gozi | 1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85

General

Target

1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
Size

274KB
MD5

e4887286f3e2d429ad5656e609a0a10e
SHA1

1b1cdcc60d9f5d0e871b4aa9827c77f5ad871e68
SHA256

1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85
SHA512

57cd8cb009a095e6d94ea16a28602428aa37bcff78cd8835afb2310cfeded84f0a021786e99dbc0f55425dd7c739a4d760ad20b1c887b698dcafbb37ea4fcb6a
SSDEEP

3072:rA3U3itVPvf2br58lNKlyExkBd0+lpsHcoAYwdPlHVuIXKDlbtT8NS0Y/ONlVv4h:ZiVX+5WQl1+lpEdA7F0pik0zPgk

Score

10^/10

gozi 1010 banker isfb persistence ransomware trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

sys.naturallymewraps.com/geodata/version/ip2ext

nan.bocalee.com/geodata/version/ip2ext

sys.aronzvi.com/geodata/version/ip2ext

lan.hayloindigo.com/geodata/version/ip2ext

lansystemstat.com/geodata/version/ip2ext

highnetwork.pw/geodata/version/ip2ext

lostnetwork.in/geodata/version/ip2ext

sysconnections.net/geodata/version/ip2ext

lansupports.com/geodata/version/ip2ext

Attributes

build
212578
exe_type
worker
server_id
30

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1564 cmd.exe

pid	process
1564	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhcpprop = "C:\\Windows\\system32\\Audiwcfg.exe"	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

Drops file in System32 directory 2 IoCs

Processes:

1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

description	ioc	process
File created	C:\Windows\system32\Audiwcfg.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
File opened for modification	C:\Windows\system32\Audiwcfg.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1F3A.bin"	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

description	pid	process	target process
PID 1648 set thread context of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 2028 set thread context of 1096	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

pid process

2028 1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

pid process

2028 1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

pid	process
2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

pid	process
2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe
Token: 33	920	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	920	AUDIODG.EXE
Token: 33	920	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	920	AUDIODG.EXE
Token: SeShutdownPrivilege	1096	explorer.exe
Token: SeShutdownPrivilege	1096	explorer.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

explorer.exe

pid	process
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

explorer.exe

pid	process
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1096 explorer.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.execmd.exe

description	pid	process	target process
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 1648 wrote to memory of 2028	1648	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
PID 2028 wrote to memory of 1096	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	explorer.exe
PID 2028 wrote to memory of 1096	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	explorer.exe
PID 2028 wrote to memory of 1096	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	explorer.exe
PID 2028 wrote to memory of 1096	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	explorer.exe
PID 2028 wrote to memory of 1096	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	explorer.exe
PID 2028 wrote to memory of 1096	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	explorer.exe
PID 2028 wrote to memory of 1096	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	explorer.exe
PID 2028 wrote to memory of 1564	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	cmd.exe
PID 2028 wrote to memory of 1564	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	cmd.exe
PID 2028 wrote to memory of 1564	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	cmd.exe
PID 2028 wrote to memory of 1564	2028	1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe	cmd.exe
PID 1564 wrote to memory of 1912	1564	cmd.exe	attrib.exe
PID 1564 wrote to memory of 1912	1564	cmd.exe	attrib.exe
PID 1564 wrote to memory of 1912	1564	cmd.exe	attrib.exe
PID 1564 wrote to memory of 1912	1564	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1912 attrib.exe

pid	process
1912	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
"C:\Users\Admin\AppData\Local\Temp\1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe
"C:\Users\Admin\AppData\Local\Temp\1c12d42c868d71d6c8b98ef9ea6a6c07490f374d52d3d55b541cec2f6f108c85.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\explorer.exe
C:\Windows\explorer.exe
3⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6F64.bat" "C:\Users\Admin\AppData\Local\Temp\1C12D4~1.EXE""
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\1C12D4~1.EXE"
4⤵
- Views/modifies file attributes
PID:1912

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1F3A.bin
Filesize
3.5MB

MD5
cdc0571f788e01f0061b48f54ed9ef99

SHA1
6e61791bf380bcf1ed7cbe10d128f8b858a60b28

SHA256
035bf98f9985b491fd6a8d2e695d8d8d9e05d8f69ff477127a9e248ab42b6471

SHA512
cc3235a22eb02e1fb255fb895a8a719bb7c2183397b17aab3a0e8997ac59e4cbcd5446b258f0a1803f11df756645791f070772d0c607bc74397d078523ebc92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F64.bat
Filesize
72B

MD5
759be203e3dfa7d7821c35505230a0e9

SHA1
42b0539f6c29f147792a8403751c8a6cbb5fc9fd

SHA256
b056e78c8cb08dc0f7edcda2bae6e56d777c57ee3f8c03a4b5e2e95d172cb129

SHA512
69049f8f968099edf1d2c1d34e3b7324528b41dff81182ffe4ccbb11091a15d8201942346425594ac83482900832f4abd8fa1c74ffb1b229c23e2bf6b1145622

Download Submit
memory/1096-68-0x0000000000000000-mapping.dmp

Download
memory/1096-71-0x0000000001BB0000-0x0000000001C36000-memory.dmp

Filesize
536KB

Download
memory/1096-69-0x000007FEFAB51000-0x000007FEFAB53000-memory.dmp

Filesize
8KB

Download
memory/1564-73-0x0000000000000000-mapping.dmp

Download
memory/1912-75-0x0000000000000000-mapping.dmp

Download
memory/2028-66-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/2028-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-67-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-64-0x000000000040110F-mapping.dmp

Download
memory/2028-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-57-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2028-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads