Analysis

  • max time kernel
    600s
  • max time network
    511s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-10-2022 00:07

General

  • Target

    42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe

  • Size

    437KB

  • MD5

    b5f35ddf66046061fe55935b2bb210c8

  • SHA1

    1b0cc49bdbc8959938088747c048fc98b8386bad

  • SHA256

    42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676

  • SHA512

    a7da8abe2f84df3a6317e92abb1b78319a84033853b76bfd4ad2018f1cd59cfcb36f9f2e8d76646b8550b2ef2ec863ae5c775252f48d5b3bf05948903c59c265

  • SSDEEP

    6144:nuU4My6j817/7TodFsGN858k31BSZW5lV3QfZ0SHKDGiRX8AeZ+oDsCgu77+YESv:nuuyt7jTodFzjUD5AfZ0cUGW8V6QcAHd

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1001

Attributes
  • build

    215840

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • exe_type

    worker

  • server_id

    93

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3420
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4708
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:3712
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2220
          • C:\Users\Admin\AppData\Local\Temp\42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe
            "C:\Users\Admin\AppData\Local\Temp\42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676.exe"
            2⤵
            • Checks computer location settings
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3348
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3D2C\9E96.bat" "C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\429236~1.EXE""
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3740
              • C:\Windows\SysWOW64\cmd.exe
                cmd /C ""C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\429236~1.EXE""
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3640
                • C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
                  "C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\429236~1.EXE"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:4996
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe
                    6⤵
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of WriteProcessMemory
                    PID:2676
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:5064

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\3D2C\9E96.bat

            Filesize

            112B

            MD5

            cd0da4581114d8a20394c3118e76219e

            SHA1

            59c42dedccb955507aaf07ceac492b428e708298

            SHA256

            9f4a52b0ffa2ad75689899e4e8b7d12edbed27882d920ad7bb85f4a7fc5f50d6

            SHA512

            9e6e8641115cf3cdacf8ce4e836eec4c1330861683c9827ab3705fafc5b0b1dd90f445858221fc736479354de070bc0a3a360cbd44ad2b34f8946824af68d308

          • C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe

            Filesize

            437KB

            MD5

            b5f35ddf66046061fe55935b2bb210c8

            SHA1

            1b0cc49bdbc8959938088747c048fc98b8386bad

            SHA256

            42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676

            SHA512

            a7da8abe2f84df3a6317e92abb1b78319a84033853b76bfd4ad2018f1cd59cfcb36f9f2e8d76646b8550b2ef2ec863ae5c775252f48d5b3bf05948903c59c265

          • C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe

            Filesize

            437KB

            MD5

            b5f35ddf66046061fe55935b2bb210c8

            SHA1

            1b0cc49bdbc8959938088747c048fc98b8386bad

            SHA256

            42923683022f255205e9e0269abf1d6d676b4b4dfa4afec040fb4b21c24e0676

            SHA512

            a7da8abe2f84df3a6317e92abb1b78319a84033853b76bfd4ad2018f1cd59cfcb36f9f2e8d76646b8550b2ef2ec863ae5c775252f48d5b3bf05948903c59c265

          • memory/2220-152-0x0000000002E50000-0x0000000002EEB000-memory.dmp

            Filesize

            620KB

          • memory/2220-147-0x0000000002E50000-0x0000000002EEB000-memory.dmp

            Filesize

            620KB

          • memory/2676-146-0x00000000004B0000-0x000000000054B000-memory.dmp

            Filesize

            620KB

          • memory/3348-133-0x0000000000400000-0x0000000000473000-memory.dmp

            Filesize

            460KB

          • memory/3348-132-0x0000000002770000-0x00000000027B4000-memory.dmp

            Filesize

            272KB

          • memory/3348-136-0x0000000002770000-0x00000000027B4000-memory.dmp

            Filesize

            272KB

          • memory/3420-148-0x00000210D6200000-0x00000210D629B000-memory.dmp

            Filesize

            620KB

          • memory/3712-149-0x0000012D443A0000-0x0000012D4443B000-memory.dmp

            Filesize

            620KB

          • memory/4708-150-0x00000297DEF30000-0x00000297DEFCB000-memory.dmp

            Filesize

            620KB

          • memory/4996-142-0x0000000002350000-0x0000000002394000-memory.dmp

            Filesize

            272KB

          • memory/4996-143-0x0000000000400000-0x0000000000473000-memory.dmp

            Filesize

            460KB

          • memory/5064-151-0x0000012C40510000-0x0000012C405AB000-memory.dmp

            Filesize

            620KB