Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-07-2022 02:49

General

  • Target

    59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe

  • Size

    2.9MB

  • MD5

    2686a3ff73287ad1f874a0a4c2470af5

  • SHA1

    73542f96a0cc31e4cf5c7ae94366587a572a2ac3

  • SHA256

    59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4

  • SHA512

    c69ec47c273724c78839a4ace51e1b0ab1ddfd40eefece23a684328cecc3b9467c6f84b1aee864c326622f8937c81f87e05aed3df113eb070b77e201d3ef93f3

Score
10/10

Malware Config

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
    "C:\Users\Admin\AppData\Local\Temp\59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe"
    1⤵
      PID:892
    • C:\Users\Admin\AppData\Local\Temp\59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe
      "C:\Users\Admin\AppData\Local\Temp\59cb5e6e313a1d8ed79c5cadb5c4bad5b3451178a509d2d9fc0d7f7dc6a638e4.exe" /SU
      1⤵
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" "http://go.web.de/os/win/ie_runonce"
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:612
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:612 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1936

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • Modify Registry (2) T1112
    • Install Root Certificate (1) T1130
  • Discovery
    • System Information Discovery (1) T1082


Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
      Filesize

      471B

      MD5

      3c0a2f4386177e910df9a2f5d623907f

      SHA1

      3853a6e7f1395fe0fbf07d315fe0e10aeebb50ab

      SHA256

      35d18a1c90ebc578afd6db020fecfe219ea5004252d634c7673c6d6d5776d93a

      SHA512

      be8ffa2d541afd895d1c6b72609a972adc9e8ad83f85b6f7667e9457446b98ae67d9fd2d2c37cfb92b6296edd6aa0995451d41dd90b251d7facc34a4cb871af4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      340B

      MD5

      4a3c3027aa08384062e54171a017ea2f

      SHA1

      60af63617d5859416fe0de707250fb9661a528f8

      SHA256

      09fdbc021964a094a502ef251fd47548f4282e337ef01d536790756808e47c31

      SHA512

      4cf2925c2d3344a6791b41fef7536d27fe469ccd2d2d383c767407cb3acb0b4656d6df57240e8c65e640fc3ff322f751f65f19a0d11f10dbd0db2c72a5e0beac

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      340B

      MD5

      2e83fda2ebabec3ee2c39eff0e889a64

      SHA1

      c696f6072aeeac8a6976666b219a95bdcc798b9b

      SHA256

      020d397e1d9d8652f43aadfd421c7e3a1e3c373ea80ea38bbbd939d5242b0b9b

      SHA512

      259e34e23805db34126427f837ded3d7ac593eba88ddca38a4988b9c4967b9ae3e51a07727d98f557ce983e40d58b2dd23386de320540e6dab1a8bf132d73713

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
      Filesize

      408B

      MD5

      f84f58a51fdb2e9722ae80e4dd95e213

      SHA1

      99207845bb78cef934ab9db3a0f5a0d87c268258

      SHA256

      df7caffcfd51260565b58ca2410df0c3c7d7d8fed84917a1ff1e59956ac8d6c9

      SHA512

      01dc9ff172147121a7ec783e9c0fa42b60ff698eb6cd721e9bd5ea807d7efe1245c6203476e8abad0b35f7a5c40d9b81b501acc8541ccbcb7f2279d23936bbfd

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lvx0ibj\imagestore.dat
      Filesize

      22KB

      MD5

      bccd8a16cc0fc59da41d0eeaa63f332c

      SHA1

      168055875edcf7b2a3f6e339f4feb174d9d2231d

      SHA256

      cf6f19f29ee5afc76501b2229b393abd6b884c53d0602c51521c0bcda5a3d13d

      SHA512

      351b4d96e209cb5f81669ee98718bc6f8c203d4ab7773d226f5e00084c4b0e4fc37c8934f200bc47efa0c979ec978a6f87a4e4a0a11e8588a8c01abe9ebaad92

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8IO140UC.txt
      Filesize

      601B

      MD5

      4bfb7720b82d35adc5e15770cad20286

      SHA1

      71bf62d199d4c35a7c83438011cc244c57164203

      SHA256

      db5e2cd14e206a084d34b9f6208a9012fd2678dfded4bafa8c4d3ff60c245c34

      SHA512

      2da3346375d211e2ef7b299ef3c61f21df64ee16d7780372b6c92dffa9d76884a5bda3fc9bc4c0d9117ac57bdd963d50d76c12b24c4fa0a3a9f47dfe44e0939b

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L23LKMHA.txt
      Filesize

      113B

      MD5

      20ba8ca1782495bfc7f990d421ff30e0

      SHA1

      4462c26e55a1a274af239d2282ac7f7333bea57a

      SHA256

      625080cdb21d37db4ab2480c24f7dbf221ec0ac55d8f4c0d7480aa9ef5dccb4d

      SHA512

      75ac4c8c343cf9a1015fa5ae8b487ee38e45d09223f99a0ef0ec83572e87fd1ba1d49121fc473c27441a60f5983f88e4b9284d0a251890d3756b4818060822d9

    • memory/892-54-0x00000000754C1000-0x00000000754C3000-memory.dmp
      Filesize

      8KB