gozi_ifsb | 056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

General

Target

056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe
Size

350KB
MD5

3f65f241981377c60c4f96e43f2925c3
SHA1

6f11358676bc96c1062858739904f955996906f4
SHA256

056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5
SHA512

a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d
SSDEEP

6144:n5gNwmDoctwXekY4no0zbbRzpBwmZm+72dCMKB7QNk3VcXaO:kknXekNoYJzLids7Ak3VEN

Score

10^/10

gozi_ifsb 1000 banker evasion persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1000

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\certcapi\adslsjob.exe = "0"	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe

Executes dropped EXE 1 IoCs

pid	Process
1600	adslsjob.exe

Deletes itself 1 IoCs

pid	Process
1600	adslsjob.exe

Loads dropped DLL 2 IoCs

pid	Process
1532	cmd.exe
1532	cmd.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\certcapi\adslsjob.exe = "0"	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Devilu32 = "C:\\Users\\Admin\\AppData\\Roaming\\certcapi\\adslsjob.exe"	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 1412	1600	adslsjob.exe	31
PID 1412 set thread context of 1208	1412	svchost.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1600	adslsjob.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1600	adslsjob.exe
1412	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2036	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1652	2036	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe	27
PID 2036 wrote to memory of 1652	2036	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe	27
PID 2036 wrote to memory of 1652	2036	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe	27
PID 2036 wrote to memory of 1652	2036	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe	27
PID 1652 wrote to memory of 1532	1652	cmd.exe	29
PID 1652 wrote to memory of 1532	1652	cmd.exe	29
PID 1652 wrote to memory of 1532	1652	cmd.exe	29
PID 1652 wrote to memory of 1532	1652	cmd.exe	29
PID 1532 wrote to memory of 1600	1532	cmd.exe	30
PID 1532 wrote to memory of 1600	1532	cmd.exe	30
PID 1532 wrote to memory of 1600	1532	cmd.exe	30
PID 1532 wrote to memory of 1600	1532	cmd.exe	30
PID 1600 wrote to memory of 1412	1600	adslsjob.exe	31
PID 1600 wrote to memory of 1412	1600	adslsjob.exe	31
PID 1600 wrote to memory of 1412	1600	adslsjob.exe	31
PID 1600 wrote to memory of 1412	1600	adslsjob.exe	31
PID 1600 wrote to memory of 1412	1600	adslsjob.exe	31
PID 1600 wrote to memory of 1412	1600	adslsjob.exe	31
PID 1600 wrote to memory of 1412	1600	adslsjob.exe	31
PID 1412 wrote to memory of 1208	1412	svchost.exe	20
PID 1412 wrote to memory of 1208	1412	svchost.exe	20
PID 1412 wrote to memory of 1208	1412	svchost.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1208
- C:\Users\Admin\AppData\Local\Temp\056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe
  "C:\Users\Admin\AppData\Local\Temp\056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5_unpacked_dropper.exe"
  2⤵
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7D87\7957.bat" "C:\Users\Admin\AppData\Roaming\certcapi\adslsjob.exe" "C:\Users\Admin\AppData\Local\Temp\056C73~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\certcapi\adslsjob.exe" "C:\Users\Admin\AppData\Local\Temp\056C73~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Users\Admin\AppData\Roaming\certcapi\adslsjob.exe
        
        "C:\Users\Admin\AppData\Roaming\certcapi\adslsjob.exe" "C:\Users\Admin\AppData\Local\Temp\056C73~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7D87\7957.bat

Filesize
108B

MD5
20f3b0a040c035d3fdb37a4cafe5d26e

SHA1
b12eaffe276bb0d4df2fa0bff63f87c0ca400368

SHA256
c1a3b309a3234315c6b218ff62e3d46a3bb85a4b12222ce015fc8e8283e76210

SHA512
6a34f7f8b5ceb36d001516746c26eebec58c00cc8b8a5712328a382d08b614ff6e74a2907e172e667e1a399958d94a5314c84aa9ecb5c9e90f9dc959ff6569b2

Download Submit
C:\Users\Admin\AppData\Roaming\certcapi\adslsjob.exe

Filesize
350KB

MD5
3f65f241981377c60c4f96e43f2925c3

SHA1
6f11358676bc96c1062858739904f955996906f4

SHA256
056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

SHA512
a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d

Download Submit
C:\Users\Admin\AppData\Roaming\certcapi\adslsjob.exe

Filesize
350KB

MD5
3f65f241981377c60c4f96e43f2925c3

SHA1
6f11358676bc96c1062858739904f955996906f4

SHA256
056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

SHA512
a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d

Download Submit
\Users\Admin\AppData\Roaming\certcapi\adslsjob.exe

Filesize
350KB

MD5
3f65f241981377c60c4f96e43f2925c3

SHA1
6f11358676bc96c1062858739904f955996906f4

SHA256
056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

SHA512
a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d

Download Submit
\Users\Admin\AppData\Roaming\certcapi\adslsjob.exe

Filesize
350KB

MD5
3f65f241981377c60c4f96e43f2925c3

SHA1
6f11358676bc96c1062858739904f955996906f4

SHA256
056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

SHA512
a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d

Download Submit
memory/1208-67-0x0000000004B80000-0x0000000004C68000-memory.dmp

Filesize
928KB

Download
memory/1208-66-0x0000000004B80000-0x0000000004C68000-memory.dmp

Filesize
928KB

Download
memory/1412-65-0x0000000000440000-0x0000000000528000-memory.dmp

Filesize
928KB

Download
memory/2036-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads