gozi | 5bba1e1dffcf2e5c44afab574c6d6e10910c84d7bb27e5add8eec9a08750ab4d

Analysis

max time kernel
157s
max time network
186s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:50

Target

x.dll
Size

334.3MB
MD5

c6be1be2ca62aa076f51d2a00097a7c3
SHA1

456d680c060c5c523302c02afe523c8f065f057c
SHA256

db8015d34f04842bb81fca9d3c22724f38b69d85919117569b3bbade3d96cc63
SHA512

82213aae9030025b64e3591de349a1522ac0a456b210a6aec7b3a73e9cc38ab9fb0ffbd15e6c1019dea738529dded5522ec04c348467a7d25e3e757e67a25bc3
SSDEEP

49152:8TtALAAAAAAAAP7AAAAAAAAAAM3AAAAAAfACziallWAAAA6AAAAAAAAAAAqAAAAP:SACg9tmG4dpr

Score

10^/10

Family

gozi

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

568 systeminfo.exe

pid	process
568	systeminfo.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.execmd.exe

description	pid	process	target process
PID 1244 wrote to memory of 268	1244	regsvr32.exe	cmd.exe
PID 1244 wrote to memory of 268	1244	regsvr32.exe	cmd.exe
PID 1244 wrote to memory of 268	1244	regsvr32.exe	cmd.exe
PID 268 wrote to memory of 568	268	cmd.exe	systeminfo.exe
PID 268 wrote to memory of 568	268	cmd.exe	systeminfo.exe
PID 268 wrote to memory of 568	268	cmd.exe	systeminfo.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\x.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\cmd.exe
cmd /c "systeminfo" >> C:\Users\Admin\AppData\Local\Temp\CC10.tmp
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:568

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/268-64-0x0000000000000000-mapping.dmp

Download
memory/568-65-0x0000000000000000-mapping.dmp

Download
memory/1244-54-0x000007FEFC071000-0x000007FEFC073000-memory.dmp

Filesize
8KB

Download
memory/1244-55-0x0000000180000000-0x0000000180014000-memory.dmp

Filesize
80KB

Download
memory/1244-59-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download