gozi | 0f5cce66023859e9d7e3f54b78e95bf09618db5ed01fe05b765d76ab156271da

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2022 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

37KB
MD5

9676298f24c8cdd4b532ac027a00f60e
SHA1

8d0bd57712533f1a889627706925c17ed4347ce5
SHA256

0f5cce66023859e9d7e3f54b78e95bf09618db5ed01fe05b765d76ab156271da
SHA512

525b70896530a60cf58de64e8052ef2a8eb5ccc73d86fcd1f55d4850e682e3ff44c7ebc18ab029fc479b75a9a0083765c314c542b356d7ef8a7e7e493f13e7fd
SSDEEP

768:/QLm41fM01vAqyRrlpItKFyr8MS1g7/s1w70anLq:/L41fMSvXArbYVrO0/saLq

Score

10^/10

gozi 5 banker isfb trojan

Malware Config

Extracted

Family

gozi

Botnet

lentaphoto.at

iujdhsndjfks.ru

gameindikdowd.ru

jhgfdlkjhaoiu.su

Attributes

base_path
/uploaded/
build
250246
exe_type
loader
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi

Botnet

lentaphoto.at

iujdhsndjfks.ru

gameindikdowd.ru

jhgfdlkjhaoiu.su

Attributes

base_path
/uploaded/
build
250246
exe_type
worker
extension
.pct
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation mshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	mshta.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4228 set thread context of 1084	4228	powershell.exe	Explorer.EXE
PID 1084 set thread context of 3508	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 set thread context of 3740	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 set thread context of 4648	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 set thread context of 4008	1084	Explorer.EXE	cmd.exe
PID 4008 set thread context of 4556	4008	cmd.exe	PING.EXE
PID 1084 set thread context of 3500	1084	Explorer.EXE	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4556 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4556 PING.EXE

pid	process
4556	PING.EXE

pid	process
4556	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

main.exepowershell.exeExplorer.EXE

pid	process
4944	main.exe
4944	main.exe
4228	powershell.exe
4228	powershell.exe
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

4228 powershell.exe
1084 Explorer.EXE
1084 Explorer.EXE
1084 Explorer.EXE
1084 Explorer.EXE
4008 cmd.exe
1084 Explorer.EXE

pid	process
4228	powershell.exe
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
1084	Explorer.EXE
4008	cmd.exe
1084	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeShutdownPrivilege	1084	Explorer.EXE
Token: SeCreatePagefilePrivilege	1084	Explorer.EXE
Token: SeShutdownPrivilege	1084	Explorer.EXE
Token: SeCreatePagefilePrivilege	1084	Explorer.EXE
Token: SeShutdownPrivilege	1084	Explorer.EXE
Token: SeCreatePagefilePrivilege	1084	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1084 Explorer.EXE

pid	process
1084	Explorer.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

mshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3416 wrote to memory of 4228	3416	mshta.exe	powershell.exe
PID 3416 wrote to memory of 4228	3416	mshta.exe	powershell.exe
PID 4228 wrote to memory of 1204	4228	powershell.exe	csc.exe
PID 4228 wrote to memory of 1204	4228	powershell.exe	csc.exe
PID 1204 wrote to memory of 3244	1204	csc.exe	cvtres.exe
PID 1204 wrote to memory of 3244	1204	csc.exe	cvtres.exe
PID 4228 wrote to memory of 996	4228	powershell.exe	csc.exe
PID 4228 wrote to memory of 996	4228	powershell.exe	csc.exe
PID 996 wrote to memory of 4668	996	csc.exe	cvtres.exe
PID 996 wrote to memory of 4668	996	csc.exe	cvtres.exe
PID 4228 wrote to memory of 1084	4228	powershell.exe	Explorer.EXE
PID 4228 wrote to memory of 1084	4228	powershell.exe	Explorer.EXE
PID 4228 wrote to memory of 1084	4228	powershell.exe	Explorer.EXE
PID 4228 wrote to memory of 1084	4228	powershell.exe	Explorer.EXE
PID 1084 wrote to memory of 3508	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3508	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 4008	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 4008	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 4008	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 3508	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3508	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3740	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3740	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3740	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 3740	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 4648	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 4648	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 4648	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 4648	1084	Explorer.EXE	RuntimeBroker.exe
PID 1084 wrote to memory of 4008	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 4008	1084	Explorer.EXE	cmd.exe
PID 4008 wrote to memory of 4556	4008	cmd.exe	PING.EXE
PID 4008 wrote to memory of 4556	4008	cmd.exe	PING.EXE
PID 4008 wrote to memory of 4556	4008	cmd.exe	PING.EXE
PID 4008 wrote to memory of 4556	4008	cmd.exe	PING.EXE
PID 4008 wrote to memory of 4556	4008	cmd.exe	PING.EXE
PID 1084 wrote to memory of 3500	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 3500	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 3500	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 3500	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 3500	1084	Explorer.EXE	cmd.exe
PID 1084 wrote to memory of 3500	1084	Explorer.EXE	cmd.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3508

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4944

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>D03n='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(D03n).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\51C98FB5-7C72-AB2B-0E15-700F2219A4B3\\\TypePack'));if(!window.flag)close()</script>"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vwoehytn -value gp; new-alias -name sxogiw -value iex; sxogiw ([System.Text.Encoding]::ASCII.GetString((vwoehytn "HKCU:Software\AppDataLow\Software\Microsoft\51C98FB5-7C72-AB2B-0E15-700F2219A4B3").VirtualWhite))
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqc0pj5w\wqc0pj5w.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6992.tmp" "c:\Users\Admin\AppData\Local\Temp\wqc0pj5w\CSCE0E47F3140F1453FB942649E8633FE.TMP"
5⤵
PID:3244

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g4yz3ulg\g4yz3ulg.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A6D.tmp" "c:\Users\Admin\AppData\Local\Temp\g4yz3ulg\CSC1B531F9EE47F45A8B7CEEC91AA512F2.TMP"
5⤵
PID:4668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\main.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4556

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:3500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4648

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6992.tmp
Filesize
1KB

MD5
af0d0eeafdf1e8f932b25f20344dbad7

SHA1
531cf800fb1b21d14e36b21b40835cc66103739e

SHA256
2060367006a04a9be7b9dae81e3c5a0e45d73f52a13b349e342b1e243ef70bd2

SHA512
591c5a088a20a8bc30c17b55eca6690a99cf603ad8d74c647befcff2b01b4879299f6457bf0d2b3e693bfc7cd6474bad002ebf9de4934979d13ccf32be8af132

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6A6D.tmp
Filesize
1KB

MD5
007ea5e941c24074b76ad45c7e364d34

SHA1
333c93cc6f7fff893b2adccc6e235ddc6a24abd1

SHA256
6f0a8a10dcc77b6995ef6ef8e86f0990e3f6a355a9b65309abd375189c0b33ec

SHA512
889774824610b5ea435fef6197143625f70b37aef0bf7c6d89224420020cf20ea83cb9534a5c25b7719cd834a7d12981b79647c318096a30e6cc2f8abb00f3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\g4yz3ulg\g4yz3ulg.dll
Filesize
3KB

MD5
4234e22e2bae89f64b923187f5734b62

SHA1
067de0ea7d10858d3d137e53eb486de8e831a89b

SHA256
0cbc160e22ccdc1375edc36a25a4b44bcfbb4313981776284101ceff925894bd

SHA512
a6061fbf8860615515a996dbe7aad4450747d93e4f5b120cf8ab8477e91bc85f018e8e3a24eb22f56aeb3fac54c150a0d04e7d88ae3cf68793b0bc4ade3bca63

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqc0pj5w\wqc0pj5w.dll
Filesize
3KB

MD5
ba8ff6055057a6f4e3b7226022c09687

SHA1
b36c591421286bb5f40299ea28ce535a7a76d20f

SHA256
adf02eb2256f14eb9128d49c4d5b52c53665fce03ca4ce267e023d7e0c802ab9

SHA512
218f432cbbdabf4a962bdd0d01883f51c4552d796054cac0c55e29be7cbda22d5ad9fad7403e167f71b006b400bea40aba2f8d27cdd63da01f7acef0c3d16fc0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g4yz3ulg\CSC1B531F9EE47F45A8B7CEEC91AA512F2.TMP
Filesize
652B

MD5
7ba068372537eb05004898ed589974f6

SHA1
60c88307979734b869515cd08e47af7669a48810

SHA256
74667b95f0f4344540f3c9abdd97f03d623ab196d5060285996541b5ed8188ee

SHA512
38e069229645bde7f764f46bc88462f23975533cb664c7a62e1c23a5f7c22676bbaafb94d1e981faa7c053c2faea0290518c21fc838c1c39460d6646b657593a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g4yz3ulg\g4yz3ulg.0.cs
Filesize
400B

MD5
f31a91cb873d422f30e84bfc6f0e4919

SHA1
87946e5b050bc8c66c9f04ebb9f82e210522d8ee

SHA256
91af8fc99b650c87f7c49faa1e0499f673e034ed712eb62782cfacbdf8329f84

SHA512
242e12d8c01ef5bf6866fc09bd8a4ab9fb6c7ea1ac4bead56610db30f15f0c7b38d7da8706ab4bb8ad5647d5b2ccfb9717b85324ca0099c6dcdd7fde13e5906b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g4yz3ulg\g4yz3ulg.cmdline
Filesize
369B

MD5
1379b550f897257adb4635bb8a1678b5

SHA1
2e9bf0e3de95ff9498268ebb31053587a1002c44

SHA256
634df9805c739d897529ac254c4821d5950ffa01fe9ad49c74d6ab1cb0f78d23

SHA512
321c93f1a4e021df87b2c075015f40845f704954f37ca4dbb7f0f7770cb6d98de24b33876b2343037b66e4ac03e03327f06d07d06b27804895a7058f11dc7fe7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqc0pj5w\CSCE0E47F3140F1453FB942649E8633FE.TMP
Filesize
652B

MD5
80ad41a139ea822ce86fe944b0458936

SHA1
c0eaac9ab3b626c4701d17bef80d3e6df02a7f3e

SHA256
33577dbe6ff7e6ec03f7c2c22e12f83324970356f64081b70f56e03a2d4a5d14

SHA512
dd04bb817bd08624935778185ec3da64e5739f02e478d4a9ca27db428624492d58fb388e7f393bf43833c6f8ec858bf3a563db310c8f7289dfae3a76efaead5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqc0pj5w\wqc0pj5w.0.cs
Filesize
418B

MD5
19fd6f555ad7c58d574c00f46f087b02

SHA1
025ec4778721f20fdbff775edd2351baea93846c

SHA256
9d08df39ad05bd4a53f416ab8ef6a2fca313eb9a1498e451284b445bb1830dac

SHA512
188488549588e593523ddab3a8372d47e016841c3ce1594a456c0ac7c73763a3ae1e8a5fffdc7b6455bd869d0f6bdebd6b6bcb2aa6a6b4cf658231ce72dc40b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqc0pj5w\wqc0pj5w.cmdline
Filesize
369B

MD5
2e943d0de9f4037468d2e731faa50eca

SHA1
228278c99209c38c065086da07ffa0f006efcff5

SHA256
fd22c3e5cb26eabdf16204adaea75295c8301d0838a800a8cd631de4f19d6de2

SHA512
a417e201a3d201801bdb991367bd79e15034e25c752f9600788e43883d14095cbc6c052029d82a12f4f787d3fb6f80dc1585d5e48a3526f68651a4c1b10d009a

Download Submit
memory/996-146-0x0000000000000000-mapping.dmp

Download
memory/1084-167-0x0000000007BF0000-0x0000000007C93000-memory.dmp

Filesize
652KB

Download
memory/1084-159-0x0000000007BF0000-0x0000000007C93000-memory.dmp

Filesize
652KB

Download
memory/1204-139-0x0000000000000000-mapping.dmp

Download
memory/3244-142-0x0000000000000000-mapping.dmp

Download
memory/3500-164-0x0000000000A70000-0x0000000000B06000-memory.dmp

Filesize
600KB

Download
memory/3500-163-0x0000000000556B20-0x0000000000556B24-memory.dmp

Filesize
4B

Download
memory/3500-162-0x0000000000000000-mapping.dmp

Download
memory/3508-156-0x0000022737F20000-0x0000022737FC3000-memory.dmp

Filesize
652KB

Download
memory/3740-158-0x000001D91F4A0000-0x000001D91F543000-memory.dmp

Filesize
652KB

Download
memory/4008-166-0x0000022E1B560000-0x0000022E1B603000-memory.dmp

Filesize
652KB

Download
memory/4008-153-0x0000000000000000-mapping.dmp

Download
memory/4008-161-0x0000022E1B560000-0x0000022E1B603000-memory.dmp

Filesize
652KB

Download
memory/4228-154-0x00007FFECE930000-0x00007FFECF3F1000-memory.dmp

Filesize
10.8MB

Download
memory/4228-155-0x000001F7BDBE0000-0x000001F7BDC1D000-memory.dmp

Filesize
244KB

Download
memory/4228-136-0x0000000000000000-mapping.dmp

Download
memory/4228-137-0x000001F7A3350000-0x000001F7A3372000-memory.dmp

Filesize
136KB

Download
memory/4228-138-0x00007FFECE930000-0x00007FFECF3F1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-157-0x0000000000000000-mapping.dmp

Download
memory/4556-165-0x0000024B0E720000-0x0000024B0E7C3000-memory.dmp

Filesize
652KB

Download
memory/4648-160-0x00000212DFA40000-0x00000212DFAE3000-memory.dmp

Filesize
652KB

Download
memory/4668-149-0x0000000000000000-mapping.dmp

Download
memory/4944-132-0x0000000000570000-0x000000000057D000-memory.dmp

Filesize
52KB

Download