Analysis

  • max time kernel
    556s
  • max time network
    542s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-10-2022 00:07

General

  • Target

    3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe

  • Size

    418KB

  • MD5

    b8ea5cdd085bea860fb94bef2fecb6d9

  • SHA1

    3788cec204c0f2f6fe674fba85895f99f48a1f23

  • SHA256

    3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5

  • SHA512

    45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632

  • SSDEEP

    12288:4r7ox3gdRAAzI+L7sCcDIg54qlcepleY:43ox3ghzHsIg2yvU

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1100

C2

cyajon.at/krp3cmg

hipohook.cn/krp3cmg

rokolero.at/krp3cmg

arexan.at/krp3cmg

voligon.cn/krp3cmg

qwevigoc.at/krp3cmg

comerail.su/krp3cmg

boombom.at/krp3cmg

xiloker.cn/krp3cmg

xorewopa.at/krp3cmg

goinumder.su/krp3cmg

ribomoon.cn/krp3cmg

ambikooly.at/krp3cmg

therepalon.su/krp3cmg

chikoole.cn/krp3cmg

Attributes
  • build

    214837

  • exe_type

    worker

  • server_id

    110

rsa_pubkey.plain
serpent.plain
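All fifteen C2 entries above share one URI path, /krp3cmg, while the hostnames rotate across .at, .cn and .su. That makes the path a more durable indicator than any single domain. The block below is an added example, not part of the sandbox report or of any vendor tooling: it copies the report's C2 list, splits it into a host set and a path set, and runs both over proxy log lines that are constructed for the demo (the log lines, field layout and helper names parse_c2 and match_proxy_log are this example's own).

```python
"""Turn the extracted Gozi ISFB C2 list into indicators and match proxy logs.

Added example, not part of the report. C2_ENTRIES is copied from the
extracted config above; PROXY_LOG is constructed for the demo.
"""
from urllib.parse import urlsplit

# C2 entries exactly as extracted from the sample's config (host/path form).
C2_ENTRIES = [
    "cyajon.at/krp3cmg", "hipohook.cn/krp3cmg", "rokolero.at/krp3cmg",
    "arexan.at/krp3cmg", "voligon.cn/krp3cmg", "qwevigoc.at/krp3cmg",
    "comerail.su/krp3cmg", "boombom.at/krp3cmg", "xiloker.cn/krp3cmg",
    "xorewopa.at/krp3cmg", "goinumder.su/krp3cmg", "ribomoon.cn/krp3cmg",
    "ambikooly.at/krp3cmg", "therepalon.su/krp3cmg", "chikoole.cn/krp3cmg",
]


def parse_c2(entries):
    """Split 'host/path' entries into a set of hosts and a set of URI paths."""
    hosts, paths = set(), set()
    for entry in entries:
        host, _, path = entry.partition("/")
        hosts.add(host.lower())
        paths.add("/" + path)
    return hosts, paths


# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url>".
# The third line uses a host that is NOT in the config but the same path,
# which is what a rotated-domain C2 would look like.
PROXY_LOG = [
    "2022-10-27T00:08:01 10.0.0.5 GET http://cyajon.at/krp3cmg/images/abc.gif",
    "2022-10-27T00:08:02 10.0.0.5 GET http://www.microsoft.com/en-us/",
    "2022-10-27T00:08:03 10.0.0.5 POST http://newhost.cn/krp3cmg/",
    "2022-10-27T00:08:04 10.0.0.5 GET http://boombom.at/favicon.ico",
]


def match_proxy_log(lines, entries=C2_ENTRIES):
    """Return (url, reason) for each line that hits a C2 host or the shared C2 path."""
    hosts, paths = parse_c2(entries)
    hits = []
    for line in lines:
        url = line.split()[-1]            # last field is the URL
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in hosts:
            hits.append((url, "host"))
        elif any(parts.path == p or parts.path.startswith(p + "/") for p in paths):
            hits.append((url, "path"))    # unknown host, known path token
    return hits


if __name__ == "__main__":
    for url, reason in match_proxy_log(PROXY_LOG):
        print(f"{reason:4s} {url}")
```

The path rule is the one to keep an eye on operationally: it catches domains not yet in the config, at the cost of matching any URL that starts with /krp3cmg, so pair it with the host list rather than running it alone.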

Signatures

  • Gozi, Gozi ISFB

    Gozi ISFB is a well-known and widely distributed banking trojan. The extracted config above (15 C2 hosts, botnet 1100, build 214837, exe_type worker) is what attributes this sample to the family.

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to servers other than the configured DNS servers was detected on the DNS port. In this run it is accounted for by the "nslookup myip.opendns.com resolver1.opendns.com" command in the process tree, which queries OpenDNS directly so the bot can learn the host's external IP address.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this likely ransomware behaviour; for this sample, classified above as Gozi ISFB, it is better read as discovery activity (see System Information Discovery in the ATT&CK section) than as encryption.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
      "C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\FF86\FFC3.bat" "C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C ""C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE""
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:904
          • C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe
            "C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE"
            5⤵
            • Executes dropped EXE
            • Deletes itself
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1500
    • C:\Windows\system32\cmd.exe
      cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\C2A7.bi1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\system32\nslookup.exe
        nslookup myip.opendns.com resolver1.opendns.com
        3⤵
        PID:1468
    • C:\Windows\system32\cmd.exe
      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C2A7.bi1"
      2⤵
      PID:932
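The process tree above contains three things worth turning into detections: cmd.exe running a .bat from %TEMP% that relaunches a copy of the sample from %APPDATA%\Roaming (the drop-and-relaunch step), svchost.exe started by that copy rather than by services.exe (the injection target, matching the SetThreadContext / WriteProcessMemory / MapViewOfSection signatures on PID 1500), and nslookup against resolver1.opendns.com for external IP discovery. The block below is an added example, not part of the report: the events are constructed from the tree (PIDs, images and command lines copied from it, parent PIDs taken from the nesting), with a services.exe and a benign svchost.exe added by hand for contrast. Rule names and the event fields are this example's own.

```python
"""Process-tree detections for the behaviour in the tree above.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree; the services.exe (480) and benign svchost.exe (800)
events are invented for contrast and marked as such.
"""
import re

T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe"
SAMPLE = T + r"\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe"


def ev(pid, ppid, image, cmd):
    """Minimal Sysmon-style process-creation event."""
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


EVENTS = [
    ev(1220, 0,    r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ev(480,  0,    r"C:\Windows\system32\services.exe", "services.exe"),             # constructed
    ev(800,  480,  r"C:\Windows\system32\svchost.exe", "svchost.exe -k netsvcs"),    # constructed, benign
    ev(1720, 1220, SAMPLE, f'"{SAMPLE}"'),
    ev(556,  1720, r"C:\Windows\SysWOW64\cmd.exe",
       f'cmd /c ""{T}\\FF86\\FFC3.bat" "{R}" "{T}\\3A252A~1.EXE""'),
    ev(904,  556,  r"C:\Windows\SysWOW64\cmd.exe", f'cmd /C ""{R}" "{T}\\3A252A~1.EXE""'),
    ev(1636, 904,  R, f'"{R}" "{T}\\3A252A~1.EXE"'),
    ev(1500, 1636, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe"),
    ev(1812, 1220, r"C:\Windows\system32\cmd.exe",
       f'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > {T}\\C2A7.bi1"'),
    ev(1468, 1812, r"C:\Windows\system32\nslookup.exe",
       "nslookup myip.opendns.com resolver1.opendns.com"),
    ev(932,  1220, r"C:\Windows\system32\cmd.exe", f'cmd /C "echo -------- >> {T}\\C2A7.bi1"'),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_external_ip_lookup(e, parents):
    """nslookup of myip.opendns.com: the bot asking OpenDNS for its public IP."""
    return basename(e["image"]) == "nslookup.exe" and "myip.opendns.com" in e["cmd"].lower()


def rule_temp_bat_relaunches_roaming_exe(e, parents):
    """cmd.exe running a .bat under %TEMP% whose arguments name an .exe under %APPDATA%\\Roaming."""
    c = e["cmd"].lower()
    return (basename(e["image"]) == "cmd.exe"
            and re.search(r"\\appdata\\local\\temp\\[^\"]+\.bat\b", c) is not None
            and re.search(r"\\appdata\\roaming\\[^\"]+\.exe\b", c) is not None)


def rule_svchost_unexpected_parent(e, parents):
    """svchost.exe not started by services.exe: the usual sign of a hollowed host process."""
    if basename(e["image"]) != "svchost.exe":
        return False
    parent = parents.get(e["ppid"])
    return parent is None or basename(parent["image"]) != "services.exe"


RULES = {
    "external_ip_lookup": rule_external_ip_lookup,
    "temp_bat_relaunches_roaming_exe": rule_temp_bat_relaunches_roaming_exe,
    "svchost_unexpected_parent": rule_svchost_unexpected_parent,
}


def run_rules(events):
    """Return (rule_name, pid) for every event that matches a rule."""
    parents = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e, parents):
                hits.append((name, e["pid"]))
    return hits


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name:34s} pid={pid}")
```

The svchost rule needs the parent event to be present in the same window of telemetry; if the parent was logged before the collection started, the rule fires on a missing parent as well, which is deliberate here (a missing parent for svchost.exe is itself worth a look) but will be noisier on real endpoints than on this constructed set.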

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: System Information Discovery (1) T1082


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\C2A7.bi1
        Filesize

        118B

        MD5

        4f6429322fdfd711b81d8824b25fcd9c

        SHA1

        f7f917b64dd43b620bacd21f134d430d3c406aec

        SHA256

        d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8

        SHA512

        e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816

      • C:\Users\Admin\AppData\Local\Temp\FF86\FFC3.bat
        Filesize

        108B

        MD5

        de0bb5b277a11c73e96ac12e9385e92d

        SHA1

        6709de05f3462aff9f9df00fbd08a186c5dff980

        SHA256

        034770653998707ad9ef3f785facb3b7ca0dd2f6ecebb5f16d4b26b79ee09e26

        SHA512

        568519fb3da910a9ab4cd8fabc552888bfa7d1d41670ef09b5235e246b51c75d56d743de18d0f6d860bed80b6be2787be08687744505c2dcd7b076719fadfe43

      • C:\Users\Admin\AppData\Roaming\cngpput8\drprssec.exe
        Filesize

        418KB

        MD5

        b8ea5cdd085bea860fb94bef2fecb6d9

        SHA1

        3788cec204c0f2f6fe674fba85895f99f48a1f23

        SHA256

        3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5

        SHA512

        45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632

      • \Users\Admin\AppData\Roaming\cngpput8\drprssec.exe
        Filesize

        418KB

        MD5

        b8ea5cdd085bea860fb94bef2fecb6d9

        SHA1

        3788cec204c0f2f6fe674fba85895f99f48a1f23

        SHA256

        3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5

        SHA512

        45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632

      • memory/556-58-0x0000000000000000-mapping.dmp
      • memory/904-60-0x0000000000000000-mapping.dmp
      • memory/932-78-0x0000000000000000-mapping.dmp
      • memory/1220-75-0x000007FE80CA0000-0x000007FE80CAA000-memory.dmp
        Filesize

        40KB

      • memory/1220-72-0x0000000003A60000-0x0000000003AEE000-memory.dmp
        Filesize

        568KB

      • memory/1220-74-0x000007FEFB220000-0x000007FEFB363000-memory.dmp
        Filesize

        1.3MB

      • memory/1220-73-0x0000000003A60000-0x0000000003AEE000-memory.dmp
        Filesize

        568KB

      • memory/1468-77-0x0000000000000000-mapping.dmp
      • memory/1500-70-0x0000000000290000-0x000000000031E000-memory.dmp
        Filesize

        568KB

      • memory/1500-71-0x0000000000290000-0x000000000031E000-memory.dmp
        Filesize

        568KB

      • memory/1500-69-0x0000000000000000-mapping.dmp
      • memory/1636-66-0x0000000000400000-0x000000000046D000-memory.dmp
        Filesize

        436KB

      • memory/1636-68-0x00000000020F0000-0x0000000002112000-memory.dmp
        Filesize

        136KB

      • memory/1636-63-0x0000000000000000-mapping.dmp
      • memory/1720-54-0x00000000757A1000-0x00000000757A3000-memory.dmp
        Filesize

        8KB

      • memory/1720-57-0x0000000001F50000-0x0000000001F72000-memory.dmp
        Filesize

        136KB

      • memory/1720-55-0x0000000000400000-0x000000000046D000-memory.dmp
        Filesize

        436KB

      • memory/1812-76-0x0000000000000000-mapping.dmp