gozi | a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700

General

Target

a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe
Size

430KB
MD5

fcf5c2e8baafde4f0d4334aec04009a4
SHA1

7c14de6dcfa2f34966b97a49093eb91c1bc1c7fd
SHA256

a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700
SHA512

de955f8b2c76e0f93bfd5a2b68a5509be69c68ed2256ab76a57b2a1838e5306b5fb3d641e736d3037a7c4db69cb66296dcff4a7766f483fdea94392086d8447d
SSDEEP

6144:8QsE6W/19evWMzL3Lt6b21mc4PdLXEeLw6o:83E6k19eDHLtqPc4VzEey

Score

10^/10

gozi 1010 banker isfb persistence ransomware trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

nan.bocalee.com/geodata/version/ip2ext

sys.aronzvi.com/geodata/version/ip2ext

lan.hayloindigo.com/geodata/version/ip2ext

sys.jacentacobb.com/geodata/version/ip2ext

lansystemstat.com/geodata/version/ip2ext

highnetwork.pw/geodata/version/ip2ext

lostnetwork.in/geodata/version/ip2ext

sysconnections.net/geodata/version/ip2ext

lansupports.com/geodata/version/ip2ext

Attributes

build
212578
exe_type
worker
server_id
30

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1332 cmd.exe

pid	process
1332	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\dhcpprop = "C:\\Windows\\system32\\Audiwcfg.exe"	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

Drops file in System32 directory 2 IoCs

Processes:

a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

description	ioc	process
File created	C:\Windows\system32\Audiwcfg.exe	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe
File opened for modification	C:\Windows\system32\Audiwcfg.exe	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\229.bin"	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

description	pid	process	target process
PID 2008 set thread context of 1732	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

pid process

2008 a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1732 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

pid process

2008 a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

pid	process
2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

pid	process
2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1732	explorer.exe
Token: SeShutdownPrivilege	1732	explorer.exe
Token: SeShutdownPrivilege	1732	explorer.exe
Token: SeShutdownPrivilege	1732	explorer.exe
Token: SeShutdownPrivilege	1732	explorer.exe
Token: SeShutdownPrivilege	1732	explorer.exe
Token: SeShutdownPrivilege	1732	explorer.exe
Token: SeShutdownPrivilege	1732	explorer.exe
Token: SeShutdownPrivilege	1732	explorer.exe
Token: SeShutdownPrivilege	1732	explorer.exe
Token: 33	1728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1728	AUDIODG.EXE
Token: 33	1728	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1728	AUDIODG.EXE
Token: SeShutdownPrivilege	1732	explorer.exe
Token: SeShutdownPrivilege	1732	explorer.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

explorer.exe

pid	process
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

explorer.exe

pid	process
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe
1732	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1732 explorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.execmd.exe

description	pid	process	target process
PID 2008 wrote to memory of 1732	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	explorer.exe
PID 2008 wrote to memory of 1732	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	explorer.exe
PID 2008 wrote to memory of 1732	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	explorer.exe
PID 2008 wrote to memory of 1732	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	explorer.exe
PID 2008 wrote to memory of 1732	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	explorer.exe
PID 2008 wrote to memory of 1732	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	explorer.exe
PID 2008 wrote to memory of 1732	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	explorer.exe
PID 2008 wrote to memory of 1332	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	cmd.exe
PID 2008 wrote to memory of 1332	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	cmd.exe
PID 2008 wrote to memory of 1332	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	cmd.exe
PID 2008 wrote to memory of 1332	2008	a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe	cmd.exe
PID 1332 wrote to memory of 1684	1332	cmd.exe	attrib.exe
PID 1332 wrote to memory of 1684	1332	cmd.exe	attrib.exe
PID 1332 wrote to memory of 1684	1332	cmd.exe	attrib.exe
PID 1332 wrote to memory of 1684	1332	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1684 attrib.exe

pid	process
1684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe
"C:\Users\Admin\AppData\Local\Temp\a1b6e7058b45dcf73e569ffd1559fb167a48fb4526d180213f25e517a6141700.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2C3D.bat" "C:\Users\Admin\AppData\Local\Temp\A1B6E7~1.EXE""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\A1B6E7~1.EXE"
3⤵
- Views/modifies file attributes
PID:1684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2C3D.bat
Filesize
72B

MD5
185d483392fd8c2f00f7ed4ca972aa36

SHA1
61bde09f7e4d424d521b19df4a57b13934fa1702

SHA256
f158abec9d3b5950a305f4c485058d2c1ff8bfd57712565c6663170ca8265609

SHA512
8ba7f5ff168a8a558a812030ac311df27c271472355265abf8d8f3dcac10a65544b189aaa6578ad16f9599811269d2f812732fff41daae59cfd9a8a9f64be6cb

Download Submit
memory/1332-59-0x0000000000000000-mapping.dmp

Download
memory/1684-63-0x0000000000000000-mapping.dmp

Download
memory/1732-56-0x0000000000000000-mapping.dmp

Download
memory/1732-58-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/1732-64-0x0000000000340000-0x00000000003C6000-memory.dmp

Filesize
536KB

Download
memory/2008-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/2008-55-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2008-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2008-60-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2008-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads