Analysis

  • max time kernel
    106s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    13-10-2022 18:12

General

  • Target

    95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

  • Size

    330KB

  • MD5

    6a4b1cfb80bdb519dcd780cf3394de20

  • SHA1

    e14344457221584f5ae03f041eeddcec1c941597

  • SHA256

    95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80

  • SHA512

    46acb4dc1311a7e0f016f44b3c8cf1d140b65bd5de57c2566d85f0289a91e10fba9df9493c8a8ad3c838d6b4ff85c1343dcd80b24f52876f3eb2703f3a6d417f

  • SSDEEP

    6144:wikrw8J6L91p9xzyohKhRcIERqcKvl9W695OHIue/Ytijm/:M8iE93jkIIEwc6l9W62Hht

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

siasecuritychecks.com

195.20.141.92

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
    "C:\Users\Admin\AppData\Local\Temp\95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      2⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:936
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\C4C4.bat" "C:\Users\Admin\AppData\Local\Temp\95B107~1.EXE""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1340
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\95B107~1.EXE"
        3⤵
        • Views/modifies file attributes
        PID:1448
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x564
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:528

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Hidden Files and Directories

1
T1158

Defense Evasion

Modify Registry

2
T1112

Hidden Files and Directories

1
T1158

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\C4C4.bat
    Filesize

    72B

    MD5

    13eb692980fe6d822eb6208a65f604cb

    SHA1

    dcc4b37e47bd10258c5d595a8a4fe52ade75186b

    SHA256

    4f69991c52bfd35f0a8d7430293a095b7bfcb467a8205b5001a44f16bfc85b32

    SHA512

    764509732549899b78b409c07059298f3c249bdd8b0beda32f5077b5d21c7c2c09ccb3097fa14bf65369bd5d48dc0f53ac5e38d7793c4b672cbe26307b92c9f8

  • memory/936-56-0x0000000000000000-mapping.dmp
  • memory/936-58-0x000007FEFB151000-0x000007FEFB153000-memory.dmp
    Filesize

    8KB

  • memory/936-63-0x0000000001B40000-0x0000000001BA2000-memory.dmp
    Filesize

    392KB

  • memory/1340-59-0x0000000000000000-mapping.dmp
  • memory/1448-62-0x0000000000000000-mapping.dmp
  • memory/1460-54-0x0000000000230000-0x000000000025F000-memory.dmp
    Filesize

    188KB

  • memory/1460-55-0x0000000075981000-0x0000000075983000-memory.dmp
    Filesize

    8KB

  • memory/1460-57-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB

  • memory/1460-60-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize

    348KB