Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-06-2022 03:46

General

  • Target

    1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe

  • Size

    388KB

  • MD5

    0bb4c690fe90c499275a1b268b5ff0eb

  • SHA1

    4308d202a1f308db17e6a5b1eda83aa18aa45ece

  • SHA256

    1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a

  • SHA512

    9b01f020cc2899eb10353072359d343e6b81df1fbea6f6f2d5b138c039a1d9b160da814aaf194fae9561c35550724b1623b086282846d31da9b8dfb89fe83074

Malware Config

Extracted

  • Family
    gozi_ifsb
  • Botnet
    1010
  • C2
    diuolirt.at
    deopliazae.at
    nifredao.com
    filokiyurt.at
  • Attributes
    • exe_type
      worker
    • server_id
      12
  • rsa_pubkey.plain
  • serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe
    "C:\Users\Admin\AppData\Local\Temp\1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E018\10.bat" "C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1D63B5~1.EXE""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C ""C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1D63B5~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
          "C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1D63B5~1.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4224
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            PID:4220
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 572
            5⤵
            • Program crash
            PID:4168
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4224 -ip 4224
      1⤵
      PID:2124

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\E018\10.bat
    Filesize
    112B
    MD5
    2e10604859d57e00c294694ab833784e
    SHA1
    2c32e6b046d2ca8a7831f46fa3711b87dff6aa3d
    SHA256
    cf6049aa850101e6f006a26f381a725172c4968ca2748acfd68636fe5847c634
    SHA512
    adfbd0df917d89b5e58e01e1434e63e9ab4b1a67454cad0bad7ea5e1154d30fd235af91bc3ccce3ef5df37714391cb9c041f7d4f524ab47d0b773e7d09d73703

  • C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
    Filesize
    388KB
    MD5
    0bb4c690fe90c499275a1b268b5ff0eb
    SHA1
    4308d202a1f308db17e6a5b1eda83aa18aa45ece
    SHA256
    1d63b5ce77d19d8522c2fec8776170851701ac3e983687dc61f94324307fa67a
    SHA512
    9b01f020cc2899eb10353072359d343e6b81df1fbea6f6f2d5b138c039a1d9b160da814aaf194fae9561c35550724b1623b086282846d31da9b8dfb89fe83074

  • memory/3744-133-0x0000000000000000-mapping.dmp
  • memory/4116-130-0x0000000000400000-0x0000000000463000-memory.dmp
    Filesize
    396KB
  • memory/4116-132-0x00000000021B0000-0x00000000021E0000-memory.dmp
    Filesize
    192KB
  • memory/4224-136-0x0000000000000000-mapping.dmp
  • memory/4224-139-0x0000000000400000-0x0000000000463000-memory.dmp
    Filesize
    396KB
  • memory/4224-141-0x00000000004F0000-0x0000000000520000-memory.dmp
    Filesize
    192KB
  • memory/4632-135-0x0000000000000000-mapping.dmp