Analysis

  • max time kernel
    133s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-06-2022 13:59

General

  • Target

    1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe

  • Size

    388KB

  • MD5

    3bfea3a7fa0dd19639673f4c32110fa8

  • SHA1

    2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b

  • SHA256

    1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402

  • SHA512

    05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe
    "C:\Users\Admin\AppData\Local\Temp\1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4752
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2484\9242.bat" "C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1FFF95~1.EXE""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C ""C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1FFF95~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4308
        • C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
          "C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe" "C:\Users\Admin\AppData\Local\Temp\1FFF95~1.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1892
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4172
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 560
              5⤵
              • Program crash
              PID:3204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1892 -ip 1892
      1⤵
        PID:1968

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2484\9242.bat
        Filesize

        112B

        MD5

        88fcbb4d534966f8ae75e42f6c1085de

        SHA1

        e30f1aa697980b316a3b745d89b1700e258b2a54

        SHA256

        21eaa62731b78f6b196b48fe1b67e723ac8581468cb7f0e3db8fac79aaf4bd48

        SHA512

        df15ec9621b2563828e685915a2601c960a25373c1cd8e3e175f8e2f9f66acaa33b0802de22f387f5cfac6d9ed2448b3883d03e6cc5a83e65ade6600a279c7f0

      • C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
        Filesize

        388KB

        MD5

        3bfea3a7fa0dd19639673f4c32110fa8

        SHA1

        2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b

        SHA256

        1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402

        SHA512

        05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81

      • C:\Users\Admin\AppData\Roaming\AppMtngc\Audirvps.exe
        Filesize

        388KB

        MD5

        3bfea3a7fa0dd19639673f4c32110fa8

        SHA1

        2a4ec7c4dac2618059c30071ac6b07d41a3bbc2b

        SHA256

        1fff952471f5670932a1445340514a6e07869b5320fd17b3c635c00fabe1e402

        SHA512

        05c991717a320dbdb8268957111748599a848ee6d3ce3d2b02a99dd361d1d891c26cf1f881b0aa781b6ea3167ebe06e7fc1e3bc471be960ff6a13b15ecb74d81

      • memory/1892-137-0x0000000000000000-mapping.dmp
      • memory/1892-140-0x0000000000400000-0x0000000000463000-memory.dmp
        Filesize

        396KB

      • memory/1892-142-0x0000000000580000-0x00000000005B0000-memory.dmp
        Filesize

        192KB

      • memory/4224-133-0x0000000000000000-mapping.dmp
      • memory/4308-136-0x0000000000000000-mapping.dmp
      • memory/4752-131-0x00000000021C0000-0x00000000021F0000-memory.dmp
        Filesize

        192KB

      • memory/4752-130-0x0000000000400000-0x0000000000463000-memory.dmp
        Filesize

        396KB

      • memory/4752-134-0x00000000021C0000-0x00000000021F0000-memory.dmp
        Filesize

        192KB