Analysis

  • max time kernel
    126s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 00:32

General

  • Target

    2be8ea9bd232beaacec8ada47ef8a03adabffe69fead73517debc93a072f3b85.exe

  • Size

    388KB

  • MD5

    26cd3a038676f8e9cebf84a85dbe3668

  • SHA1

    feda5aa1052e306db3a6a73904ea6046b228abe8

  • SHA256

    2be8ea9bd232beaacec8ada47ef8a03adabffe69fead73517debc93a072f3b85

  • SHA512

    26b9b4e8f16e82aaea428d77afe92c0ab75cff6fb0bd848433b95e04b51f0da0799c0f48d1a4234ce15ccfa23b229860dda84f5155012bcf3955d0794cfb90ff

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2be8ea9bd232beaacec8ada47ef8a03adabffe69fead73517debc93a072f3b85.exe
    "C:\Users\Admin\AppData\Local\Temp\2be8ea9bd232beaacec8ada47ef8a03adabffe69fead73517debc93a072f3b85.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C9DC\10.bat" "C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\2BE8EA~1.EXE""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C ""C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\2BE8EA~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
          "C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe" "C:\Users\Admin\AppData\Local\Temp\2BE8EA~1.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4456
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3508
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 568
              5⤵
              • Program crash
              PID:4880
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4456 -ip 4456
      1⤵
        PID:2608

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\C9DC\10.bat
        Filesize

        112B

        MD5

        c8f86dcea7e1390889ce38d2b5abfc0f

        SHA1

        8771efd57cbf820ee2c8763bab31c868bed32142

        SHA256

        5b185c091e3690815b579a67682c08342eeaad3b8e29daa9b3ee91bff44a7f22

        SHA512

        22f4229f6d4d3721be9f3f085817a565c66ef59b231ab495cb73d6b63d511a0f8e34dac0002d1d60b6ae3c0e7c4098e1feb5c0d89560e91cf28a933ac7d73093

      • C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
        Filesize

        388KB

        MD5

        26cd3a038676f8e9cebf84a85dbe3668

        SHA1

        feda5aa1052e306db3a6a73904ea6046b228abe8

        SHA256

        2be8ea9bd232beaacec8ada47ef8a03adabffe69fead73517debc93a072f3b85

        SHA512

        26b9b4e8f16e82aaea428d77afe92c0ab75cff6fb0bd848433b95e04b51f0da0799c0f48d1a4234ce15ccfa23b229860dda84f5155012bcf3955d0794cfb90ff

      • C:\Users\Admin\AppData\Roaming\Bingutil\AcGeecfc.exe
        Filesize

        388KB

        MD5

        26cd3a038676f8e9cebf84a85dbe3668

        SHA1

        feda5aa1052e306db3a6a73904ea6046b228abe8

        SHA256

        2be8ea9bd232beaacec8ada47ef8a03adabffe69fead73517debc93a072f3b85

        SHA512

        26b9b4e8f16e82aaea428d77afe92c0ab75cff6fb0bd848433b95e04b51f0da0799c0f48d1a4234ce15ccfa23b229860dda84f5155012bcf3955d0794cfb90ff

      • memory/1508-133-0x0000000000000000-mapping.dmp
      • memory/2760-135-0x0000000000000000-mapping.dmp
      • memory/4456-136-0x0000000000000000-mapping.dmp
      • memory/4456-139-0x0000000000400000-0x0000000000463000-memory.dmp
        Filesize

        396KB

      • memory/4456-141-0x0000000002070000-0x00000000020A0000-memory.dmp
        Filesize

        192KB

      • memory/4692-130-0x0000000000400000-0x0000000000463000-memory.dmp
        Filesize

        396KB

      • memory/4692-132-0x0000000000610000-0x0000000000640000-memory.dmp
        Filesize

        192KB