Analysis

  • max time kernel
    30s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-05-2022 00:19

General

  • Target

    74f31c7df9a18f4cd83f98eeb247095ad465866f418f7a412617d0916e23a913.exe

  • Size

    909KB

  • MD5

    3f6aa40faf3ce8a8687498da71706b72

  • SHA1

    a56d3e58fc1df38ec102e005d33aa1567bba1f8e

  • SHA256

    74f31c7df9a18f4cd83f98eeb247095ad465866f418f7a412617d0916e23a913

  • SHA512

    21876bb1f8e6c0d195eda27bcc42358c4a537159f47d4362e7176899a38f2b991ba340e6012b9a4f533a9931744be36532afc2ae5236552c73f126bd8cab99a5

Malware Config

Extracted

Family

gozi_rm3

Attributes
  • build

    300854

Extracted

Family

gozi_rm3

Botnet

202004141

C2

https://devicelease.xyz

Attributes
  • build

    300854

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74f31c7df9a18f4cd83f98eeb247095ad465866f418f7a412617d0916e23a913.exe
    "C:\Users\Admin\AppData\Local\Temp\74f31c7df9a18f4cd83f98eeb247095ad465866f418f7a412617d0916e23a913.exe"
    1⤵
      PID:3280
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:4416
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3584
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3584 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3344
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3584 CREDAT:82950 /prefetch:2
          2⤵
            PID:5008
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
            PID:3604
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3604 CREDAT:17410 /prefetch:2
              2⤵
                PID:4852
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
              1⤵
                PID:972
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:17410 /prefetch:2
                  2⤵
                    PID:952
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                  1⤵
                    PID:4436
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4436 CREDAT:17410 /prefetch:2
                      2⤵
                        PID:3124
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                      1⤵
                        PID:4056
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4056 CREDAT:17410 /prefetch:2
                          2⤵
                            PID:1944

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/3280-130-0x0000000000640000-0x000000000064C000-memory.dmp

                          Filesize

                          48KB

                        • memory/3280-131-0x0000000000400000-0x00000000004E5000-memory.dmp

                          Filesize

                          916KB

                        • memory/3280-132-0x0000000000660000-0x0000000000671000-memory.dmp

                          Filesize

                          68KB