Analysis

  • max time kernel
    165s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    30-05-2022 23:38

General

  • Target

    0809a74e769d69d7c061cdaf71013b335a0220bec1f135a02927e0e7af32df9d.exe

  • Size

    391KB

  • MD5

    423b32ae38b2580f4538057260c6ea97

  • SHA1

    257d25308e21fc3049a231680b988554628a82a8

  • SHA256

    0809a74e769d69d7c061cdaf71013b335a0220bec1f135a02927e0e7af32df9d

  • SHA512

    2a1509fd1457863cfa68a19509ea6ee7fcda6ff0b3bd7155c24a67c99ab76cc66627f1451485e19b2c8a5c2c9624d0f9af3102bb522cef8a8bcaa0226527cf33

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0809a74e769d69d7c061cdaf71013b335a0220bec1f135a02927e0e7af32df9d.exe
    "C:\Users\Admin\AppData\Local\Temp\0809a74e769d69d7c061cdaf71013b335a0220bec1f135a02927e0e7af32df9d.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2B94\10.bat" "C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe" "C:\Users\Admin\AppData\Local\Temp\0809A7~1.EXE""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C ""C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe" "C:\Users\Admin\AppData\Local\Temp\0809A7~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe
          "C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe" "C:\Users\Admin\AppData\Local\Temp\0809A7~1.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4104
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4528
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 568
              5⤵
              • Program crash
              PID:4836
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4104 -ip 4104
      1⤵
        PID:2096

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2B94\10.bat
        Filesize

        112B

        MD5

        5cff5899d878d3627f8755a5ab0d3f7c

        SHA1

        d4596bd3671c7e098fae22a9ffbf0e8d36f39429

        SHA256

        913a18b3b3ab6d8d38087c514051d71b205ce7f3d62a1225be80b911626b922f

        SHA512

        9b002584171d2c9a401716975a34986a317ef025b1e3eb1773b04e2ded6a869b206a9b4f2bf1620a9f950601c20a4fc0703853caa621055707cb7ebdb58e2498

      • C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe
        Filesize

        391KB

        MD5

        423b32ae38b2580f4538057260c6ea97

        SHA1

        257d25308e21fc3049a231680b988554628a82a8

        SHA256

        0809a74e769d69d7c061cdaf71013b335a0220bec1f135a02927e0e7af32df9d

        SHA512

        2a1509fd1457863cfa68a19509ea6ee7fcda6ff0b3bd7155c24a67c99ab76cc66627f1451485e19b2c8a5c2c9624d0f9af3102bb522cef8a8bcaa0226527cf33

      • C:\Users\Admin\AppData\Roaming\Azurives\apprispl.exe
        Filesize

        391KB

        MD5

        423b32ae38b2580f4538057260c6ea97

        SHA1

        257d25308e21fc3049a231680b988554628a82a8

        SHA256

        0809a74e769d69d7c061cdaf71013b335a0220bec1f135a02927e0e7af32df9d

        SHA512

        2a1509fd1457863cfa68a19509ea6ee7fcda6ff0b3bd7155c24a67c99ab76cc66627f1451485e19b2c8a5c2c9624d0f9af3102bb522cef8a8bcaa0226527cf33

      • memory/664-130-0x0000000000400000-0x0000000000465000-memory.dmp
        Filesize

        404KB

      • memory/664-132-0x0000000002080000-0x00000000020B0000-memory.dmp
        Filesize

        192KB

      • memory/4104-136-0x0000000000000000-mapping.dmp
      • memory/4104-139-0x0000000000400000-0x0000000000465000-memory.dmp
        Filesize

        404KB

      • memory/4104-141-0x0000000000470000-0x00000000004A0000-memory.dmp
        Filesize

        192KB

      • memory/4592-135-0x0000000000000000-mapping.dmp
      • memory/4620-133-0x0000000000000000-mapping.dmp