Analysis

  • max time kernel
    77s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 04:02

General

  • Target

    ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe

  • Size

    361KB

  • MD5

    0f4a6d7ab535e9354fde86800e3b3739

  • SHA1

    76b1f3c52206aa92df7bfe9e0846a07adb700106

  • SHA256

    ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea

  • SHA512

    444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60

  • SSDEEP

    6144:4IVQv0y3NRJO22A8oos+W0OBMgxDy1+yAD20GvPYE8a:RVQvBNfORjVOB7xDQ1AD20GXYEZ

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

diuolirt.at

deopliazae.at

nifredao.com

filokiyurt.at

Attributes
  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe
    "C:\Users\Admin\AppData\Local\Temp\ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B606\DB13.bat" "C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe" "C:\Users\Admin\AppData\Local\Temp\AD4721~1.EXE""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C ""C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe" "C:\Users\Admin\AppData\Local\Temp\AD4721~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4108
        • C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe
          "C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe" "C:\Users\Admin\AppData\Local\Temp\AD4721~1.EXE"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3544
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 584
              5⤵
              • Program crash
              PID:404
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4824 -ip 4824
      1⤵
        PID:3580

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\B606\DB13.bat
        Filesize

        112B

        MD5

        b7ebdc609e15cfcc90ac7305c5bc9323

        SHA1

        3ec613d518af880289b5950226b06c308261b6ea

        SHA256

        6bc46da3c5e3a567a743e66c2b46a041fd1490608fca08caa941d4139af2f050

        SHA512

        d707608b0447ac0ab756a276d5a888b6ed1049925967abde5b2cfa0ad39e4b0af2a595636351ac91ceeed30377e0240f4848ae1f1f307ff5df912b76dfe6ddd2

      • C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe
        Filesize

        361KB

        MD5

        0f4a6d7ab535e9354fde86800e3b3739

        SHA1

        76b1f3c52206aa92df7bfe9e0846a07adb700106

        SHA256

        ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea

        SHA512

        444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60

      • C:\Users\Admin\AppData\Roaming\AppVider\Authbk32.exe
        Filesize

        361KB

        MD5

        0f4a6d7ab535e9354fde86800e3b3739

        SHA1

        76b1f3c52206aa92df7bfe9e0846a07adb700106

        SHA256

        ad4721ceb5253c80c117ec3a65509ebbae07d4accf3689deab6644ad7b6096ea

        SHA512

        444ab8f85683512430626f96b4d1f9e168360b05241604e962078f088a5092b2b1e6d2512dd561b9d6d727af140207d668b88eb998508faeed1c3f46ecb51a60

      • memory/2148-132-0x0000000000400000-0x000000000045D000-memory.dmp
        Filesize

        372KB

      • memory/2148-134-0x0000000000720000-0x0000000000750000-memory.dmp
        Filesize

        192KB

      • memory/2488-135-0x0000000000000000-mapping.dmp
      • memory/4108-137-0x0000000000000000-mapping.dmp
      • memory/4824-138-0x0000000000000000-mapping.dmp
      • memory/4824-141-0x0000000000400000-0x000000000045D000-memory.dmp
        Filesize

        372KB

      • memory/4824-143-0x00000000005D0000-0x0000000000600000-memory.dmp
        Filesize

        192KB