gozi_ifsb | fb6856b2e1967b9bebf8deb3f3ea2994cf437e6184d9dc99ee53c92c531d0e27

General

Target

37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe
Size

539KB
MD5

10fda777cc56f004e90a4037e1e2cdcc
SHA1

2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9
SHA256

37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028
SHA512

9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

Score

10^/10

gozi_ifsb banker persistence trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

ctl3prop.exe

pid process

1580 ctl3prop.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1684 cmd.exe

pid	process
1580	ctl3prop.exe

pid	process
1684	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\dcimLSys = "C:\\Users\\Admin\\AppData\\Roaming\\bididlgs\\ctl3prop.exe"	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.execmd.execmd.exe

description	pid	process	target process
PID 1944 wrote to memory of 1660	1944	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	cmd.exe
PID 1944 wrote to memory of 1660	1944	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	cmd.exe
PID 1944 wrote to memory of 1660	1944	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	cmd.exe
PID 1944 wrote to memory of 1660	1944	37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe	cmd.exe
PID 1660 wrote to memory of 1684	1660	cmd.exe	cmd.exe
PID 1660 wrote to memory of 1684	1660	cmd.exe	cmd.exe
PID 1660 wrote to memory of 1684	1660	cmd.exe	cmd.exe
PID 1660 wrote to memory of 1684	1660	cmd.exe	cmd.exe
PID 1684 wrote to memory of 1580	1684	cmd.exe	ctl3prop.exe
PID 1684 wrote to memory of 1580	1684	cmd.exe	ctl3prop.exe
PID 1684 wrote to memory of 1580	1684	cmd.exe	ctl3prop.exe
PID 1684 wrote to memory of 1580	1684	cmd.exe	ctl3prop.exe

C:\Users\Admin\AppData\Local\Temp\37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe
"C:\Users\Admin\AppData\Local\Temp\37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\911A\C88D.bat" "C:\Users\Admin\AppData\Roaming\bididlgs\ctl3prop.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C ""C:\Users\Admin\AppData\Roaming\bididlgs\ctl3prop.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Admin\AppData\Roaming\bididlgs\ctl3prop.exe
      "C:\Users\Admin\AppData\Roaming\bididlgs\ctl3prop.exe" "C:\Users\Admin\AppData\Local\Temp\37E185~1.EXE"
      4⤵
      Executes dropped EXE
      PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\911A\C88D.bat

MD5
3e1f8dfc8ad1e573743156fd2bd7af64

SHA1
50b47d8af0e4da85007e1fca873f9fa9d475fca1

SHA256
385c03673b6cbb7cb6b5d545ea2a4ff1f646471d82c27a9a99cb5abf5413caf9

SHA512
4f63fb1966f887b1f3dc4995e3a04e8ab26286af33e3cba6891eb3ed6fe0e87aec7637c4281c6005ac924fc89b257ba2b323aef683384cd27329286a3b690516

Download Submit
C:\Users\Admin\AppData\Roaming\bididlgs\ctl3prop.exe

MD5
10fda777cc56f004e90a4037e1e2cdcc

SHA1
2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9

SHA256
37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028

SHA512
9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

Download Submit
C:\Users\Admin\AppData\Roaming\bididlgs\ctl3prop.exe

MD5
10fda777cc56f004e90a4037e1e2cdcc

SHA1
2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9

SHA256
37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028

SHA512
9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

Download Submit
\Users\Admin\AppData\Roaming\bididlgs\ctl3prop.exe

MD5
10fda777cc56f004e90a4037e1e2cdcc

SHA1
2827b8e86f8eb6a2f07ed13d7e237eef5420e5e9

SHA256
37e185e2b05b3d448b2096d3b5d104fafce47991e6a7634340c1b28b2bee8028

SHA512
9a9c6af054c8bc6d53e44dcb1650b17409d2229d539272d73b86c001a04f775d78c543361c4d8d53204a4519899ca31a3e4db31e02503e17a561621dc15ff088

Download Submit
memory/1580-69-0x0000000000000000-mapping.dmp

Download
memory/1660-64-0x0000000000000000-mapping.dmp

Download
memory/1684-66-0x0000000000000000-mapping.dmp

Download
memory/1944-60-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1944-61-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1944-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing