Analysis

  • max time kernel
    141s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
  • submitted
    26-11-2022 12:09

General

  • Target

    7e7e6b550a1cc8625016814e24780eabf42b96a6e9c7914a051631579c8ab9fa.exe

  • Size

    318KB

  • MD5

    46942efbb2747e803d2932fc79cf0a25

  • SHA1

    f6587858ec53242f603d4f61e9f61705ad9f226e

  • SHA256

    7e7e6b550a1cc8625016814e24780eabf42b96a6e9c7914a051631579c8ab9fa

  • SHA512

    fe3e9eaae8a4b7f9d524fde2f947157dff4307601358d612e8e3be5f18997db14569825cb52c4b2b3299f4567cc905ab1c58978b266903722e687f04cf1c7f8b

  • SSDEEP

    6144:H9NX1icUq9uT3LngX1O28KS4xQ0ys8DP1LR1DLO9k80PCpCos8IGH14jlCqZgc:dNX1pUbLC1ZTS4xgnNDL3apC78IG8lCe

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1001

C2

redwoodmotors.ru

pampers-globalworld.ru

pinkfloyd-mp3love.ru

sosandhelpconnect.ru

Attributes
  • build

    213425

  • exe_type

    worker

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e7e6b550a1cc8625016814e24780eabf42b96a6e9c7914a051631579c8ab9fa.exe
    "C:\Users\Admin\AppData\Local\Temp\7e7e6b550a1cc8625016814e24780eabf42b96a6e9c7914a051631579c8ab9fa.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      2⤵
      • Modifies Installed Components in the registry
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:832
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\EE43.bat" "C:\Users\Admin\AppData\Local\Temp\7E7E6B~1.EXE""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Windows\SysWOW64\attrib.exe
        attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\7E7E6B~1.EXE"
        3⤵
        • Views/modifies file attributes
        PID:1968
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x554
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1072
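The process tree above shows a self-deletion sequence: the sample (PID 1352) starts cmd.exe with a batch file from the user's Temp directory and its own 8.3 short path as arguments, and the batch's child attrib.exe clears the read-only, system and hidden attributes on that executable (the batch contents are not shown on the page). Alongside it, explorer.exe is spawned directly by the sample, which the report pairs with SetThreadContext, WriteProcessMemory and MapViewOfSection in the parent. The Python below is an added example, not part of the sandbox output or the Gozi family, that scans constructed Sysmon-style ProcessCreate (event 1) and DnsQuery (event 22) records mirroring this tree and the extracted C2 list. The field names, the parent PID 1000 of the sample and the DNS rows are assumptions; the page's Network section contains no DNS data.

```python
import re
from typing import Dict, Iterable, List, Tuple

# C2 domains listed in the extracted Gozi config above.
GOZI_C2 = {
    "redwoodmotors.ru",
    "pampers-globalworld.ru",
    "pinkfloyd-mp3love.ru",
    "sosandhelpconnect.ru",
}

TEMP_DIR = "\\appdata\\local\\temp\\"  # matched case-insensitively inside a path

# cmd /c ""<Temp>\<x>.bat" "<Temp>\<x>.EXE""  (PID 588 in the report)
SELF_DELETE_BAT = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"{1,2}(?P<bat>[^"]+\.bat)"\s+"(?P<target>[^"]+)"{1,2}\s*$',
    re.IGNORECASE,
)
# attrib -r -s -h "<file>"  (PID 1968 in the report)
ATTRIB_CLEAR = re.compile(
    r'attrib(?:\.exe)?\s+(?:-[rsh]\s+)+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)

# Constructed records shaped like Sysmon EID 1 (ProcessCreate) and EID 22 (DnsQuery).
# Process rows mirror the report's tree; the parent PID 1000 of the sample and the
# two DNS rows are assumptions (the report's Network section shows no queries).
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\7e7e6b550a1cc8625016814e24780eabf42b96a6e9c7914a051631579c8ab9fa.exe"
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 1352, "ParentProcessId": 1000, "Image": SAMPLE_PATH,
     "CommandLine": f'"{SAMPLE_PATH}"'},
    {"EventID": 1, "ProcessId": 832, "ParentProcessId": 1352, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 588, "ParentProcessId": 1352, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\EE43.bat" "C:\Users\Admin\AppData\Local\Temp\7E7E6B~1.EXE""'},
    {"EventID": 1, "ProcessId": 1968, "ParentProcessId": 588, "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "CommandLine": r'attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\7E7E6B~1.EXE"'},
    {"EventID": 22, "ProcessId": 832, "Image": r"C:\Windows\explorer.exe", "QueryName": "redwoodmotors.ru"},
    {"EventID": 22, "ProcessId": 832, "Image": r"C:\Windows\explorer.exe", "QueryName": "www.example.com"},
]


def _under_temp(path: str) -> bool:
    return TEMP_DIR in path.lower()


def detect(events: Iterable[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for the three patterns visible in the report."""
    events = list(events)
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings: List[Tuple[str, int]] = []

    # 1. Batch-file self-delete: cmd.exe runs a Temp .bat with a Temp .exe as argument,
    #    and a child attrib.exe strips attributes from that same executable.
    for e in procs.values():
        m = SELF_DELETE_BAT.search(e["CommandLine"])
        if not m or not (_under_temp(m["bat"]) and _under_temp(m["target"])):
            continue
        target = m["target"].lower()
        for child in procs.values():
            if child["ParentProcessId"] != e["ProcessId"]:
                continue
            a = ATTRIB_CLEAR.search(child["CommandLine"])
            if a and a["target"].lower() == target:
                findings.append(("batch_self_delete", e["ProcessId"]))
                break

    # 2. explorer.exe whose parent runs from the user's Temp directory. On its own this is
    #    only a lead; the report pairs it with SetThreadContext/WriteProcessMemory in the
    #    parent, which is what makes it an injection candidate.
    for e in procs.values():
        parent = procs.get(e["ParentProcessId"])
        if parent and e["Image"].lower().endswith("\\explorer.exe") and _under_temp(parent["Image"]):
            findings.append(("explorer_spawned_from_temp", e["ProcessId"]))

    # 3. DNS lookups for the extracted C2 domains.
    for e in events:
        if e["EventID"] == 22 and e["QueryName"].lower().rstrip(".") in GOZI_C2:
            findings.append(("gozi_c2_dns", e["ProcessId"]))

    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid}")
```

The self-delete correlation compares the literal path strings, which works here because both cmd.exe and attrib.exe receive the same 8.3 short name (7E7E6B~1.EXE). A rule that instead compares against the long name in the parent's Image field would need to normalise short names first, otherwise the two never line up.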

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EE43.bat
    Filesize

    72B

    MD5

    f33aeec3fa2200f27a49713b180c63ed

    SHA1

    e2b8535d2b9b03ff25fd4fdc7de8a0077cc1d0d8

    SHA256

    42e3e654b43e4e99964b9ced509ad15d78fac6bf3f0ed273f04f26bf969885ea

    SHA512

    a2872f42b6a8cc2abb789bc64eccbefe167cc31cd6e82b7667615600c81a4e1a59cd90e8ead6b9008c6566784e1cc3b7aef2023ba43c285648d6411de71e5dcb

  • memory/588-59-0x0000000000000000-mapping.dmp
  • memory/832-55-0x0000000000000000-mapping.dmp
  • memory/832-58-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp
    Filesize

    8KB

  • memory/832-63-0x0000000001B10000-0x0000000001B78000-memory.dmp
    Filesize

    416KB

  • memory/832-64-0x0000000002D70000-0x0000000002D80000-memory.dmp
    Filesize

    64KB

  • memory/1352-54-0x0000000075091000-0x0000000075093000-memory.dmp
    Filesize

    8KB

  • memory/1352-56-0x0000000000240000-0x000000000027A000-memory.dmp
    Filesize

    232KB

  • memory/1352-57-0x0000000000400000-0x0000000000905000-memory.dmp
    Filesize

    5.0MB

  • memory/1352-62-0x0000000000400000-0x0000000000905000-memory.dmp
    Filesize

    5.0MB

  • memory/1968-61-0x0000000000000000-mapping.dmp
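Each entry in the Downloads list encodes the process ID, a sequence number and the dumped address range in its file name, and the listed Filesize values are simply end minus start. The parser below is an added example, not from the sandbox or the page, that recovers those fields and applies one triage heuristic: a region starting at the conventional 32-bit image base 0x400000 whose size far exceeds the 318KB file on disk is worth inspecting for a payload that was unpacked or expanded in memory. The image-base value, the 2x threshold, the reading of 318KB as 318 KiB, and the handling of the mapping.dmp entries (which carry no range on the page and whose meaning the page does not state) are assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Dump names exactly as listed in the report's Downloads section.
REPORT_DUMPS = [
    "memory/588-59-0x0000000000000000-mapping.dmp",
    "memory/832-55-0x0000000000000000-mapping.dmp",
    "memory/832-58-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp",
    "memory/832-63-0x0000000001B10000-0x0000000001B78000-memory.dmp",
    "memory/832-64-0x0000000002D70000-0x0000000002D80000-memory.dmp",
    "memory/1352-54-0x0000000075091000-0x0000000075093000-memory.dmp",
    "memory/1352-56-0x0000000000240000-0x000000000027A000-memory.dmp",
    "memory/1352-57-0x0000000000400000-0x0000000000905000-memory.dmp",
    "memory/1352-62-0x0000000000400000-0x0000000000905000-memory.dmp",
    "memory/1968-61-0x0000000000000000-mapping.dmp",
]

DISK_SIZE = 318 * 1024   # the sample's 318KB from the General section, read as KiB (assumption)
IMAGE_BASE = 0x400000    # conventional 32-bit PE image base; assumed, not stated on the page


class DumpRegion(NamedTuple):
    pid: int
    seq: int
    start: Optional[int]  # None for mapping.dmp entries, which list no range
    end: Optional[int]

    @property
    def size(self) -> Optional[int]:
        return None if self.start is None else self.end - self.start


_RANGE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
_MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x[0-9A-Fa-f]+-mapping\.dmp$")


def parse_dump_name(name: str) -> DumpRegion:
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = _RANGE.match(name)
    if m:
        pid, seq, start, end = m.groups()
        return DumpRegion(int(pid), int(seq), int(start, 16), int(end, 16))
    m = _MAPPING.match(name)
    if m:
        pid, seq = m.groups()
        return DumpRegion(int(pid), int(seq), None, None)
    raise ValueError(f"unrecognised dump name: {name}")


def regions_by_pid(names: List[str]) -> Dict[int, List[DumpRegion]]:
    out: Dict[int, List[DumpRegion]] = {}
    for n in names:
        r = parse_dump_name(n)
        out.setdefault(r.pid, []).append(r)
    return out


def oversized_image_regions(names: List[str], disk_size: int = DISK_SIZE,
                            image_base: int = IMAGE_BASE, factor: int = 2) -> List[DumpRegion]:
    """Regions at the assumed image base larger than `factor` times the on-disk size.
    A lead for 'the PE grew in memory' (unpacking, appended sections), not proof of it."""
    hits = []
    for n in names:
        r = parse_dump_name(n)
        if r.start == image_base and r.size is not None and r.size > factor * disk_size:
            hits.append(r)
    return hits


if __name__ == "__main__":
    for pid, regs in regions_by_pid(REPORT_DUMPS).items():
        for r in regs:
            span = "mapping" if r.size is None else f"0x{r.start:X}-0x{r.end:X} ({r.size // 1024} KiB)"
            print(f"pid {pid:>5} seq {r.seq:>3} {span}")
    for r in oversized_image_regions(REPORT_DUMPS):
        print(f"pid {r.pid} seq {r.seq}: {r.size // 1024} KiB at image base vs {DISK_SIZE // 1024} KiB on disk")
```

Run against the list above, the heuristic singles out the two PID 1352 dumps at 0x400000-0x905000 (about 5140 KiB against 318 KiB on disk); the 832-63 region of 416 KiB inside explorer.exe is the other dump an analyst would open first, since explorer.exe is the process the sample wrote into. The parser also makes the address widths visible: the 832-58 region at 0x7FEFB9C1000 lies in the 64-bit address space, consistent with explorer.exe being the native 64-bit shell on windows7_x64, while every PID 1352 region sits below 4GB, consistent with its children running from SysWOW64.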