gozi_ifsb | 6bbc933ec989233a4eebb376bb7589ec5c3c8fd949b7a822fce432313440e886

General

Target

2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
Size

210KB
MD5

85805d82dabc0dd52887500bac553b21
SHA1

d2113a557620ab04bc5d70d17196adf4d616fc46
SHA256

6bbc933ec989233a4eebb376bb7589ec5c3c8fd949b7a822fce432313440e886
SHA512

3489b0121df37ff4da162a761de8867bab34cdf5b76a31f2987fc7303e7fa78a74fedc7d2ec780127842b0410ed2e220274164b30b177b302990bdebdac941de
SSDEEP

6144:mqkjiG4DOVwfSqlFR25owgSidd3Xy441GE3UKKz1PFB:hdfDOerzRyo9rnYGKe1PFB

Score

10^/10

gozi_ifsb 1010 banker persistence ransomware trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1010

C2

supportsstats.com/geodata/version/ip2ext

neteworkgroup.com/geodata/version/ip2ext

highnetwork.pw/geodata/version/ip2ext

lostnetwork.in/geodata/version/ip2ext

sysconnections.net/geodata/version/ip2ext

lansupports.com/geodata/version/ip2ext

Attributes

build
212578
exe_type
worker
server_id
30

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

760 cmd.exe

pid	process
760	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\C_ISroxy = "C:\\Windows\\system32\\bitsprx3.exe"	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

Drops file in System32 directory 2 IoCs

Processes:

2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

description	ioc	process
File created	C:\Windows\system32\bitsprx3.exe	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
File opened for modification	C:\Windows\system32\bitsprx3.exe	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28DB.bin"	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

description	pid	process	target process
PID 1148 set thread context of 1392	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

pid process

1148 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1392 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

pid process

1148 2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

pid	process
1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

pid	process
1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe
Token: 33	2016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2016	AUDIODG.EXE
Token: 33	2016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2016	AUDIODG.EXE
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe
Token: SeShutdownPrivilege	1392	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

explorer.exe

pid	process
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

explorer.exe

pid	process
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe
1392	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1392 explorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.execmd.exe

description	pid	process	target process
PID 1148 wrote to memory of 1392	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	explorer.exe
PID 1148 wrote to memory of 1392	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	explorer.exe
PID 1148 wrote to memory of 1392	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	explorer.exe
PID 1148 wrote to memory of 1392	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	explorer.exe
PID 1148 wrote to memory of 1392	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	explorer.exe
PID 1148 wrote to memory of 1392	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	explorer.exe
PID 1148 wrote to memory of 1392	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	explorer.exe
PID 1148 wrote to memory of 760	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	cmd.exe
PID 1148 wrote to memory of 760	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	cmd.exe
PID 1148 wrote to memory of 760	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	cmd.exe
PID 1148 wrote to memory of 760	1148	2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe	cmd.exe
PID 760 wrote to memory of 2012	760	cmd.exe	attrib.exe
PID 760 wrote to memory of 2012	760	cmd.exe	attrib.exe
PID 760 wrote to memory of 2012	760	cmd.exe	attrib.exe
PID 760 wrote to memory of 2012	760	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2012 attrib.exe

pid	process
2012	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe
"C:\Users\Admin\AppData\Local\Temp\2e563953d95288b1e36d9b7a556cb71d907510e40df243ec8b9c8ec1903edb13_unpacked_dropper.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\534C.bat" "C:\Users\Admin\AppData\Local\Temp\2E5639~1.EXE""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\2E5639~1.EXE"
3⤵
- Views/modifies file attributes
PID:2012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\534C.bat
Filesize
72B

MD5
9398ce54ecd4e77353dca5660559b46c

SHA1
47c0888e4ac000bb878e757efb3b11372117afca

SHA256
8318b50c8e96f0f62d98b332f72bc57c8550a61db036e75539a6c3be601c7490

SHA512
1f884b187349f8ba056f7e656eb586c53b2f2109c261fcc8143720dd20313d1a49c583ebfbf5a66f6efe885eb80ac4bd72fbe47ba0d3fe896778530414400f8e

Download Submit
memory/760-58-0x0000000000000000-mapping.dmp

Download
memory/1148-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1392-55-0x0000000000000000-mapping.dmp

Download
memory/1392-56-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1392-57-0x0000000001B10000-0x0000000001B96000-memory.dmp

Filesize
536KB

Download
memory/2012-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads