gozi | 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f

General

Target

9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
Size

314KB
MD5

e0e2f137d0ef1d11048e17939d8cbde2
SHA1

f38131561bb462dece03f2733c5038013ecce24c
SHA256

9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f
SHA512

7d6c4e6e22182d51cd19194e76a9bb31960072b68bc7f986a00cf5bd7a90f06f47017de090074e18f84fbb8c4790ca1fecbff57fdfb9bbe4557ebd4fbb221671
SSDEEP

6144:d5LMc6W0CMk2TBqx8p1668QblbUebV5k2FiZRX7Zp7j9:rT6tC72Tsx8p166xFbVCuiZZv7j

Score

10^/10

gozi 1010 banker isfb persistence ransomware trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

sys.naturallymewraps.com/geodata/version/ip2ext

nan.bocalee.com/geodata/version/ip2ext

sys.aronzvi.com/geodata/version/ip2ext

lan.hayloindigo.com/geodata/version/ip2ext

lansystemstat.com/geodata/version/ip2ext

highnetwork.pw/geodata/version/ip2ext

lostnetwork.in/geodata/version/ip2ext

sysconnections.net/geodata/version/ip2ext

lansupports.com/geodata/version/ip2ext

Attributes

build
212578
exe_type
worker
server_id
30

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

464 cmd.exe

pid	process
464	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dpmoprov = "C:\\Windows\\system32\\cmstwave.exe"	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

Drops file in System32 directory 2 IoCs

Processes:

9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

description	ioc	process
File opened for modification	C:\Windows\system32\cmstwave.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
File created	C:\Windows\system32\cmstwave.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\29A6.bin"	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

description	pid	process	target process
PID 2032 set thread context of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2016 set thread context of 676	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

pid process

2016 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

pid process

2016 9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

pid	process
2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

pid	process
2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	676	explorer.exe
Token: SeShutdownPrivilege	676	explorer.exe
Token: SeShutdownPrivilege	676	explorer.exe
Token: SeShutdownPrivilege	676	explorer.exe
Token: SeShutdownPrivilege	676	explorer.exe
Token: SeShutdownPrivilege	676	explorer.exe
Token: SeShutdownPrivilege	676	explorer.exe
Token: SeShutdownPrivilege	676	explorer.exe
Token: SeShutdownPrivilege	676	explorer.exe
Token: SeShutdownPrivilege	676	explorer.exe
Token: 33	1612	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1612	AUDIODG.EXE
Token: 33	1612	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1612	AUDIODG.EXE
Token: SeShutdownPrivilege	676	explorer.exe
Token: SeShutdownPrivilege	676	explorer.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

explorer.exe

pid	process
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

explorer.exe

pid	process
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe
676	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

676 explorer.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2032 wrote to memory of 2016	2032	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
PID 2016 wrote to memory of 676	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	explorer.exe
PID 2016 wrote to memory of 676	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	explorer.exe
PID 2016 wrote to memory of 676	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	explorer.exe
PID 2016 wrote to memory of 676	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	explorer.exe
PID 2016 wrote to memory of 676	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	explorer.exe
PID 2016 wrote to memory of 676	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	explorer.exe
PID 2016 wrote to memory of 676	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	explorer.exe
PID 2016 wrote to memory of 464	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	cmd.exe
PID 2016 wrote to memory of 464	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	cmd.exe
PID 2016 wrote to memory of 464	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	cmd.exe
PID 2016 wrote to memory of 464	2016	9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe	cmd.exe
PID 464 wrote to memory of 1520	464	cmd.exe	attrib.exe
PID 464 wrote to memory of 1520	464	cmd.exe	attrib.exe
PID 464 wrote to memory of 1520	464	cmd.exe	attrib.exe
PID 464 wrote to memory of 1520	464	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1520 attrib.exe

pid	process
1520	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
"C:\Users\Admin\AppData\Local\Temp\9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe
"C:\Users\Admin\AppData\Local\Temp\9d9f24669f5b132d027e5648bee11a57b514d3daea75d36a292da89f2b828e9f.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\explorer.exe
C:\Windows\explorer.exe
3⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6872.bat" "C:\Users\Admin\AppData\Local\Temp\9D9F24~1.EXE""
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\9D9F24~1.EXE"
4⤵
- Views/modifies file attributes
PID:1520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\29A6.bin
Filesize
3.5MB

MD5
a4e2f065172a7712493a8139333e72f7

SHA1
89a8e1f6d05d6bd4f4e214cdfecfd4ec27cfd4c0

SHA256
c235684e03276a29e64e80b24ea5033eddca906984bc79fb56ccde0e9da1e0be

SHA512
3e86b4f5ab50bdafab05f2d1a39f5d4f2a82ede3c9c9921c4e38e7462a4c818d1da213aa370270b6f8022ab42d6379e38cf41bb206f07e6bed710e9f544f624c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6872.bat
Filesize
72B

MD5
36120446dbe4456d6a92c9d1b4e3f9f9

SHA1
b29949d121eb55a11b58c1fa33b4e7fa796681a7

SHA256
e343c858c794f0acc7247739aab57f04ff323c5792e5923ccbc1aae52e3f2ad3

SHA512
3713f2f958cf3c964f8598751f2a639168e85fca5e75a78a7bf8580a29f2a35e0c626b6ea230a4c476a8cb51120d5113e28606bcdc5090b330cd39c6a3b437c2

Download Submit
memory/464-73-0x0000000000000000-mapping.dmp

Download
memory/676-68-0x0000000000000000-mapping.dmp

Download
memory/676-71-0x00000000001F0000-0x0000000000276000-memory.dmp

Filesize
536KB

Download
memory/676-69-0x000007FEFBDD1000-0x000007FEFBDD3000-memory.dmp

Filesize
8KB

Download
memory/1520-75-0x0000000000000000-mapping.dmp

Download
memory/2016-66-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2016-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-67-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-64-0x000000000040110F-mapping.dmp

Download
memory/2016-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads