gozi | a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755

General

Target

a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe
Size

493KB
MD5

02e4f7328ea0d24c85becbe13c13bacf
SHA1

5534138034a0e0eb0a183ec6143a6762cc27c4f9
SHA256

a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755
SHA512

d3db4ce11c19cce9cbf26624b865e729e6c00be4c1f32a3cb3e925a870b8e168d507f0d173e5996490316a4b720cf9dbc613f7668bf345a13b1225bbb64b3990
SSDEEP

6144:AseFPcfIB+6+AVbYXkbv7xxfC0Gwxbr6hYYJu:/ChB+YVbYUbjxx60b

Score

10^/10

gozi 1010 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 1 IoCs

Processes:

Appxplua.exe

pid process

4384 Appxplua.exe

pid	process
4384	Appxplua.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\altsangs = "C:\\Users\\Admin\\AppData\\Roaming\\baseeMas\\Appxplua.exe"	a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1800 4384 WerFault.exe Appxplua.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Appxplua.exe

pid process

4384 Appxplua.exe
4384 Appxplua.exe

pid	pid_target	process	target process
1800	4384	WerFault.exe	Appxplua.exe

pid	process
4384	Appxplua.exe
4384	Appxplua.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.execmd.execmd.exeAppxplua.exe

description	pid	process	target process
PID 4708 wrote to memory of 4440	4708	a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe	cmd.exe
PID 4708 wrote to memory of 4440	4708	a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe	cmd.exe
PID 4708 wrote to memory of 4440	4708	a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe	cmd.exe
PID 4440 wrote to memory of 4280	4440	cmd.exe	cmd.exe
PID 4440 wrote to memory of 4280	4440	cmd.exe	cmd.exe
PID 4440 wrote to memory of 4280	4440	cmd.exe	cmd.exe
PID 4280 wrote to memory of 4384	4280	cmd.exe	Appxplua.exe
PID 4280 wrote to memory of 4384	4280	cmd.exe	Appxplua.exe
PID 4280 wrote to memory of 4384	4280	cmd.exe	Appxplua.exe
PID 4384 wrote to memory of 1868	4384	Appxplua.exe	svchost.exe
PID 4384 wrote to memory of 1868	4384	Appxplua.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe
"C:\Users\Admin\AppData\Local\Temp\a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FD12\FE89.bat" "C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\A9FFAE~1.EXE""
2⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\A9FFAE~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
"C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe" "C:\Users\Admin\AppData\Local\Temp\A9FFAE~1.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 588
5⤵
- Program crash
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4384 -ip 4384
1⤵
PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FD12\FE89.bat
Filesize
112B

MD5
e985de6bae650d05b75c11ba5474b7e8

SHA1
c591a8dc5202db3b74b34ec11c9bfda754111be7

SHA256
95ef6c4550ef9938992d2bb18fc832df2f659726e1e0ac53009f34aec36b6f70

SHA512
26856447b7a53d2969f7aca4a0e88f467a02f50ded538bada361a7af4b4d3707e1027a54baf1809550e2a8b62ba982de90f666f8994c999b9f7d9b9ea633c665

Download Submit
C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
Filesize
493KB

MD5
02e4f7328ea0d24c85becbe13c13bacf

SHA1
5534138034a0e0eb0a183ec6143a6762cc27c4f9

SHA256
a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755

SHA512
d3db4ce11c19cce9cbf26624b865e729e6c00be4c1f32a3cb3e925a870b8e168d507f0d173e5996490316a4b720cf9dbc613f7668bf345a13b1225bbb64b3990

Download Submit
C:\Users\Admin\AppData\Roaming\baseeMas\Appxplua.exe
Filesize
493KB

MD5
02e4f7328ea0d24c85becbe13c13bacf

SHA1
5534138034a0e0eb0a183ec6143a6762cc27c4f9

SHA256
a9ffaed3f7276ab6d8472dc457a8d11698426da23d070d9651ce247f9eb33755

SHA512
d3db4ce11c19cce9cbf26624b865e729e6c00be4c1f32a3cb3e925a870b8e168d507f0d173e5996490316a4b720cf9dbc613f7668bf345a13b1225bbb64b3990

Download Submit
memory/4280-137-0x0000000000000000-mapping.dmp

Download
memory/4384-138-0x0000000000000000-mapping.dmp

Download
memory/4384-141-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4384-143-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/4440-135-0x0000000000000000-mapping.dmp

Download
memory/4708-132-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4708-134-0x00000000021D0000-0x0000000002200000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads