Analysis

  • max time kernel
    156s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    21/03/2022, 08:15

General

  • Target

    bc2bd3c448b2348629da59a454f409ad5b60f2eb21f175e7e49dd04b2703c0ea.exe

  • Size

    273KB

  • MD5

    cb48ba54cf73cba6499d7622b50b89da

  • SHA1

    9311c9855479396b7c9725c3eb9cedde7e1378ec

  • SHA256

    bc2bd3c448b2348629da59a454f409ad5b60f2eb21f175e7e49dd04b2703c0ea

  • SHA512

    3749df35f8a6221a4010c03f873dd5b3a00438ee91c8c5845d700409e510e5527f7551e34b23cc1fcef9679cdcece62195fd743476c4e25663057058dab74ba4

Malware Config

Extracted

Family

gozi_ifsb

Botnet

7622

C2

botanlink.top

linkspremium.ru

premiumlists.ru

Attributes
  • base_path

    /drew/

  • build

    250225

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc2bd3c448b2348629da59a454f409ad5b60f2eb21f175e7e49dd04b2703c0ea.exe
    "C:\Users\Admin\AppData\Local\Temp\bc2bd3c448b2348629da59a454f409ad5b60f2eb21f175e7e49dd04b2703c0ea.exe"
    1⤵
      PID:1948
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:2396
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3636
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        1⤵
        • Modifies data under HKEY_USERS
        PID:4116
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3704
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3704 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1912
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5088
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5088 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2628

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1948-130-0x00000000005D0000-0x00000000005DA000-memory.dmp

    Filesize

    40KB

  • memory/1948-131-0x00000000005E0000-0x00000000005EB000-memory.dmp

    Filesize

    44KB

  • memory/1948-132-0x0000000000400000-0x0000000000475000-memory.dmp

    Filesize

    468KB

  • memory/4116-133-0x0000026FB0940000-0x0000026FB0950000-memory.dmp

    Filesize

    64KB

  • memory/4116-134-0x0000026FB1360000-0x0000026FB1370000-memory.dmp

    Filesize

    64KB

  • memory/4116-135-0x0000026FB38C0000-0x0000026FB38C4000-memory.dmp

    Filesize

    16KB