gozi | ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea

General

Target

ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe
Size

361KB
MD5

0f4a6d7ab535e9354fde86800e3b3739
SHA1

76b1f3c52206aa92df7bfe9e0846a07adb700106
SHA256

ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea
SHA512

444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60
SSDEEP

6144:4IVQv0y3NRJO22A8oos+W0OBMgxDy1+yAD20GvPYE8a:RVQvBNfORjVOB7xDQ1AD20GXYEZ

Score

10^/10

gozi 1010 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 1 IoCs

Processes:

clbtext.exe

pid process

840 clbtext.exe
Deletes itself 1 IoCs

Processes:

clbtext.exe

pid process

840 clbtext.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

792 cmd.exe

pid	process
840	clbtext.exe

pid	process
840	clbtext.exe

pid	process
792	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\comrdisc = "C:\\Users\\Admin\\AppData\\Roaming\\dskqroxy\\clbtext.exe"	ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

clbtext.exesvchost.exe

description	pid	process	target process
PID 840 set thread context of 1816	840	clbtext.exe	svchost.exe
PID 1816 set thread context of 1288	1816	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

clbtext.exeExplorer.EXE

pid process

840 clbtext.exe
1288 Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

clbtext.exesvchost.exe

pid process

840 clbtext.exe
1816 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Explorer.EXE

description pid process

Token: SeShutdownPrivilege 1288 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE
1288 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1288 Explorer.EXE

pid	process
840	clbtext.exe
1288	Explorer.EXE

pid	process
1288	Explorer.EXE

pid	process
840	clbtext.exe
1816	svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1288	Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1288	Explorer.EXE
1288	Explorer.EXE

pid	process
1288	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.execmd.execmd.execlbtext.exesvchost.exe

description	pid	process	target process
PID 836 wrote to memory of 1488	836	ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe	cmd.exe
PID 836 wrote to memory of 1488	836	ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe	cmd.exe
PID 836 wrote to memory of 1488	836	ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe	cmd.exe
PID 836 wrote to memory of 1488	836	ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe	cmd.exe
PID 1488 wrote to memory of 792	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 792	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 792	1488	cmd.exe	cmd.exe
PID 1488 wrote to memory of 792	1488	cmd.exe	cmd.exe
PID 792 wrote to memory of 840	792	cmd.exe	clbtext.exe
PID 792 wrote to memory of 840	792	cmd.exe	clbtext.exe
PID 792 wrote to memory of 840	792	cmd.exe	clbtext.exe
PID 792 wrote to memory of 840	792	cmd.exe	clbtext.exe
PID 840 wrote to memory of 1816	840	clbtext.exe	svchost.exe
PID 840 wrote to memory of 1816	840	clbtext.exe	svchost.exe
PID 840 wrote to memory of 1816	840	clbtext.exe	svchost.exe
PID 840 wrote to memory of 1816	840	clbtext.exe	svchost.exe
PID 840 wrote to memory of 1816	840	clbtext.exe	svchost.exe
PID 840 wrote to memory of 1816	840	clbtext.exe	svchost.exe
PID 840 wrote to memory of 1816	840	clbtext.exe	svchost.exe
PID 1816 wrote to memory of 1288	1816	svchost.exe	Explorer.EXE
PID 1816 wrote to memory of 1288	1816	svchost.exe	Explorer.EXE
PID 1816 wrote to memory of 1288	1816	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Users\Admin\AppData\Local\Temp\ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe
"C:\Users\Admin\AppData\Local\Temp\ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5840\10.bat" "C:\Users\Admin\AppData\Roaming\dskqroxy\clbtext.exe" "C:\Users\Admin\AppData\Local\Temp\AD4721~1.EXE""
3⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\dskqroxy\clbtext.exe" "C:\Users\Admin\AppData\Local\Temp\AD4721~1.EXE""
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Roaming\dskqroxy\clbtext.exe
"C:\Users\Admin\AppData\Roaming\dskqroxy\clbtext.exe" "C:\Users\Admin\AppData\Local\Temp\AD4721~1.EXE"
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5840\10.bat
Filesize
108B

MD5
305c47a45d2fdcdf9f4480cdfdac4fae

SHA1
306027ea73108afed4c2a58c30d4b8b2aeb73b1a

SHA256
b9f18b5ba21bb57f7ef9a5bb86b3284f6a1220fcbb6699d0fc1af3a980f16d2e

SHA512
d483161ad9c0948609de7863b66d83417f222fbe482ae25cdc3b087c3865333d8ec586ee81eebca06534596b274c58a53a8373e777df92917b6d2daa5cbfdaeb

Download Submit
C:\Users\Admin\AppData\Roaming\dskqroxy\clbtext.exe
Filesize
361KB

MD5
0f4a6d7ab535e9354fde86800e3b3739

SHA1
76b1f3c52206aa92df7bfe9e0846a07adb700106

SHA256
ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea

SHA512
444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60

Download Submit
C:\Users\Admin\AppData\Roaming\dskqroxy\clbtext.exe
Filesize
361KB

MD5
0f4a6d7ab535e9354fde86800e3b3739

SHA1
76b1f3c52206aa92df7bfe9e0846a07adb700106

SHA256
ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea

SHA512
444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60

Download Submit
\Users\Admin\AppData\Roaming\dskqroxy\clbtext.exe
Filesize
361KB

MD5
0f4a6d7ab535e9354fde86800e3b3739

SHA1
76b1f3c52206aa92df7bfe9e0846a07adb700106

SHA256
ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea

SHA512
444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60

Download Submit
memory/792-60-0x0000000000000000-mapping.dmp

Download
memory/836-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/836-55-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/836-57-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/840-63-0x0000000000000000-mapping.dmp

Download
memory/840-66-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/840-67-0x00000000003B0000-0x00000000003E0000-memory.dmp

Filesize
192KB

Download
memory/840-70-0x00000000003B0000-0x00000000003E0000-memory.dmp

Filesize
192KB

Download
memory/1288-73-0x0000000002B60000-0x0000000002BD5000-memory.dmp

Filesize
468KB

Download
memory/1288-74-0x0000000002B60000-0x0000000002BD5000-memory.dmp

Filesize
468KB

Download
memory/1488-58-0x0000000000000000-mapping.dmp

Download
memory/1816-69-0x0000000000000000-mapping.dmp

Download
memory/1816-71-0x0000000000190000-0x0000000000205000-memory.dmp

Filesize
468KB

Download
memory/1816-72-0x0000000000190000-0x0000000000205000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads