Analysis

  • max time kernel
    146s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    14/06/2022, 23:45

General

  • Target

    2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe

  • Size

    752KB

  • MD5

    8bc39d61f41a5c6dfac7ad4dc9e158c6

  • SHA1

    1192620ceb20e80fcfdf93ef2b81e5e142d0a4cc

  • SHA256

    2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31

  • SHA512

    3b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1000

C2

vachiderk.com

siberponis.com

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is a generic heuristic: the behaviour is common in ransomware, but on its own it does not establish ransomware activity, and the configuration extracted above identifies this sample as Gozi ISFB.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1364
    • C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe
      "C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\70C0\3860.bat" "C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C ""C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE""
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1108
          • C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe
            "C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE"
            5⤵
            • Executes dropped EXE
            • Deletes itself
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:608
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:752
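The process tree above gives the whole chain a detection engineer needs: the sample (PID 1000) sets a Run key, launches a batch file from %TEMP% that starts a copy of itself from %APPDATA%\bitsmuid\ACCTient.exe (PID 608), and that copy opens svchost.exe (PID 752) for injection before the C2 domains are contacted. The script below turns those observations into hunt rules and runs them over constructed Sysmon-style events. It is an added example, not part of the sandbox report: the event dictionary layout, the Run value name "ACCTient", the SID, and the benign noise events are assumptions; the hashes, paths, command line and domains are taken from the report.

```python
"""Hunt rules for the Gozi ISFB chain in the report above, run over constructed
Sysmon-style events. Added example, not part of the sandbox report; the event
dict layout, the Run value name and the benign events are assumptions."""
import re

# Indicators taken from the report above.
SAMPLE_SHA256 = "2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31"
C2_DOMAINS = {"vachiderk.com", "siberponis.com"}
DROP_PATH_RE = re.compile(r"\\AppData\\Roaming\\bitsmuid\\ACCTient\.exe$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# cmd /c "<%TEMP%\...\x.bat>" "<AppData\Roaming\...\x.exe>" ... : the 3860.bat relaunch above
BAT_RELAUNCH_RE = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"+[^"]*\\Temp\\[^"]*\.bat"\s+"[^"]*\\AppData\\Roaming\\[^"]*\.exe"',
    re.IGNORECASE)
PROCESS_VM_WRITE = 0x0020  # Win32 process access right required for WriteProcessMemory

DROP_PATH = r"C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe"
ORIG_PATH = r"C:\Users\Admin\AppData\Local\Temp\2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31.exe"

# Constructed events modelled on the process tree above (Sysmon event IDs:
# 1 process create, 10 process access, 13 registry value set, 22 DNS query).
EVENTS = [
    {"id": 1, "pid": 1000, "image": ORIG_PATH, "cmdline": f'"{ORIG_PATH}"',
     "hashes": "SHA256=" + SAMPLE_SHA256.upper()},
    {"id": 13, "pid": 1000,  # value name "ACCTient" and the SID are assumptions
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ACCTient",
     "details": DROP_PATH},
    {"id": 1, "pid": 1760, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\70C0\3860.bat" "C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe" "C:\Users\Admin\AppData\Local\Temp\2C21E7~1.EXE""'},
    {"id": 1, "pid": 608, "image": DROP_PATH,
     "cmdline": f'"{DROP_PATH}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\2C21E7~1.EXE"',
     "hashes": "SHA256=" + SAMPLE_SHA256.upper()},
    {"id": 10, "pid": 608, "source_image": DROP_PATH,
     "target_image": r"C:\Windows\system32\svchost.exe", "granted_access": "0x1FFFFF"},
    {"id": 22, "pid": 752, "query": "vachiderk.com"},
    # constructed benign noise that must not fire
    {"id": 1, "pid": 2000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "hashes": "SHA256=" + "00" * 32},
    {"id": 10, "pid": 2000, "source_image": r"C:\Windows\System32\taskmgr.exe",
     "target_image": r"C:\Windows\system32\svchost.exe", "granted_access": "0x1000"},
    {"id": 22, "pid": 2000, "query": "www.microsoft.com"},
]


def hunt(events):
    """Return (rule, pid) pairs for every event that matches one of the rules."""
    hits = []
    for e in events:
        kind, pid = e["id"], e["pid"]
        if kind == 1:  # process creation
            if SAMPLE_SHA256 in e.get("hashes", "").lower():
                hits.append(("known_sample_hash", pid))
            if DROP_PATH_RE.search(e.get("image", "")):
                hits.append(("dropped_copy_executed", pid))
            if BAT_RELAUNCH_RE.search(e.get("cmdline", "")):
                hits.append(("bat_relaunch_from_temp", pid))
        elif kind == 13:  # registry value set: Run key pointing at the AppData copy
            if RUN_KEY_RE.search(e["target"]) and DROP_PATH_RE.search(e["details"]):
                hits.append(("run_key_to_appdata_copy", pid))
        elif kind == 10:  # handle opened to another process with write access
            access = int(e["granted_access"], 16)
            # crude allowlist: sources under C:\Windows\ are ignored to cut noise
            if (e["target_image"].lower().endswith(r"\svchost.exe")
                    and access & PROCESS_VM_WRITE
                    and not e["source_image"].lower().startswith(r"c:\windows\\".rstrip("\\") + "\\")):
                hits.append(("vm_write_handle_to_svchost", pid))
        elif kind == 22:  # DNS query for a configured C2 domain
            if e["query"].lower().rstrip(".") in C2_DOMAINS:
                hits.append(("c2_domain_lookup", pid))
    return hits


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

Each rule is independent, so a single hit (for instance only the Run key) is a lead, while the full set across PIDs 1000, 1760, 608 and 752 reproduces the chain in the tree above. The svchost rule keys on the write access right rather than on a specific API because the report shows several injection primitives (WriteProcessMemory, MapViewOfSection, SetThreadContext) behind one handle.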

Network

        MITRE ATT&CK Enterprise v6


        Downloads

        • C:\Users\Admin\AppData\Local\Temp\70C0\3860.bat

          Filesize

          108B

          MD5

          9e2c93ce408a9a6956568f14a3d14a83

          SHA1

          daed9ba9422340fc4cc61b4af1f2985f9c80fc0e

          SHA256

          0e5cf374f9ec707505d2bf95e6319a4d774fa8dd016c1431243e482ce722217b

          SHA512

          e3e5ff77897017c2b1376030d5eaf2da0f7ac9e20ba8e7f0f8588cd805ea1039182302b5fbc62326f81ef5d35105e866dd56b8bf045f629431a71bf4571a4cce

        • C:\Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe

          Same size and hashes as the submitted sample: the sample copies itself unmodified into %APPDATA%\bitsmuid\ and 3860.bat relaunches that copy (see the process tree above), so one hash set covers both the original and the persisted file.

          Filesize

          752KB

          MD5

          8bc39d61f41a5c6dfac7ad4dc9e158c6

          SHA1

          1192620ceb20e80fcfdf93ef2b81e5e142d0a4cc

          SHA256

          2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31

          SHA512

          3b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464

        • \Users\Admin\AppData\Roaming\bitsmuid\ACCTient.exe

          Filesize

          752KB

          MD5

          8bc39d61f41a5c6dfac7ad4dc9e158c6

          SHA1

          1192620ceb20e80fcfdf93ef2b81e5e142d0a4cc

          SHA256

          2c21e78c2ae52a2aedc97822579343b2f8e63455de97645d6dc52a50d3a2fe31

          SHA512

          3b4e3bad2c14be164abf0b0b9e263bda2c349bafce2d19c93156d226f43df384882285b7cb5162f19c5645da9a242ea99108110135ff7fc362c9d3c943d92464

        • memory/752-69-0x0000000000480000-0x00000000005B1000-memory.dmp

          Filesize

          1.2MB

        • memory/752-70-0x0000000000480000-0x00000000005B1000-memory.dmp

          Filesize

          1.2MB

        • memory/1000-57-0x00000000003E0000-0x0000000000400000-memory.dmp

          Filesize

          128KB

        • memory/1000-55-0x0000000000400000-0x00000000004BE000-memory.dmp

          Filesize

          760KB

        • memory/1000-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

          Filesize

          8KB

        • memory/1364-71-0x0000000004CA0000-0x0000000004DD1000-memory.dmp

          Filesize

          1.2MB
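The memory dump names above encode PID, dump index and the region's start and end address, and two of them stand out: the 1.2MB region in svchost.exe (PID 752) at 0x480000 and the 1.2MB region in Explorer.EXE (PID 1364) at 0x4CA0000 are both exactly 0x131000 bytes long, which is what an injected image of the same module looks like from two host processes. The helper below parses the dump names as listed in this report and reports region sizes shared by more than one process. It is an added example, not output of the sandbox; the dump-name format is inferred from the entries above.

```python
"""Correlate sandbox memory-dump names across processes by region size.
Added example, not part of the sandbox report; the name format
memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp is inferred from the list above."""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Dump names copied from the Downloads list above.
DUMPS = [
    "memory/752-69-0x0000000000480000-0x00000000005B1000-memory.dmp",
    "memory/752-70-0x0000000000480000-0x00000000005B1000-memory.dmp",
    "memory/1000-57-0x00000000003E0000-0x0000000000400000-memory.dmp",
    "memory/1000-55-0x0000000000400000-0x00000000004BE000-memory.dmp",
    "memory/1000-54-0x0000000075F21000-0x0000000075F23000-memory.dmp",
    "memory/1364-71-0x0000000004CA0000-0x0000000004DD1000-memory.dmp",
]


def parse_dump(name):
    """Split one dump name into pid, index, start, end and size (bytes)."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "idx": int(idx), "start": start, "end": end, "size": end - start}


def shared_regions(names):
    """Map region size -> sorted PIDs, keeping only sizes seen in more than one process.
    Identical sizes in different processes are the first hint of one injected image."""
    by_size = defaultdict(set)
    for d in map(parse_dump, names):
        by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for d in map(parse_dump, DUMPS):
        print(f"pid {d['pid']:5d}  0x{d['start']:08X}-0x{d['end']:08X}  {d['size']:#x} bytes")
    for size, pids in shared_regions(DUMPS).items():
        print(f"region size {size:#x} appears in PIDs {pids}")
```

For this report the only shared size is 0x131000, in PIDs 752 and 1364; the three regions in PID 1000 (0x20000, 0xBE000 and 0x2000 bytes) are unique, and the 0xBE000-byte one at 0x400000 is consistent with the 752KB sample mapped at its own image base rather than with injected code.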