gozi_ifsb | 4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34

Analysis

max time kernel
148s
max time network
102s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-07-2022 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe
Size

455KB
MD5

cac2eaa37b36f498f29843590fca272e
SHA1

8d2259cdfc35ac1fe8a0e6e723b2fdcc2dd1d805
SHA256

4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34
SHA512

7eab5424897adfd35929215baba831651c6784d8ce0ec02df38a7aeb091e354178f2d05c4586de845f486f44ee58359831cf3e94ae21a3995d8ec8e5eac71bfa

Score

10^/10

gozi_ifsb banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Attributes

build
214963

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Executes dropped EXE 1 IoCs

Processes:

bidiprov.exe

pid	Process
1144	bidiprov.exe

Deletes itself 1 IoCs

Processes:

bidiprov.exe

pid	Process
1144	bidiprov.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid	Process
2040	cmd.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\actian32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\COLOorui\\bidiprov.exe"	4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

bidiprov.exesvchost.exe

description	pid	Process	procid_target
PID 1144 set thread context of 1992	1144	bidiprov.exe	32
PID 1992 set thread context of 1232	1992	svchost.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bidiprov.exeExplorer.EXE

pid	Process
1144	bidiprov.exe
1232	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

bidiprov.exesvchost.exe

pid	Process
1144	bidiprov.exe
1992	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.execmd.execmd.exebidiprov.exesvchost.exeExplorer.EXEcmd.exe

description	pid	Process	procid_target
PID 1712 wrote to memory of 1128	1712	4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe	28
PID 1712 wrote to memory of 1128	1712	4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe	28
PID 1712 wrote to memory of 1128	1712	4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe	28
PID 1712 wrote to memory of 1128	1712	4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe	28
PID 1128 wrote to memory of 2040	1128	cmd.exe	30
PID 1128 wrote to memory of 2040	1128	cmd.exe	30
PID 1128 wrote to memory of 2040	1128	cmd.exe	30
PID 1128 wrote to memory of 2040	1128	cmd.exe	30
PID 2040 wrote to memory of 1144	2040	cmd.exe	31
PID 2040 wrote to memory of 1144	2040	cmd.exe	31
PID 2040 wrote to memory of 1144	2040	cmd.exe	31
PID 2040 wrote to memory of 1144	2040	cmd.exe	31
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	32
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	32
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	32
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	32
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	32
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	32
PID 1144 wrote to memory of 1992	1144	bidiprov.exe	32
PID 1992 wrote to memory of 1232	1992	svchost.exe	14
PID 1992 wrote to memory of 1232	1992	svchost.exe	14
PID 1992 wrote to memory of 1232	1992	svchost.exe	14
PID 1232 wrote to memory of 1492	1232	Explorer.EXE	33
PID 1232 wrote to memory of 1492	1232	Explorer.EXE	33
PID 1232 wrote to memory of 1492	1232	Explorer.EXE	33
PID 1492 wrote to memory of 1508	1492	cmd.exe	35
PID 1492 wrote to memory of 1508	1492	cmd.exe	35
PID 1492 wrote to memory of 1508	1492	cmd.exe	35
PID 1232 wrote to memory of 1612	1232	Explorer.EXE	36
PID 1232 wrote to memory of 1612	1232	Explorer.EXE	36
PID 1232 wrote to memory of 1612	1232	Explorer.EXE	36

C:\Users\Admin\AppData\Local\Temp\4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe
"C:\Users\Admin\AppData\Local\Temp\4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\367C\10.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\4CDF2E~1.EXE""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\4CDF2E~1.EXE""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe
      "C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe" "C:\Users\Admin\AppData\Local\Temp\4CDF2E~1.EXE"
      4⤵
      Executes dropped EXE
      Deletes itself
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1992

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\F254.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\F254.bi1"
  2⤵
  PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\367C\10.bat

Filesize
108B

MD5
2bdd40e06b4f3c4f8efd6e43d92ca1ac

SHA1
f19c48865f36b37f0259cb785f867353e1ced8ec

SHA256
4441394fac10909ddf844111596b5e0427e82762841e52ff353678531dbaad48

SHA512
c0e36a441ac9c6f65a74ed8ec307559c3e7c7e3d75cfe866bcd04e389c6ba5996503cb221e0530173d0b6ea9947e6b8c4ab72a83e56ad9923e8bea23a8d05618

Download Submit
C:\Users\Admin\AppData\Local\Temp\F254.bi1

Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Local\Temp\F254.bi1

Filesize
118B

MD5
ace7e9f29953c4fbd6a930b50f792079

SHA1
97511e3438221ac9c30944fca7b91e87978c1248

SHA256
58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

SHA512
5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe

Filesize
455KB

MD5
cac2eaa37b36f498f29843590fca272e

SHA1
8d2259cdfc35ac1fe8a0e6e723b2fdcc2dd1d805

SHA256
4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34

SHA512
7eab5424897adfd35929215baba831651c6784d8ce0ec02df38a7aeb091e354178f2d05c4586de845f486f44ee58359831cf3e94ae21a3995d8ec8e5eac71bfa

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe

Filesize
455KB

MD5
cac2eaa37b36f498f29843590fca272e

SHA1
8d2259cdfc35ac1fe8a0e6e723b2fdcc2dd1d805

SHA256
4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34

SHA512
7eab5424897adfd35929215baba831651c6784d8ce0ec02df38a7aeb091e354178f2d05c4586de845f486f44ee58359831cf3e94ae21a3995d8ec8e5eac71bfa

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\COLOorui\bidiprov.exe

Filesize
455KB

MD5
cac2eaa37b36f498f29843590fca272e

SHA1
8d2259cdfc35ac1fe8a0e6e723b2fdcc2dd1d805

SHA256
4cdf2ef504ef70b2e6008a86997450d643d2a42acbb90876ce28858c172c4c34

SHA512
7eab5424897adfd35929215baba831651c6784d8ce0ec02df38a7aeb091e354178f2d05c4586de845f486f44ee58359831cf3e94ae21a3995d8ec8e5eac71bfa

Download Submit
memory/1128-57-0x0000000000000000-mapping.dmp

Download
memory/1144-62-0x0000000000000000-mapping.dmp

Download
memory/1144-66-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1144-67-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1232-70-0x0000000004120000-0x00000000041B2000-memory.dmp

Filesize
584KB

Download
memory/1232-71-0x0000000004120000-0x00000000041B2000-memory.dmp

Filesize
584KB

Download
memory/1492-72-0x0000000000000000-mapping.dmp

Download
memory/1508-73-0x0000000000000000-mapping.dmp

Download
memory/1612-74-0x0000000000000000-mapping.dmp

Download
memory/1712-55-0x00000000002B0000-0x000000000030D000-memory.dmp

Filesize
372KB

Download
memory/1712-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1712-56-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/1992-65-0x0000000000000000-mapping.dmp

Download
memory/1992-69-0x0000000000460000-0x00000000004F2000-memory.dmp

Filesize
584KB

Download
memory/1992-68-0x0000000000460000-0x00000000004F2000-memory.dmp

Filesize
584KB

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download