Overview

overview

10

Static

static

8c340810b2...a1.exe

windows7-x64

10

8c340810b2...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2022 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c340810b289bb9addfc9edb7c6dcd47d9f990135bac7b43406a985383b71da1.exe

  • Size

    237KB

  • MD5

    7828f04aee05ad7e4347a68c431b1fb1

  • SHA1

    1ef468bd21702883264cf01fc7412ba681713ccc

  • SHA256

    8c340810b289bb9addfc9edb7c6dcd47d9f990135bac7b43406a985383b71da1

  • SHA512

    953d1d7cab60bf73b840a4c5c7b0f24ffc8f7a3cca62595ba933a9a4a590f7549a62fc839ebfdab2d152804b3f1eb876c47553e05451d71f5ac1d7bb9cdbef4c

  • SSDEEP

    6144:1QmqVJbaflmsnFJlJfn5WsR4t5n3jJ9ZMjvA5wG:1GnKF1f5W24t5t9Z2vA

Score
10/10
gozi_ifsb3bankerpersistencetrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3

C2

rootapi.su

root-api.su

rootapigoogle.su

rootapi-google.su

root-apigoogle.su

rootgoogle.su

root-google.su

rootgoogleapi.su

rootgoogle-api.su

root-googleapi.su

91.226.212.148
Attributes
  • exe_type

    worker

rsa_pubkey.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c340810b289bb9addfc9edb7c6dcd47d9f990135bac7b43406a985383b71da1.exe
    "C:\Users\Admin\AppData\Local\Temp\8c340810b289bb9addfc9edb7c6dcd47d9f990135bac7b43406a985383b71da1.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 996
      2⤵
      • Program crash
      PID:1536
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2356 -ip 2356
    1⤵
      PID:1332
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3460
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3804

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/872-134-0x0000000000000000-mapping.dmp

      Download

    • memory/2356-132-0x0000000000CE0000-0x0000000000D0F000-memory.dmp

      Filesize

      188KB

      Download

    • memory/2356-133-0x0000000000CE0000-0x0000000000D0E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/2356-135-0x0000000000CE0000-0x0000000000D0E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/3804-143-0x0000018D722D8000-0x0000018D722E0000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3804-146-0x0000018D74EC0000-0x0000018D74EE0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3804-150-0x0000018D75090000-0x0000018D75190000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3804-152-0x0000018D747C0000-0x0000018D747E0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3804-158-0x0000018D727C0000-0x0000018D727E0000-memory.dmp

      Filesize

      128KB

      Download