gozi_ifsb | 056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

General

Target

056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe
Size

350KB
MD5

3f65f241981377c60c4f96e43f2925c3
SHA1

6f11358676bc96c1062858739904f955996906f4
SHA256

056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5
SHA512

a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d
SSDEEP

6144:n5gNwmDoctwXekY4no0zbbRzpBwmZm+72dCMKB7QNk3VcXaO:kknXekNoYJzLids7Ak3VEN

Score

10^/10

gozi_ifsb 1000 banker evasion persistence trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1000

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\dmvdXT32\AUDIound.exe = "0"	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe

Executes dropped EXE 1 IoCs

pid	Process
1648	AUDIound.exe

Deletes itself 1 IoCs

pid	Process
1648	AUDIound.exe

Loads dropped DLL 2 IoCs

pid	Process
1372	cmd.exe
1372	cmd.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\dmvdXT32\AUDIound.exe = "0"	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dmstroxy = "C:\\Users\\Admin\\AppData\\Roaming\\dmvdXT32\\AUDIound.exe"	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 556	1648	AUDIound.exe	31
PID 556 set thread context of 1360	556	svchost.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1648	AUDIound.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1360	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1648	AUDIound.exe
556	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1064	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe
Token: SeShutdownPrivilege	1360	Explorer.EXE
Token: SeShutdownPrivilege	1360	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 932	1064	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe	27
PID 1064 wrote to memory of 932	1064	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe	27
PID 1064 wrote to memory of 932	1064	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe	27
PID 1064 wrote to memory of 932	1064	056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe	27
PID 932 wrote to memory of 1372	932	cmd.exe	29
PID 932 wrote to memory of 1372	932	cmd.exe	29
PID 932 wrote to memory of 1372	932	cmd.exe	29
PID 932 wrote to memory of 1372	932	cmd.exe	29
PID 1372 wrote to memory of 1648	1372	cmd.exe	30
PID 1372 wrote to memory of 1648	1372	cmd.exe	30
PID 1372 wrote to memory of 1648	1372	cmd.exe	30
PID 1372 wrote to memory of 1648	1372	cmd.exe	30
PID 1648 wrote to memory of 556	1648	AUDIound.exe	31
PID 1648 wrote to memory of 556	1648	AUDIound.exe	31
PID 1648 wrote to memory of 556	1648	AUDIound.exe	31
PID 1648 wrote to memory of 556	1648	AUDIound.exe	31
PID 1648 wrote to memory of 556	1648	AUDIound.exe	31
PID 1648 wrote to memory of 556	1648	AUDIound.exe	31
PID 1648 wrote to memory of 556	1648	AUDIound.exe	31
PID 556 wrote to memory of 1360	556	svchost.exe	15
PID 556 wrote to memory of 1360	556	svchost.exe	15
PID 556 wrote to memory of 1360	556	svchost.exe	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1360
- C:\Users\Admin\AppData\Local\Temp\056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe
  "C:\Users\Admin\AppData\Local\Temp\056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5.exe"
  2⤵
  - Windows security bypass
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\57FE\17FC.bat" "C:\Users\Admin\AppData\Roaming\dmvdXT32\AUDIound.exe" "C:\Users\Admin\AppData\Local\Temp\056C73~1.EXE""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ""C:\Users\Admin\AppData\Roaming\dmvdXT32\AUDIound.exe" "C:\Users\Admin\AppData\Local\Temp\056C73~1.EXE""
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Users\Admin\AppData\Roaming\dmvdXT32\AUDIound.exe
        
        "C:\Users\Admin\AppData\Roaming\dmvdXT32\AUDIound.exe" "C:\Users\Admin\AppData\Local\Temp\056C73~1.EXE"
        5⤵
        Executes dropped EXE
        Deletes itself
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\57FE\17FC.bat

Filesize
108B

MD5
cf564ebbcdad5e9ce6397bf4aa50a5a4

SHA1
91564e80f9105c60d8db3607080dfc1384ee401a

SHA256
9f01c8e6c39978271e670e7eaf0820680d2baa36567e48571f08b139964ac6b2

SHA512
536e38240969559069018b5f96bbb525fb2b3a4b63af9ea3ad3cddfdefdeaf516c3ede28390a8eeabc55c0ee7df5f94f919f358799207c5c0db082f3ec5810b7

Download Submit
C:\Users\Admin\AppData\Roaming\dmvdXT32\AUDIound.exe

Filesize
350KB

MD5
3f65f241981377c60c4f96e43f2925c3

SHA1
6f11358676bc96c1062858739904f955996906f4

SHA256
056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

SHA512
a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d

Download Submit
C:\Users\Admin\AppData\Roaming\dmvdXT32\AUDIound.exe

Filesize
350KB

MD5
3f65f241981377c60c4f96e43f2925c3

SHA1
6f11358676bc96c1062858739904f955996906f4

SHA256
056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

SHA512
a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d

Download Submit
\Users\Admin\AppData\Roaming\dmvdXT32\AUDIound.exe

Filesize
350KB

MD5
3f65f241981377c60c4f96e43f2925c3

SHA1
6f11358676bc96c1062858739904f955996906f4

SHA256
056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

SHA512
a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d

Download Submit
\Users\Admin\AppData\Roaming\dmvdXT32\AUDIound.exe

Filesize
350KB

MD5
3f65f241981377c60c4f96e43f2925c3

SHA1
6f11358676bc96c1062858739904f955996906f4

SHA256
056c73060f1553f213982a5bfb4d3535ef0594e1fcb70c8a67bc83e6b5d972c5

SHA512
a02f051946afddd0034db22539f73d5639a8e57f0c5c19fa355f1e198691f83fc7df95c208c4330838a84265b5aaba6eac72f698e6307455d8561f621b6d005d

Download Submit
memory/556-65-0x00000000003D0000-0x00000000004B8000-memory.dmp

Filesize
928KB

Download
memory/556-66-0x00000000003D0000-0x00000000004B8000-memory.dmp

Filesize
928KB

Download
memory/1064-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1360-67-0x00000000064C0000-0x00000000065A8000-memory.dmp

Filesize
928KB

Download
memory/1360-68-0x00000000064C0000-0x00000000065A8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads