gozi_ifsb | b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692

General

Target

b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe
Size

569KB
MD5

b903665c8fbd50d6bf8cdd3fb2925146
SHA1

6236fccb03ebe21b5b8d72443d4edf71384c045c
SHA256

b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692
SHA512

ad0a270a857b2165513bb0f2a0ee32c6d343149d1faaca0b735733d177af1c11cbe5ead694bf7e9a106017fb56023b779dfad4f6ceccc5b91fd3e9b890c187c5
SSDEEP

12288:paIJZRxQe8CBNKJ/3ISJFiT32e6MJE+8MOUBXiPb:0ID8aB0F4Sjm2e5+jWiPb

Score

10^/10

gozi_ifsb banker persistence trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Executes dropped EXE 1 IoCs

Processes:

Compound.exe

pid process

224 Compound.exe

pid	process
224	Compound.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DdcCutil = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Browscli\\Compound.exe"	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.execmd.execmd.exe

description	pid	process	target process
PID 3188 wrote to memory of 396	3188	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe	cmd.exe
PID 3188 wrote to memory of 396	3188	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe	cmd.exe
PID 3188 wrote to memory of 396	3188	b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe	cmd.exe
PID 396 wrote to memory of 308	396	cmd.exe	cmd.exe
PID 396 wrote to memory of 308	396	cmd.exe	cmd.exe
PID 396 wrote to memory of 308	396	cmd.exe	cmd.exe
PID 308 wrote to memory of 224	308	cmd.exe	Compound.exe
PID 308 wrote to memory of 224	308	cmd.exe	Compound.exe
PID 308 wrote to memory of 224	308	cmd.exe	Compound.exe

C:\Users\Admin\AppData\Local\Temp\b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe
"C:\Users\Admin\AppData\Local\Temp\b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAC6\EDCB.bat" "C:\Users\Admin\AppData\Roaming\MICROS~1\Browscli\Compound.exe" "C:\Users\Admin\AppData\Local\Temp\B75FF7~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\MICROS~1\Browscli\Compound.exe" "C:\Users\Admin\AppData\Local\Temp\B75FF7~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Roaming\MICROS~1\Browscli\Compound.exe
"C:\Users\Admin\AppData\Roaming\MICROS~1\Browscli\Compound.exe" "C:\Users\Admin\AppData\Local\Temp\B75FF7~1.EXE"
4⤵
- Executes dropped EXE
PID:224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CAC6\EDCB.bat
Filesize
112B

MD5
5d857498ef93ee500406648d267ccb6a

SHA1
fa7aa31302885df0f7e181f7335e9f8c29e4ce99

SHA256
15501c4347f34d86665889feadce8906119e33ba9e1abd6d9b62f037b4141618

SHA512
b2cec1eac515e3fcfc17552d20252261211d437ea2e6185ee45d9cc07f34657bbba63d1302c51bc773fb5344178bc393b6f4de3af57a7e86c834ccc91ee08843

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Browscli\Compound.exe
Filesize
569KB

MD5
b903665c8fbd50d6bf8cdd3fb2925146

SHA1
6236fccb03ebe21b5b8d72443d4edf71384c045c

SHA256
b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692

SHA512
ad0a270a857b2165513bb0f2a0ee32c6d343149d1faaca0b735733d177af1c11cbe5ead694bf7e9a106017fb56023b779dfad4f6ceccc5b91fd3e9b890c187c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Browscli\Compound.exe
Filesize
569KB

MD5
b903665c8fbd50d6bf8cdd3fb2925146

SHA1
6236fccb03ebe21b5b8d72443d4edf71384c045c

SHA256
b75ff77aca9a25acf4c0ad94853385d2a3ec188d4a6066eb5b3c7dcc52c0a692

SHA512
ad0a270a857b2165513bb0f2a0ee32c6d343149d1faaca0b735733d177af1c11cbe5ead694bf7e9a106017fb56023b779dfad4f6ceccc5b91fd3e9b890c187c5

Download Submit
memory/224-140-0x0000000000000000-mapping.dmp

Download
memory/308-139-0x0000000000000000-mapping.dmp

Download
memory/396-136-0x0000000000000000-mapping.dmp

Download
memory/3188-132-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3188-135-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3188-137-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads