Analysis

  • max time kernel
    599s
  • max time network
    530s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    27-10-2022 00:07

General

  • Target

    3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe

  • Size

    418KB

  • MD5

    b8ea5cdd085bea860fb94bef2fecb6d9

  • SHA1

    3788cec204c0f2f6fe674fba85895f99f48a1f23

  • SHA256

    3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5

  • SHA512

    45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632

  • SSDEEP

    12288:4r7ox3gdRAAzI+L7sCcDIg54qlcepleY:43ox3ghzHsIg2yvU

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1100

C2


Attributes
  • build

    214837

  • exe_type

    worker

  • server_id

    110

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3424
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4596
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3692
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe
          "C:\Users\Admin\AppData\Local\Temp\3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5.exe"
          2⤵
          • Checks computer location settings
          • Adds Run key to start application
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3420
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EBA2\75D1.bat" "C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE""
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2704
            • C:\Windows\SysWOW64\cmd.exe
              cmd /C ""C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE""
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3412
              • C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe
                "C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe" "C:\Users\Admin\AppData\Local\Temp\3A252A~1.EXE"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:3440
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe
                  6⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:3624
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2FC6.bi1"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Windows\system32\nslookup.exe
            nslookup myip.opendns.com resolver1.opendns.com
            3⤵
              PID:2096
          • C:\Windows\system32\cmd.exe
            cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2FC6.bi1"
            2⤵
              PID:444
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder
    1
    T1060

Defense Evasion

  • Modify Registry
    1
    T1112

Discovery

  • Query Registry
    1
    T1012

  • System Information Discovery
    2
    T1082


Downloads

  • C:\Users\Admin\AppData\Local\Temp\2FC6.bi1
    Filesize

    118B

    MD5

    ace7e9f29953c4fbd6a930b50f792079

    SHA1

    97511e3438221ac9c30944fca7b91e87978c1248

    SHA256

    58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8

    SHA512

    5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106


  • C:\Users\Admin\AppData\Local\Temp\EBA2\75D1.bat
    Filesize

    112B

    MD5

    5fc401d2a575bc2f2091c704f3dc12c6

    SHA1

    f42d307e59ef42fdfdeef5752fcea5290e320d42

    SHA256

    4fea69b6a9839d8ef7adbbded58f5dbaef7de63c9bcb1181981e1636dbbceb8f

    SHA512

    39964b8c02f9c39f48db87a66d7fde63db21aa4a19aa271aad525a18f4e9408b80e6a08e7a98748352a31f98cd2b8f4b8bba9fe1a3173e69e7e72d5e30c09615

  • C:\Users\Admin\AppData\Roaming\clfsgacy\audiApis.exe
    Filesize

    418KB

    MD5

    b8ea5cdd085bea860fb94bef2fecb6d9

    SHA1

    3788cec204c0f2f6fe674fba85895f99f48a1f23

    SHA256

    3a252ac37d78baad0a81242c0cb2bd68208c12267aa87d3cd3c5d594f1de27a5

    SHA512

    45dabd78a10f66209abef6446b96f4782ff7b6a20380282a5be6380f3d7e50020d171478226752659f0808f5d1ce870f617add30d132f981bbcb26347ff6a632

