Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2022 00:29

General

  • Target

    5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe

  • Size

    361KB

  • MD5

    64139ece03d78520b9dae8d1313da69e

  • SHA1

    45e19e267688c8472ce882afe93becb043b718d1

  • SHA256

    5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80

  • SHA512

    2daa3467bb5bb3af17f94503946eab4f07e8a7e09906ed54d843aa80ae90ced32d574b08b7c1ee78c56d3a7a950799cafa9705d1c39df3e9888865a004db7b84

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe
    "C:\Users\Admin\AppData\Local\Temp\5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\22E\8117.bat" "C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\5B3F58~1.EXE""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C ""C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\5B3F58~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe
          "C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe" "C:\Users\Admin\AppData\Local\Temp\5B3F58~1.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4896
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1800
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 560
              5⤵
              • Program crash
              PID:2064
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4896 -ip 4896
      1⤵
        PID:4756

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\22E\8117.bat
        Filesize

        112B

        MD5

        ab67e168c79bbe6272bfa20c8b07718c

        SHA1

        29f2373db9c15ea2755bd387a900679447449ea2

        SHA256

        f385d773062f6036a0d3693b3054f33031f69390b58a51124369ba4a5fd4453c

        SHA512

        116a6c62e5d5acda63b9cacd0e10201e598b75130a587019137899f5b58907705252f19565e2f2ebe49f1e3a2232564b121e0d076a4a927850830c103182343b

      • C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe
        Filesize

        361KB

        MD5

        64139ece03d78520b9dae8d1313da69e

        SHA1

        45e19e267688c8472ce882afe93becb043b718d1

        SHA256

        5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80

        SHA512

        2daa3467bb5bb3af17f94503946eab4f07e8a7e09906ed54d843aa80ae90ced32d574b08b7c1ee78c56d3a7a950799cafa9705d1c39df3e9888865a004db7b84

      • C:\Users\Admin\AppData\Roaming\capahost\Bingutil.exe
        Filesize

        361KB

        MD5

        64139ece03d78520b9dae8d1313da69e

        SHA1

        45e19e267688c8472ce882afe93becb043b718d1

        SHA256

        5b3f58a5ad9ff0c0a11055d34a08ec2a046144c82f88f1e2735f794402705c80

        SHA512

        2daa3467bb5bb3af17f94503946eab4f07e8a7e09906ed54d843aa80ae90ced32d574b08b7c1ee78c56d3a7a950799cafa9705d1c39df3e9888865a004db7b84

      • memory/2412-137-0x0000000000000000-mapping.dmp
      • memory/4444-135-0x0000000000000000-mapping.dmp
      • memory/4896-138-0x0000000000000000-mapping.dmp
      • memory/4896-141-0x0000000000400000-0x000000000045D000-memory.dmp
        Filesize

        372KB

      • memory/4896-143-0x00000000005F0000-0x0000000000620000-memory.dmp
        Filesize

        192KB

      • memory/5048-132-0x0000000000400000-0x000000000045D000-memory.dmp
        Filesize

        372KB

      • memory/5048-134-0x0000000000630000-0x0000000000660000-memory.dmp
        Filesize

        192KB