gozi | 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745

General

Target

95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
Size

721KB
MD5

241b27f617d5091e90fcdc80a7b73345
SHA1

310c218d7b10260edcab87b344e73b47717e0e59
SHA256

95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745
SHA512

a6a2d397fdd32143b984675e2a91a53f5c04e2b96035559e77b53d4125d6f7d0089dab6c5a0d11c44be54ee3cb3d225e6141b9907714643b69a904db04ce6f1a
SSDEEP

12288:jbvWtRlbbdWyQxz7fjEAikoynNPDXwli/1TPnKawfJQjGVN34Obd/LBkzIwO95Hm:jbvWtRldWyQJfjEAikowPDXwli/1TnfQ

Score

10^/10

gozi 1000 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

dipsitripsikey70.com/adwordsdata/dropbox/xxx

underbulletkey77.com/adwordsdata/dropbox/xxx

statisticaregger32.com/adwordsdata/dropbox/xxx

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

524 cmd.exe

pid	process
524	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dpmoprov = "C:\\Windows\\system32\\cmstwave.exe"	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe

Drops file in System32 directory 2 IoCs

Processes:

95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe

description	ioc	process
File created	C:\Windows\system32\cmstwave.exe	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
File opened for modification	C:\Windows\system32\cmstwave.exe	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe

description	pid	process	target process
PID 1464 set thread context of 1324	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe

pid process

1464 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1324 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe

pid process

1464 95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe

pid	process
1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe

pid	process
1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe
Token: 33	1584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1584	AUDIODG.EXE
Token: 33	1584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1584	AUDIODG.EXE
Token: SeShutdownPrivilege	1324	explorer.exe
Token: SeShutdownPrivilege	1324	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

explorer.exe

pid	process
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

Processes:

explorer.exe

pid	process
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe
1324	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1324 explorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.execmd.exe

description	pid	process	target process
PID 1464 wrote to memory of 1324	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	explorer.exe
PID 1464 wrote to memory of 1324	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	explorer.exe
PID 1464 wrote to memory of 1324	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	explorer.exe
PID 1464 wrote to memory of 1324	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	explorer.exe
PID 1464 wrote to memory of 1324	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	explorer.exe
PID 1464 wrote to memory of 1324	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	explorer.exe
PID 1464 wrote to memory of 1324	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	explorer.exe
PID 1464 wrote to memory of 524	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	cmd.exe
PID 1464 wrote to memory of 524	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	cmd.exe
PID 1464 wrote to memory of 524	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	cmd.exe
PID 1464 wrote to memory of 524	1464	95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe	cmd.exe
PID 524 wrote to memory of 240	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 240	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 240	524	cmd.exe	attrib.exe
PID 524 wrote to memory of 240	524	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

240 attrib.exe

pid	process
240	attrib.exe

C:\Users\Admin\AppData\Local\Temp\95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe
"C:\Users\Admin\AppData\Local\Temp\95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7098451.bat" "C:\Users\Admin\AppData\Local\Temp\95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\95b6b73aebb36e792f9a3f43954fcf0d7506dc4ff79548ab89a6970e9cbfb745.exe"
3⤵
- Views/modifies file attributes
PID:240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7098451.bat
Filesize
72B

MD5
6616957471465a332974f173a82596db

SHA1
e1402fdbcec36616139ca45ffbf0d56a47c80bb4

SHA256
7a7590e3513f4a56de8b4aa67bc0624eb322baaea2a4205cc29520f458bea6c2

SHA512
56824f1e5f57da2dab5b06a7ab07f4924588999dc37ade23ce6f5ac99c63bcb0d0c84e801141db69c853a4be7d07c14b28660cb5564395da6b765c42dec83ab6

Download Submit
memory/240-63-0x0000000000000000-mapping.dmp

Download
memory/524-61-0x0000000000000000-mapping.dmp

Download
memory/1324-58-0x0000000000000000-mapping.dmp

Download
memory/1324-59-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download
memory/1324-60-0x0000000000330000-0x00000000003AF000-memory.dmp

Filesize
508KB

Download
memory/1324-64-0x0000000000330000-0x00000000003AF000-memory.dmp

Filesize
508KB

Download
memory/1464-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1464-55-0x0000000000400000-0x0000000000693000-memory.dmp

Filesize
2.6MB

Download
memory/1464-57-0x00000000002B0000-0x00000000002B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads