Analysis

  • max time kernel
    21s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 22:02

General

  • Target

    f2f060d1bb8cd50cc05f801b1cad81c66df65545d43bd48380ebc241c547f329.exe

  • Size

    908KB

  • MD5

    6c4eab4ae5b34c820169db5af3bef3a8

  • SHA1

    1f18d4d26d78857028b5b558176ae9a692a82f8d

  • SHA256

    f2f060d1bb8cd50cc05f801b1cad81c66df65545d43bd48380ebc241c547f329

  • SHA512

    d0df62110d2e8aff108619cfd97d661e50cf90f78e75dcbbc6724d60b86a15ea9de6e44e5d13097b79521793b167912295a36c9649203a4677999f79e80ef0eb

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300854

  • exe_type

    loader

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2f060d1bb8cd50cc05f801b1cad81c66df65545d43bd48380ebc241c547f329.exe
    "C:\Users\Admin\AppData\Local\Temp\f2f060d1bb8cd50cc05f801b1cad81c66df65545d43bd48380ebc241c547f329.exe"
    1⤵
      PID:1116
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4248
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4260
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4260 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:5048
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4260 CREDAT:82950 /prefetch:2
          2⤵
            PID:2056
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
            PID:3868
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3868 CREDAT:17410 /prefetch:2
              2⤵
                PID:4024
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
              1⤵
                PID:1668
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:17410 /prefetch:2
                  2⤵
                    PID:4316
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                  1⤵
                    PID:2264
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:17410 /prefetch:2
                      2⤵
                        PID:1912
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                      1⤵
                        PID:1720
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:17410 /prefetch:2
                          2⤵
                            PID:2892

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Defense Evasion

                        Modify Registry

                        1
                        T1112

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/1116-130-0x00000000006A0000-0x00000000006B1000-memory.dmp
                          Filesize

                          68KB

                        • memory/1116-136-0x0000000000670000-0x000000000067C000-memory.dmp
                          Filesize

                          48KB

                        • memory/1116-137-0x0000000000400000-0x00000000004E5000-memory.dmp
                          Filesize

                          916KB