Analysis

  • max time kernel
    125s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    21/03/2022, 21:38

General

  • Target

    0x00080000000122ea-60.exe

  • Size

    7.7MB

  • MD5

    b61ae72b50a40197085687a8df2c4f32

  • SHA1

    ccc71c89853966f7001c6ea43287d9c396884bc6

  • SHA256

    a262c8414eafbd3587c395b4a6b08ba010efcb4681c1759396386de7d223a50b

  • SHA512

    83ce36d6bf70f2afc0bb07f403f797e2b3207501fe67a94ae69c5ae8f2530f8bd31fea6b8ad5c1f97fcff046818f2adfd1b16ed2ab89a601d15bb4162bc7c1ae

Malware Config

Signatures

  • Gozi, Gozi ISFB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTP 1 IoC
  • Kills process with WMI 2 IoCs
  • Runs ping.exe 1 TTP 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe
    "C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C ping -n 2 127.0.0.1>%temp%\log2 && rd /s /q %appdata%\Sysfiles & rd /s /q %temp%
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\system32\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2248
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:228
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
        3⤵
        • Kills process with WMI
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
        3⤵
        PID:2480
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & ping -n 10 127.0.0.1>%temp%\log1 && erase %temp% /s /f /q & rd /s /q %appdata%\Sysfiles
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Windows\system32\PING.EXE
        ping -n 10 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2060
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
        3⤵
        • Kills process with WMI
        PID:4436

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4300-142-0x00007FFB80000000-0x00007FFB80002000-memory.dmp
    Filesize 8KB
  • memory/4300-148-0x00007FFB67820000-0x00007FFB682E1000-memory.dmp
    Filesize 10.8MB
  • memory/4300-147-0x000000003F2C0000-0x000000003FFEA000-memory.dmp
    Filesize 13.2MB
  • memory/4300-143-0x00007FFB80030000-0x00007FFB80031000-memory.dmp
    Filesize 4KB
  • memory/4300-135-0x0000000180000000-0x0000000180046000-memory.dmp
    Filesize 280KB
  • memory/4300-141-0x00007FFB87070000-0x00007FFB8712E000-memory.dmp
    Filesize 760KB
  • memory/4300-140-0x00007FFB85560000-0x00007FFB85829000-memory.dmp
    Filesize 2.8MB