Analysis

  • max time kernel: 4294217s
  • max time network: 163s
  • platform: windows7_x64
  • resource: win7-20220310-en
  • submitted: 16-03-2022 16:30

General

  • Target: bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe
  • Size: 252KB
  • MD5: 067fbc7cbc5e7dcd5f63047727ec08e9
  • SHA1: 8bf52ba841861d82f56e483993cd8e5558168133
  • SHA256: bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820
  • SHA512: d28b10e3c037958cc24cca6dbc731c96148a8214c9d6bab3b279fd666cc2c8624c07a50aa87559f1e2d8f52c9de6c8bd588aab8fd98b352897d66dc70e7c1b59

Score: 10/10

Malware Config

Extracted

  • Family: gozi_rm3
  • Attributes
    • build: 300994

Signatures

  • Gozi RM3
    A heavily modified version of Gozi using the RM3 loader.
  • Modifies Internet Explorer settings (1 TTP, 53 IoCs)
  • Suspicious use of FindShellTrayWindow (11 IoCs)
  • Suspicious use of SetWindowsHookEx (44 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe (PID 1824)
    "C:\Users\Admin\AppData\Local\Temp\bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe"
    • C:\Program Files\Internet Explorer\iexplore.exe (PID 1376)
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 112)
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:275457 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 276)
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1376 CREDAT:1717252 /prefetch:2
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
    • C:\Windows\System32\cmd.exe (PID 1320)
      "C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\forfiles.exe (PID 428)
        forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBvAGQAZQBhAHIAYwBoAGkAdgBlACcAKQAuAFMA & exit" /p C:\Windows\system32 /s /m po*l.e*e

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    MD5: 54e9306f95f32e50ccd58af19753d929
    SHA1: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
    SHA256: 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
    SHA512: 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
    MD5: 65a0eb052cf68845a784b0d2c1a97f96
    SHA1: 1902a40bc4fc63ecce5b1bcdf7634d8a325b6aea
    SHA256: 2fd7c28df0ed3c1897d4a7fff3068b40304b37daddf3031ffd6d863653d4c02d
    SHA512: f78001c1ecb38b4f05aae055f7fa42560d208d8412d9c90efa8a234cd4629e7297e0c5fa8f312254ac9df350a43d1dc1c7e46f8a6d5e804548b0896321a34928

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5: 8dbe65040c7318b8462f79e56017594e
    SHA1: 4b51033360ddfef8ca0941addd60c162f618387a
    SHA256: c32824406974106533f3de5f86384302c582e83287571f36df0909457acbcbbe
    SHA512: 1bf2e8a9ea47fbe330a141c806bbc17078911a2a45c36c902179014fd59c4aaa88a0a45e290d716e5d06385d58f73ab72555c34822a44a6c10f936a34b093b21

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5: ed9990235f2898c87291691a776262d4
    SHA1: 6dba7cede1f993610fa6f05ab497f62f9e899c01
    SHA256: 54a4dc682d1aadf52ef00e3ed6f1f49ff01bbec79fa0320d919778c0b0329354
    SHA512: 997e63e0e099e0593c7b40ea140e76ac083add68813ae4745a2f558fdaaa3a5b0ddc42c0f509ea7b08579ed80af7dc5fa12bf5611f8b521116e1b57857de0484

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w8w9llr\imagestore.dat
    MD5: a3f73d3a60f4be84c4e27d6994abe16b
    SHA1: 0baa602a468904327a6f2fdfddfa12259c5e3e7a
    SHA256: f288c3789c35db67f27299a4583013f6e6b5af1528c7b5e1587a637890b3e242
    SHA512: fdbde558da7d56f7bb7d4f899d77fca14d08a72a218b062a24d2e080cf744bf481fb90bc9cb1be00c0237f068878e60724f73978aef3b82a74e486ea85fb8f85

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3OL83HNN\favicon[1].ico
    MD5: a976d227e5d1dcf62f5f7e623211dd1b
    SHA1: a2a9dc1abdd3d888484678663928cb024c359ee6
    SHA256: 66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271
    SHA512: 6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\W9L00R8P.txt
    MD5: 337da72421b1a9617fee0412671b29aa
    SHA1: 463cae18081382950c00a54b208a3859f441dc3e
    SHA256: 4dadc8fd0555db473bdd76315881591c8800125bff589a730119952d10e54fb3
    SHA512: e30f12291f3899f5cbe9e0420079cfa8255f69a9c6cefa9087d0e4dd033cdfcecc08c3b0a0f2a48a0750a5d2cf9bb930a7f646c94e2988892675cc89407084c9

  • memory/1824-57-0x00000000759C1000-0x00000000759C3000-memory.dmp (Filesize: 8KB)
  • memory/1824-65-0x00000000001F0000-0x00000000001F2000-memory.dmp (Filesize: 8KB)
  • memory/1824-59-0x00000000001C0000-0x00000000001D0000-memory.dmp (Filesize: 64KB)
  • memory/1824-58-0x0000000001000000-0x000000000106F000-memory.dmp (Filesize: 444KB)
  • memory/1824-54-0x000000000030E000-0x0000000000319000-memory.dmp (Filesize: 44KB)
  • memory/1824-56-0x00000000001B0000-0x00000000001BC000-memory.dmp (Filesize: 48KB)
  • memory/1824-55-0x000000000030E000-0x0000000000319000-memory.dmp (Filesize: 44KB)