Overview

overview

10

Static

static

e37057525d...46.exe

windows7-x64

10

e37057525d...46.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    148s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2022 01:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e37057525d97ca0b2387be41eced03a6c61dfd05d3dcc1a4d774c5692d9f3246.exe

  • Size

    944KB

  • MD5

    64468dbe23a7123cde72439dec449905

  • SHA1

    c3a80ef2c3472a45d8e810adf29f97a0bbe02ccb

  • SHA256

    e37057525d97ca0b2387be41eced03a6c61dfd05d3dcc1a4d774c5692d9f3246

  • SHA512

    656f9f6f772a6389d77f403ff48f96a3969db9da7afc99b1310e3bba23c309477c2803b593c5580ac27dbe848757bf67f7d09d67abe2cf1c1607e0beefad915e

  • SSDEEP

    12288:zYn23qEKOen23qEK9IWqBcVslsfHL6sVRVo7YNQ61F85ZwKd89BcF7AiDHgn4H6j:zYlhsU7vWwQOyEvOPDgsaknv4

Score
10/10
gozi_rm3bankertrojan

Malware Config

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e37057525d97ca0b2387be41eced03a6c61dfd05d3dcc1a4d774c5692d9f3246.exe
    "C:\Users\Admin\AppData\Local\Temp\e37057525d97ca0b2387be41eced03a6c61dfd05d3dcc1a4d774c5692d9f3246.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://b2forum.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1756
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://rumpehack.blogspot.com/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1368 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:636
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
      PID:1812
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x57c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:268

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      d15aaa7c9be910a9898260767e2490e1

      SHA1

      2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

      SHA256

      f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

      SHA512

      7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      463becd020c7c7198c34ce4c6a935809

      SHA1

      0dd7877d7f5ebc269e4ea7398ce1b855b5f8233e

      SHA256

      88f0da7ab019a6f0288223ab86b344912036786dbc77d42240365f6556022207

      SHA512

      66b849bbbb542d6bb9ca86a107e6fbccb3e2fb2b4159c8be7badb08aacffde6a0f0203d317c911b5e791a703f649f5d0286ac9cd838566a6873b8de2aefe3910

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FBA34B81-4911-11ED-A34F-EA25B6F29539}.dat
      Filesize

      5KB

      MD5

      ae6386728aaa28f0d85c1a546e164bdf

      SHA1

      df85ff005bc75105e138a29631210c2641e6eee1

      SHA256

      050e22f86092a50e54f93f110df593c6da5516a9459999159a26ed1363f40259

      SHA512

      c7a836871ae4ef5f9c25a581383ed7f907a3597af5312513c29716ed3c0bf020213cd729178760cf970f8cfc3cbe67b1182ea7ee4daef4efb5cfe5d7acd8dabb

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FBA37291-4911-11ED-A34F-EA25B6F29539}.dat
      Filesize

      3KB

      MD5

      5827ebe126629e4348bb4fa3ecef1760

      SHA1

      4f8685ed0c7ae1bcd4c15824734502f95c21b52b

      SHA256

      832554943d637301d3dd35613c19521ff938a977f39b97f3510e2d24101e53b8

      SHA512

      a7ef36245695deedce036bf377be1bd5e686b0355547595e0565494b3867e10b518422b3cc275505e8bc1d0fa5cdd296a3f818add9bfb2b0c780b81fbfdca24a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
      Filesize

      5KB

      MD5

      6da28c393188540b22198b5b2de815fd

      SHA1

      df5f65fe755e4148b1104ca65a362c0d0d533e94

      SHA256

      b6c79cd71a6b27734def1647a2422c3eea149b420ba392e75d294352be72c42a

      SHA512

      02b56c044f543e97752b29e0a58ced78e7d62dfdc8e9a2875e556b6dedee2ddbcd5da9bb2a7ac477f84f59fc5a9cd7d2c14d28862bb5acce42358ff0bfb70ea2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\S0HRQUSH.txt
      Filesize

      608B

      MD5

      8917a497036fbbcb9eb1e6950b78c339

      SHA1

      fb6342fcf6b48395338ca8bf6b69252ec02c4fb5

      SHA256

      7729f82195ece8b8ff07550b6f9239dd4bef3d17adfe3e1541c603de671e529e

      SHA512

      504988a72dac3835909a9207eb75c6045c4fd214fd6c7ed84feb4790b3b88514b3c62e86ca48f40c602780255690edd3dc1dd86ab70272a007960633b790d8b1

      Download Submit
    • memory/1980-56-0x0000000075521000-0x0000000075523000-memory.dmp
      Filesize

      8KB

      Download