA1cea24502a943bffc5a23204e0e0339f0080673f3
SHA25683f681b90a55c79bf725365468523f82c7360002646aed63b06761bec6126806
SHA5124247805b49b7f87cf32c17a1cb3666bfdde0828156ab4f4a874b9d40995dbc7149ae2022acbe65a03e656874cfd2c32a69836717f2d16e38209f31c65fae41d4
-
Filesize
344B
MD520b96ce59da55773f87688473970fa20
SHA1c7cce39ec53cba73bd7816f5d860a6b8601b32d7
SHA2567613b9d13425a9a46872ffe8e09268ee099a7cfb7063a0ab86d82ae7cfd2bae9
SHA5125b3cef7373213035aeb9deca1699ff8db5db6d5c45c2c8e1b793f2455b39dc4d5260e597983e06c4103a3bbf40ff66a710dd1f9b3b2c0fb686446aa40a621886
-
Filesize
242B
MD5bf62c5e2eebde48ae230fdebf6a0aeb8
SHA19470deb3dd73c7374aa4ff4787c3213b5a92c2c2
SHA256d0c51886853e489565825102b083bd73ce7a57ab5e560ab27a7934a0eac2359b
SHA512c4c0dc1f68c1b993249b826eb0497fba040a876a37e2bfab5c0be212f90b3ae6d8faaf8b602c0ebc20717e0f45c38307a494f333dd7cd92a5db84538d6e11737
-
Filesize
4KB
MD5da597791be3b6e732f0bc8b20e38ee62
SHA11125c45d285c360542027d7554a5c442288974de
SHA2565b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
1KB
MD533ed02a24e892df649326d2899c3c70f
SHA1d66ceef4f38ea3a118b54666d7dfe4244094d47f
SHA256c07c3192ce42d2ab83b9b3465f7bbd549480817dfcec805dfbfb702850904c3a
SHA512c2e3430711d277ce45dbd50eaa2c43bf1923144f6be43eef62d882cbc7d8755eb60cf9cc6db003765cfb28957ccad791209ab814df17072909e6a4638877d160
-
Filesize
157KB
MD56abfecb8d7115c6efdf0c41d97f13dcf
SHA1785f67febde6a9f084d6b41bebdd2ac7cc0d788e
SHA256eedce41f2642f9e2b640464df4a305522cb5caec2267cd38411608e67b4a91bc
SHA512980a5aa19454140b17571a286291cac4ceabbde9c2dc0a763c3401592428d23f2bc38bc9b6686f160d99af4ffc38d0f33b6b61b3d5a89e1766ca6e3333cb875c
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
124KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
72KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB