Analysis

  • max time kernel
    57s
  • max time network
    55s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-06-2022 13:59

General

  • Target

    1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe

  • Size

    388KB

  • MD5

    3bfea3a7fa0dd19639673f4c32110fa8

  • SHA1

    2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b

  • SHA256

    1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402

  • SHA512

    05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe
      "C:\Users\Admin\AppData\Local\Temp\1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FA58\7D2C.bat" "C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\1FFF95~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C ""C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\1FFF95~1.EXE""
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1408
          • C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
            "C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe" "C:\Users\Admin\AppData\Local\Temp\1FFF95~1.EXE"
            5⤵
            • Executes dropped EXE
            • Deletes itself
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1780
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1076

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FA58\7D2C.bat
    Filesize

    108B

    MD5

    75cb48560dca4c634fc389c44ca7de5b

    SHA1

    d5c51957004c0d408fcb2c5b9f0b3f6918961add

    SHA256

    674e608ea504991a169544487e32e7e60237f758a4869c2442185a0ad7dea3ef

    SHA512

    61ec995e298dae3061e08ac1fc4fe6f2e52c70435959d02133c379b7ae5d8a91b0c3a33c8ebb4971f9eeee34a9a6a1286c1aadfd5841b2fafd84c5168fa8c6fd

  • C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
    Filesize

    388KB

    MD5

    3bfea3a7fa0dd19639673f4c32110fa8

    SHA1

    2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b

    SHA256

    1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402

    SHA512

    05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81

  • C:\Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
    Filesize

    388KB

    MD5

    3bfea3a7fa0dd19639673f4c32110fa8

    SHA1

    2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b

    SHA256

    1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402

    SHA512

    05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81

  • \Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
    Filesize

    388KB

    MD5

    3bfea3a7fa0dd19639673f4c32110fa8

    SHA1

    2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b

    SHA256

    1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402

    SHA512

    05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81

  • \Users\Admin\AppData\Roaming\cfgbmime\Authsvcs.exe
    Filesize

    388KB

    MD5

    3bfea3a7fa0dd19639673f4c32110fa8

    SHA1

    2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b

    SHA256

    1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402

    SHA512

    05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81

  • memory/336-57-0x0000000000220000-0x0000000000250000-memory.dmp
    Filesize

    192KB

  • memory/336-54-0x0000000075711000-0x0000000075713000-memory.dmp
    Filesize

    8KB

  • memory/336-55-0x0000000000400000-0x0000000000463000-memory.dmp
    Filesize

    396KB

  • memory/1076-69-0x0000000000000000-mapping.dmp
  • memory/1076-70-0x0000000000150000-0x00000000001C5000-memory.dmp
    Filesize

    468KB

  • memory/1076-71-0x0000000000150000-0x00000000001C5000-memory.dmp
    Filesize

    468KB

  • memory/1304-58-0x0000000000000000-mapping.dmp
  • memory/1312-72-0x0000000002B00000-0x0000000002B75000-memory.dmp
    Filesize

    468KB

  • memory/1312-73-0x0000000002B00000-0x0000000002B75000-memory.dmp
    Filesize

    468KB

  • memory/1408-60-0x0000000000000000-mapping.dmp
  • memory/1780-64-0x0000000000000000-mapping.dmp
  • memory/1780-67-0x0000000000400000-0x0000000000463000-memory.dmp
    Filesize

    396KB