gozi_ifsb | 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80

General

Target

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
Size

330KB
MD5

6a4b1cfb80bdb519dcd780cf3394de20
SHA1

e14344457221584f5ae03f041eeddcec1c941597
SHA256

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80
SHA512

46acb4dc1311a7e0f016f44b3c8cf1d140b65bd5de57c2566d85f0289a91e10fba9df9493c8a8ad3c838d6b4ff85c1343dcd80b24f52876f3eb2703f3a6d417f
SSDEEP

6144:wikrw8J6L91p9xzyohKhRcIERqcKvl9W695OHIue/Ytijm/:M8iE93jkIIEwc6l9W62Hht

Score

10^/10

gozi_ifsb 1010 banker persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

siasecuritychecks.com

195.20.141.92

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1340 cmd.exe

pid	process
1340	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhcpprop = "C:\\Windows\\system32\\Audiwcfg.exe"	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

Drops file in System32 directory 2 IoCs

Processes:

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

description	ioc	process
File created	C:\Windows\system32\Audiwcfg.exe	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
File opened for modification	C:\Windows\system32\Audiwcfg.exe	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

description	pid	process	target process
PID 1460 set thread context of 936	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

pid process

1460 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

936 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

pid process

1460 95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

pid	process
1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

pid	process
1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe
Token: 33	528	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	528	AUDIODG.EXE
Token: 33	528	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	528	AUDIODG.EXE
Token: SeShutdownPrivilege	936	explorer.exe
Token: SeShutdownPrivilege	936	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

explorer.exe

pid	process
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe
936	explorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.execmd.exe

description	pid	process	target process
PID 1460 wrote to memory of 936	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	explorer.exe
PID 1460 wrote to memory of 936	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	explorer.exe
PID 1460 wrote to memory of 936	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	explorer.exe
PID 1460 wrote to memory of 936	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	explorer.exe
PID 1460 wrote to memory of 936	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	explorer.exe
PID 1460 wrote to memory of 936	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	explorer.exe
PID 1460 wrote to memory of 936	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	explorer.exe
PID 1460 wrote to memory of 1340	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	cmd.exe
PID 1460 wrote to memory of 1340	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	cmd.exe
PID 1460 wrote to memory of 1340	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	cmd.exe
PID 1460 wrote to memory of 1340	1460	95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe	cmd.exe
PID 1340 wrote to memory of 1448	1340	cmd.exe	attrib.exe
PID 1340 wrote to memory of 1448	1340	cmd.exe	attrib.exe
PID 1340 wrote to memory of 1448	1340	cmd.exe	attrib.exe
PID 1340 wrote to memory of 1448	1340	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1448 attrib.exe

pid	process
1448	attrib.exe

C:\Users\Admin\AppData\Local\Temp\95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe
"C:\Users\Admin\AppData\Local\Temp\95b107fed6499ed48dea071f07362a34289f5600c37a70b641e8d4676df78a80.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\C4C4.bat" "C:\Users\Admin\AppData\Local\Temp\95B107~1.EXE""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\95B107~1.EXE"
3⤵
- Views/modifies file attributes
PID:1448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:528

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C4C4.bat
Filesize
72B

MD5
13eb692980fe6d822eb6208a65f604cb

SHA1
dcc4b37e47bd10258c5d595a8a4fe52ade75186b

SHA256
4f69991c52bfd35f0a8d7430293a095b7bfcb467a8205b5001a44f16bfc85b32

SHA512
764509732549899b78b409c07059298f3c249bdd8b0beda32f5077b5d21c7c2c09ccb3097fa14bf65369bd5d48dc0f53ac5e38d7793c4b672cbe26307b92c9f8

Download Submit
memory/936-56-0x0000000000000000-mapping.dmp

Download
memory/936-58-0x000007FEFB151000-0x000007FEFB153000-memory.dmp

Filesize
8KB

Download
memory/936-63-0x0000000001B40000-0x0000000001BA2000-memory.dmp

Filesize
392KB

Download
memory/1340-59-0x0000000000000000-mapping.dmp

Download
memory/1448-62-0x0000000000000000-mapping.dmp

Download
memory/1460-54-0x0000000000230000-0x000000000025F000-memory.dmp

Filesize
188KB

Download
memory/1460-55-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1460-57-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1460-60-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads