Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2022 20:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529.exe

  • Size

    494KB

  • MD5

    0f2be4fe0362766dcf339d4c03326bc4

  • SHA1

    69e26e9e75e8a8359d232d8e14318b9235e1a828

  • SHA256

    2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529

  • SHA512

    8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150

Score
10/10
gozi_ifsb11111bankerdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

11111

C2

trackingg-protectioon.cdn1.mozilla.net

194.76.225.168

194.76.224.242
Attributes
  • base_path

    /fonts/

  • build

    250240

  • exe_type

    loader

  • extension

    .bak

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529.exe
    "C:\Users\Admin\AppData\Local\Temp\2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C start C:\Users\%UserName%\Downloads\WinZip.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Users\Admin\Downloads\WinZip.exe
        C:\Users\Admin\Downloads\WinZip.exe
        3⤵
        • Executes dropped EXE
        PID:4416
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 7 & Del "2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 7
        3⤵
          PID:1172

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Downloads\WinZip.exe
      Filesize

      339KB

      MD5

      4ee88393891abb32b1b56b5bc890d234

      SHA1

      20f1a0cbbb74fe3e9b3161e7a006528ecef9b6f5

      SHA256

      0bd3e6ebfe1c54467789ec4d574d994e8b5bd54b4bcfa5531a9bd1072b7824a9

      SHA512

      1c63299f1f89c529cca86070a0dd36b8a4b2ee3697bfb338758f8e61051ede0e4f993f6008a4a4c97278087992f78d4ec3aeca914a193932031e238750c622e9

      Download Submit
    • C:\Users\Admin\Downloads\WinZip.exe
      Filesize

      339KB

      MD5

      4ee88393891abb32b1b56b5bc890d234

      SHA1

      20f1a0cbbb74fe3e9b3161e7a006528ecef9b6f5

      SHA256

      0bd3e6ebfe1c54467789ec4d574d994e8b5bd54b4bcfa5531a9bd1072b7824a9

      SHA512

      1c63299f1f89c529cca86070a0dd36b8a4b2ee3697bfb338758f8e61051ede0e4f993f6008a4a4c97278087992f78d4ec3aeca914a193932031e238750c622e9

      Download Submit
    • memory/1172-155-0x0000000000000000-mapping.dmp
      Download
    • memory/1436-154-0x0000000000000000-mapping.dmp
      Download
    • memory/2824-150-0x000000000D450000-0x000000000D9F4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2824-149-0x000000000CE00000-0x000000000CE92000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2824-153-0x000000000E100000-0x000000000E62C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/2824-152-0x000000000DA00000-0x000000000DBC2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/2824-151-0x000000000CEE0000-0x000000000CEFE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2824-130-0x0000000000F40000-0x0000000000FC2000-memory.dmp
      Filesize

      520KB

      Download
    • memory/2824-148-0x000000000CCE0000-0x000000000CD56000-memory.dmp
      Filesize

      472KB

      Download
    • memory/2824-143-0x000000000C5C0000-0x000000000CBD8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/2824-144-0x000000000C040000-0x000000000C052000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2824-145-0x000000000C170000-0x000000000C27A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2824-146-0x000000000C0A0000-0x000000000C0DC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2824-147-0x000000000C4D0000-0x000000000C536000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4416-142-0x0000000000400000-0x0000000000463000-memory.dmp
      Filesize

      396KB

      Download
    • memory/4416-135-0x00000000005F8000-0x0000000000609000-memory.dmp
      Filesize

      68KB

      Download
    • memory/4416-141-0x00000000005F8000-0x0000000000609000-memory.dmp
      Filesize

      68KB

      Download
    • memory/4416-138-0x0000000000500000-0x000000000050D000-memory.dmp
      Filesize

      52KB

      Download
    • memory/4416-137-0x0000000000400000-0x0000000000463000-memory.dmp
      Filesize

      396KB

      Download
    • memory/4416-136-0x00000000004E0000-0x00000000004EB000-memory.dmp
      Filesize

      44KB

      Download
    • memory/4416-132-0x0000000000000000-mapping.dmp
      Download
    • memory/4728-131-0x0000000000000000-mapping.dmp
      Download