Analysis

  • max time kernel
    168s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    16-03-2022 16:30

General

  • Target

    bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe

  • Size

    252KB

  • MD5

    067fbc7cbc5e7dcd5f63047727ec08e9

  • SHA1

    8bf52ba841861d82f56e483993cd8e5558168133

  • SHA256

    bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820

  • SHA512

    d28b10e3c037958cc24cca6dbc731c96148a8214c9d6bab3b279fd666cc2c8624c07a50aa87559f1e2d8f52c9de6c8bd588aab8fd98b352897d66dc70e7c1b59

Score
10/10

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300994

Signatures

  • Gozi RM3

    A heavily modified version of Gozi that uses the RM3 loader.

  • Modifies Internet Explorer settings (1 TTP, 53 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SetWindowsHookEx (16 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe
    "C:\Users\Admin\AppData\Local\Temp\bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe"
    PID:592
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    PID:4160
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:17410 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3104
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:82950 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3192
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:82954 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1968
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:82958 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4836
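How to read the tree: the sandbox's depth markers put the sample (PID 592), ielowutil.exe (4160) and the iexplore.exe frame process (2716) all at the top level, and the four IEXPLORE.EXE content processes name their frame process via SCODEF:2716. Both browser processes carry -Embedding, the switch COM passes when it launches a server on behalf of a client rather than the client calling CreateProcess itself, and the CLSID on ielowutil.exe is the InternetExplorer.Application class. The following Python is an added example, not the sandbox's own code: it parses the three-line-per-process listing as the report prints it, links children to parents (an explicit SCODEF PID first, tree depth otherwise) and lists the COM-activated processes. The listing text is copied from the report above; the function and class names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of the process listing from the report above: the three
# report lines per process (command line, depth marker, PID) copied as printed.
PROCESS_LISTING = r"""
"C:\Users\Admin\AppData\Local\Temp\bca43b8251b1c4ac499b1d0543a86aee4fd76da1e203f011f0f1e68a03844820.exe"
1⤵
PID:592
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4160
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:2716
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:17410 /prefetch:2
2⤵
PID:3104
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:82950 /prefetch:2
2⤵
PID:3192
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:82954 /prefetch:2
2⤵
PID:1968
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:82958 /prefetch:2
2⤵
PID:4836
"""

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")


@dataclass
class Process:
    pid: int
    cmdline: str
    depth: int
    parent: Optional[int]  # None for a top-level entry


def parse_listing(text: str) -> Dict[int, Process]:
    """Turn the three-line-per-process listing into Process records keyed by PID.

    Parent linkage: an explicit SCODEF:<pid> in the command line wins (IE content
    processes name their frame process this way); otherwise the most recent entry
    one level shallower is the parent; a depth-1 entry has no parent.
    """
    procs: Dict[int, Process] = {}
    stack: List[int] = []  # stack[d-1] is the most recent PID seen at depth d
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    for i in range(0, len(lines), 3):
        cmdline = lines[i]
        depth = int(DEPTH_RE.match(lines[i + 1]).group(1))
        pid = int(PID_RE.match(lines[i + 2]).group(1))
        m = SCODEF_RE.search(cmdline)
        if m:
            parent: Optional[int] = int(m.group(1))
        elif depth > 1 and len(stack) >= depth - 1:
            parent = stack[depth - 2]
        else:
            parent = None
        del stack[depth - 1:]
        stack.append(pid)
        procs[pid] = Process(pid, cmdline, depth, parent)
    return procs


def children(procs: Dict[int, Process], pid: int) -> List[int]:
    return [p.pid for p in procs.values() if p.parent == pid]


def top_level(procs: Dict[int, Process]) -> List[int]:
    return [p.pid for p in procs.values() if p.parent is None]


def com_activated(procs: Dict[int, Process]) -> List[int]:
    """PIDs whose command line carries -Embedding, i.e. processes the COM service
    control manager started for a client instead of a direct CreateProcess."""
    return [p.pid for p in procs.values() if "-Embedding" in p.cmdline.split()]


def render(procs: Dict[int, Process]) -> str:
    """Indented tree for eyeballing, one process per line."""
    out: List[str] = []

    def walk(pid: int, indent: int) -> None:
        p = procs[pid]
        out.append("  " * indent + f"{p.pid}: {p.cmdline}")
        for c in children(procs, pid):
            walk(c, indent + 1)

    for pid in top_level(procs):
        walk(pid, 0)
    return "\n".join(out)


if __name__ == "__main__":
    tree = parse_listing(PROCESS_LISTING)
    print(render(tree))
    print("COM-activated:", com_activated(tree))
```

The point of the parent rule is that the report itself does not show the sample creating iexplore.exe: the only explicit linkage on the page is SCODEF, so the tree built here keeps the three top-level entries as siblings rather than guessing a parent the sandbox did not record.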

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

        MD5

        54e9306f95f32e50ccd58af19753d929

        SHA1

        eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

        SHA256

        45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

        SHA512

        8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

        MD5

        d6fe2a0237d4c683ec6f37b14fd480bc

        SHA1

        382b9c8b492e71be21167dfdab9354c69d55b528

        SHA256

        a74c1064bd38f2a09aeb34f69c8cf54f71442e306997684f4e943fd08dbc131a

        SHA512

        70bfaad48ac87c792c43e0c24cf655e374663e282e50fd1cdd0f4a59d0984aad01287f97d6bc6b791234b79882049d09f4a61f2d5b96fc4f24e3a067afe23612

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\2psodd8\imagestore.dat

        MD5

        ab047b08b57a2ddd7ffa030c4774ce2a

        SHA1

        bc7416fb5d00876b4bd4e298db2cae210d4b31a6

        SHA256

        a4f6c5fda079c2c4751e651317bd8d10b65698a44a2c56762cc410727766b54e

        SHA512

        d3b5a5c91cb9018f599b0f9c37727c1e8ef84e259db2794afce428fae97ef12b7245f0b31e347ce6bfa7b501f6dc4431d889c7b14a4a382ac12f0d24f99a765f

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GGB3KH7Z\favicon[2].ico

        MD5

        a976d227e5d1dcf62f5f7e623211dd1b

        SHA1

        a2a9dc1abdd3d888484678663928cb024c359ee6

        SHA256

        66332859bd8e3441a019e073a318b62a47014ba244121301034b510dc7532271

        SHA512

        6754d545f2ce095cfa1fa7ca9e3223f89e37726ee7e541ebcf3e209e18b2602f3be8677598cb30d697327a63de032c11dbf8ef7ad7889a79c488a21044c1cb3f

      • memory/592-134-0x000000000070D000-0x0000000000718000-memory.dmp

        Filesize

        44KB

      • memory/592-135-0x000000000070D000-0x0000000000718000-memory.dmp

        Filesize

        44KB

      • memory/592-136-0x0000000000690000-0x000000000069C000-memory.dmp

        Filesize

        48KB

      • memory/592-137-0x0000000001000000-0x000000000106F000-memory.dmp

        Filesize

        444KB

      • memory/592-138-0x00000000006A0000-0x00000000006B0000-memory.dmp

        Filesize

        64KB
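Reading the dump names: each one encodes the PID, a dump sequence number and the virtual address range, and the Filesize values above are exactly end minus start (0x718000 - 0x70D000 = 0xB000 = 44 KB, and so on). Two of the dumps (134 and 135) cover the same range, so they are one region captured twice, not two regions. The region at 0x01000000 is 444 KB, larger than the 252 KB file on disk; reading that as the place to look first for an unpacked or loaded image is an analyst's inference, not something the report states. The following Python is an added example, not the sandbox's code, that parses the names, computes sizes, groups repeated ranges and flags regions larger than the submitted file. The names are copied from the report above; the helper names are mine.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# The memory dump names listed in the report above, copied verbatim.
DUMP_NAMES = [
    "memory/592-134-0x000000000070D000-0x0000000000718000-memory.dmp",
    "memory/592-135-0x000000000070D000-0x0000000000718000-memory.dmp",
    "memory/592-136-0x0000000000690000-0x000000000069C000-memory.dmp",
    "memory/592-137-0x0000000001000000-0x000000000106F000-memory.dmp",
    "memory/592-138-0x00000000006A0000-0x00000000006B0000-memory.dmp",
]
TARGET_SIZE_KB = 252  # "Size" of the submitted file from the General section

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def size_kb(self) -> int:
        return self.size // 1024


def parse_dump_name(name: str) -> Region:
    """Split a sandbox dump name into PID, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    return Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def unique_ranges(names: List[str]) -> Dict[Tuple[int, int], List[int]]:
    """Group dump sequence numbers by (start, end) so a range dumped twice
    (134 and 135 here) counts as one region captured at two points in time."""
    groups: Dict[Tuple[int, int], List[int]] = {}
    for n in names:
        r = parse_dump_name(n)
        groups.setdefault((r.start, r.end), []).append(r.seq)
    return groups


def page_aligned(r: Region) -> bool:
    """Both ends on a 4 KiB page boundary, as a VirtualAlloc'd region would be."""
    return r.start % 0x1000 == 0 and r.end % 0x1000 == 0


def larger_than_file(names: List[str], file_kb: int) -> List[Region]:
    """Regions that cannot be a plain copy of the on-disk file because they are
    bigger than it: the first candidates for a decompressed or loaded image."""
    return [r for r in (parse_dump_name(n) for n in names) if r.size_kb > file_kb]


if __name__ == "__main__":
    for n in DUMP_NAMES:
        r = parse_dump_name(n)
        print(f"pid={r.pid} seq={r.seq} 0x{r.start:08X}-0x{r.end:08X} {r.size_kb}KB")
    print("distinct ranges:", len(unique_ranges(DUMP_NAMES)))
    for r in larger_than_file(DUMP_NAMES, TARGET_SIZE_KB):
        print(f"larger than the {TARGET_SIZE_KB}KB sample: 0x{r.start:08X} ({r.size_kb}KB)")
```

When pulling the actual .dmp files from the sandbox, the region returned by larger_than_file is the one to check for an MZ header or for the Gozi RM3 configuration that the sandbox reported as extracted.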