Analysis

  • max time kernel
    180s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-11-2022 07:08

General

  • Target

    a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe

  • Size

    493KB

  • MD5

    02e4f7328ea0d24c85becbe13c13bacf

  • SHA1

    5534138034a0e0eb0a183ec6143a6762cc27c4f9

  • SHA256

    a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755

  • SHA512

    d3db4ce11c19cce9cbf26624b865e729e6c00be4c1f32a3cb3e925a870b8e168d507f0d173e5996490316a4b720cf9dbc613f7668bf345a13b1225bbb64b3990

  • SSDEEP

    6144:AseFPcfIB+6+AVbYXkbv7xxfC0Gwxbr6hYYJu:/ChB+YVbYUbjxx60b

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe
    "C:\Users\Admin\AppData\Local\Temp\a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FD12\FE89.bat" "C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\A9FFAE~1.EXE""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C ""C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\A9FFAE~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4280
        • C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
          "C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\A9FFAE~1.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4384
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1868
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 588
              5⤵
              • Program crash
              PID:1800
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4384 -ip 4384
      1⤵
        PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FD12\FE89.bat
    Filesize
    112B
    MD5
    e985de6bae650d05b75c11ba5474b7e8
    SHA1
    c591a8dc5202db3b74b34ec11c9bfda754111be7
    SHA256
    95ef6c4550ef9938992d2bb18fc832df2f659726e1e0ac53009f34aec36b6f70
    SHA512
    26856447b7a53d2969f7aca4a0e88f467a02f50ded538bada361a7af4b4d3707e1027a54baf1809550e2a8b62ba982de90f666f8994c999b9f7d9b9ea633c665

  • C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
    Filesize
    493KB
    MD5
    02e4f7328ea0d24c85becbe13c13bacf
    SHA1
    5534138034a0e0eb0a183ec6143a6762cc27c4f9
    SHA256
    a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755
    SHA512
    d3db4ce11c19cce9cbf26624b865e729e6c00be4c1f32a3cb3e925a870b8e168d507f0d173e5996490316a4b720cf9dbc613f7668bf345a13b1225bbb64b3990

  • memory/4280-137-0x0000000000000000-mapping.dmp
  • memory/4384-138-0x0000000000000000-mapping.dmp
  • memory/4384-141-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize
    504KB
  • memory/4384-143-0x00000000005E0000-0x0000000000610000-memory.dmp
    Filesize
    192KB
  • memory/4440-135-0x0000000000000000-mapping.dmp
  • memory/4708-132-0x0000000000400000-0x000000000047E000-memory.dmp
    Filesize
    504KB
  • memory/4708-134-0x00000000021D0000-0x0000000002200000-memory.dmp
    Filesize
    192KB