Analysis

  • max time kernel
    482s
  • max time network
    485s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2022 23:52

General

  • Target

    2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe

  • Size

    302KB

  • MD5

    fddf052c867459e52b86307ffdd2f0b8

  • SHA1

    471c4e337c3f37d19ed21b1b3ca47caf7f5287fb

  • SHA256

    2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7

  • SHA512

    903d2debcccf78191cec690995e6fa635445d8bb7216b7b88b73755dd74ad295706e81ca3803da7be52cf917bf291cea9915459025b89b32343e63fbd9408f07

  • SSDEEP

    6144:mMMYNXqBBtzd0e6OGxUf4lnWFJuDlw2bt6MY8E/0RMKYrsTL16Qj8iA:qntz28wlPlww6Mfk0R9R4Qj8P

Score
10/10

Malware Config

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe
    "C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:660
    • C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe
      "C:\Users\Admin\AppData\Local\Temp\2013911086eeba13ee90a57d81a27fabdab52e9896f0ec55e7b9aec0528c57b7.exe"
      2⤵
        PID:320

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\brothers.dll

      Filesize

      68KB

      MD5

      aa7a954d0ea7dbb90068bdd32d997f2a

      SHA1

      8a6ec0b72e5000900a71b5eb4bd81dda342a0dd9

      SHA256

      fda8e2088f7ca3f22d90e0ce3a9e2e466b7a30e96cfc166059156aabab3dea1b

      SHA512

      2850c7a06a3b03cd4989ee0db61b0b91746489b5ddbdddfc351d30c52147b0cbe6cbecd6c8737fe3ffa11f5db97948472adeb4031f72829205052ae7d24e5d80

    • C:\Users\Admin\AppData\Local\Temp\brothers.dll

      Filesize

      68KB

      MD5

      aa7a954d0ea7dbb90068bdd32d997f2a

      SHA1

      8a6ec0b72e5000900a71b5eb4bd81dda342a0dd9

      SHA256

      fda8e2088f7ca3f22d90e0ce3a9e2e466b7a30e96cfc166059156aabab3dea1b

      SHA512

      2850c7a06a3b03cd4989ee0db61b0b91746489b5ddbdddfc351d30c52147b0cbe6cbecd6c8737fe3ffa11f5db97948472adeb4031f72829205052ae7d24e5d80

    • C:\Users\Admin\AppData\Local\Temp\nsrD910.tmp\System.dll

      Filesize

      11KB

      MD5

      883eff06ac96966270731e4e22817e11

      SHA1

      523c87c98236cbc04430e87ec19b977595092ac8

      SHA256

      44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

      SHA512

      60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    • memory/320-136-0x0000000000000000-mapping.dmp

    • memory/320-137-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

    • memory/320-139-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

    • memory/320-140-0x0000000000400000-0x000000000043B000-memory.dmp

      Filesize

      236KB

    • memory/660-135-0x0000000002290000-0x00000000022A1000-memory.dmp

      Filesize

      68KB