Analysis

  • max time kernel
    112s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2022 18:05

General

  • Target

    4e4b34bdcbdb30a84551eab03fcf1233a592d4c7090b32fb4a9199b02dd72406.exe

  • Size

    351KB

  • MD5

    640a6ec2eb0dd677c61aa38cd2b447e8

  • SHA1

    cad702cddcf7a4b88b53708a97c12b6a5f13ac72

  • SHA256

    4e4b34bdcbdb30a84551eab03fcf1233a592d4c7090b32fb4a9199b02dd72406

  • SHA512

    4e73a875877def4b1feadcbdef622b1a6cc214bdfa608edc6c354bdf038a8e85ffe5eb9c2d5d2d900acd33d6c31fe1d27b6d1846287c2829500ee93c51cbab36

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e4b34bdcbdb30a84551eab03fcf1233a592d4c7090b32fb4a9199b02dd72406.exe
    "C:\Users\Admin\AppData\Local\Temp\4e4b34bdcbdb30a84551eab03fcf1233a592d4c7090b32fb4a9199b02dd72406.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9494\13.bat" "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\4E4B34~1.EXE""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C ""C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\4E4B34~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4580
        • C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
          "C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe" "C:\Users\Admin\AppData\Local\Temp\4E4B34~1.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4092
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:872
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 584
              5⤵
              • Program crash
              PID:4424
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4092 -ip 4092
      1⤵
        PID:2500

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\9494\13.bat
        Filesize

        112B

        MD5

        9a2ecba54459944255c9f43a33f71a84

        SHA1

        75ac1b1ca756cb9691b3725a789dc73910b5094a

        SHA256

        1cd3ccd4da831c384096a047eb7e282228aa1e428d7000605ca26ff012f3eab8

        SHA512

        3de91a3578549a03c16c69e11965031960d37280d7e7586324fb15dcfec499c9efc7e8a423931145c1776904aa9e0ab0a0b89508add685b889842685b96d94ee

      • C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
        Filesize

        351KB

        MD5

        640a6ec2eb0dd677c61aa38cd2b447e8

        SHA1

        cad702cddcf7a4b88b53708a97c12b6a5f13ac72

        SHA256

        4e4b34bdcbdb30a84551eab03fcf1233a592d4c7090b32fb4a9199b02dd72406

        SHA512

        4e73a875877def4b1feadcbdef622b1a6cc214bdfa608edc6c354bdf038a8e85ffe5eb9c2d5d2d900acd33d6c31fe1d27b6d1846287c2829500ee93c51cbab36

      • C:\Users\Admin\AppData\Roaming\Addrdlet\Actipi32.exe
        Filesize

        351KB

        MD5

        640a6ec2eb0dd677c61aa38cd2b447e8

        SHA1

        cad702cddcf7a4b88b53708a97c12b6a5f13ac72

        SHA256

        4e4b34bdcbdb30a84551eab03fcf1233a592d4c7090b32fb4a9199b02dd72406

        SHA512

        4e73a875877def4b1feadcbdef622b1a6cc214bdfa608edc6c354bdf038a8e85ffe5eb9c2d5d2d900acd33d6c31fe1d27b6d1846287c2829500ee93c51cbab36

      • memory/4092-136-0x0000000000000000-mapping.dmp
      • memory/4092-139-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/4092-141-0x0000000000570000-0x00000000005A0000-memory.dmp
        Filesize

        192KB

      • memory/4284-130-0x0000000000400000-0x000000000045A000-memory.dmp
        Filesize

        360KB

      • memory/4284-132-0x00000000006E0000-0x0000000000710000-memory.dmp
        Filesize

        192KB

      • memory/4580-135-0x0000000000000000-mapping.dmp
      • memory/4584-133-0x0000000000000000-mapping.dmp