Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1200s -
max time network
1213s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
21/10/2021, 09:41
General
-
Target
80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe
-
Size
273KB
-
MD5
54cd7479c93e54ce8c9784b8b1a0392b
-
SHA1
c3e15e023c4ae835789b82befbe328ae137417ea
-
SHA256
80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764
-
SHA512
cea67d7c1094b107a83c607196d9d4d16e0d7d6b7e5cdaa81d83e52422a9194203680d65b44c106c46a8e47dc6251fe292930e9fcc8b757b7d5242383286afbb
Malware Config
Extracted
gozi_ifsb
10003
127.0.0.1
-
build
214711
-
dga_base_url
z1.zedo.com/robots.txt
-
dga_crc
0xf24ca29e
-
exe_type
worker
-
server_id
12
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe"C:\Users\Admin\AppData\Local\Temp\80e3a54e37f5e83b8bdab98b2ca765baaecb72c303fe44bc85ab85e7ece76764.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B36E\D9B7.bat" "C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\80E3A5~1.EXE""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /C ""C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\80E3A5~1.EXE""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe"C:\Users\Admin\AppData\Roaming\capasnap\Bitshost.exe" "C:\Users\Admin\AppData\Local\Temp\80E3A5~1.EXE"5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
328KB
-
Filesize
8KB
-
Filesize
600KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
328KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
600KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
600KB
-
Filesize
4KB
-
Filesize
8KB