gozi_ifsb | 03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.exe
Size

468KB
MD5

7119ac323831b4c5dbdce6633a55ffc0
SHA1

db6d0bd4a416864fc59a05bd31891e850227295a
SHA256

03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7
SHA512

69aa2d69963fc7b3fa57e1f067707280589abdf3eb778a6900288b4d56f9e517acc49bfb23e87ea43b5ca95abdfd0075ac38c046a5db82b7bc3dfecf1f9f5f87
SSDEEP

12288:HtNK/vI0S/xwaWKewTkpHWaWMUq1a1OXnZj8DKOihme:HtUvpS/xwaWrwTkpH2gEwh

Score

10^/10

gozi_ifsb banker bootkit persistence trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

112 cmd.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
112	cmd.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.execmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 112	2044	03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.exe	cmd.exe
PID 2044 wrote to memory of 112	2044	03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.exe	cmd.exe
PID 2044 wrote to memory of 112	2044	03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.exe	cmd.exe
PID 2044 wrote to memory of 112	2044	03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.exe	cmd.exe
PID 112 wrote to memory of 1596	112	cmd.exe	attrib.exe
PID 112 wrote to memory of 1596	112	cmd.exe	attrib.exe
PID 112 wrote to memory of 1596	112	cmd.exe	attrib.exe
PID 112 wrote to memory of 1596	112	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1596 attrib.exe

pid	process
1596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.exe
"C:\Users\Admin\AppData\Local\Temp\03c141047336c966a5bcdc9fbcaff9e5dcd3bdd56513e1faeae780c02dbfcba7.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\409A.bat" "C:\Users\Admin\AppData\Local\Temp\03C141~1.EXE""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\03C141~1.EXE"
    3⤵
    - Views/modifies file attributes
    PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\409A.bat

Filesize
72B

MD5
c5101cfc52f85e0e3acee536e39c8772

SHA1
cb19b5b76c828a79851bedf3fee61aece2ff4937

SHA256
0df1f5e7898352c1c9eb52255ccfe3de78ea17131c5a7213f1fc9cb8c6741be4

SHA512
da8f453310c6dce6a12646fd994c6cf393aea08e27bf70597858cc057725e71fcd7d9c68c9d134bac0ff3a2ad4145e02ae89fdc5d305d3b4e02f664c1744e4ef

Download Submit
memory/112-60-0x0000000000000000-mapping.dmp

Download
memory/1596-62-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2044-55-0x00000000004E0000-0x00000000004E5000-memory.dmp

Filesize
20KB

Download
memory/2044-63-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download