gozi | d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674

General

Target

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
Size

305KB
MD5

f4cdbef32c96169f9194b6b33b3f7c26
SHA1

53d0738923bcd20bddf9e280d281a81225378162
SHA256

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674
SHA512

de2ee95658cfe3dd78a688932dd140849b04b7f6da869294d486326a010ccb6137264a4f924f88b4c4e3c6584399aa869ef6ec912e1d54b87ca05b67b4f861b9
SSDEEP

6144:VId7WQ8X2rBWueOlQb2NOShT5RmUjD5uT:Vw7L+2rBWuFltF8UjD5uT

Score

10^/10

gozi 1010 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1010

C2

redwoodmotors.ru

pampers-globalworld.ru

pinkfloyd-mp3love.ru

sosandhelpconnect.ru

Attributes

exe_type
worker

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

628 cmd.exe

pid	process
628	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\FwReSCOM = "C:\\Windows\\system32\\appiroxy.exe"	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

Drops file in System32 directory 2 IoCs

Processes:

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

description	ioc	process
File created	C:\Windows\system32\appiroxy.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
File opened for modification	C:\Windows\system32\appiroxy.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exed5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

description	pid	process	target process
PID 1176 set thread context of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 576 set thread context of 1920	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exed5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

pid	process
1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1920 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

pid process

576 d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

pid	process
576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe
Token: 33	1948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1948	AUDIODG.EXE
Token: 33	1948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1948	AUDIODG.EXE
Token: SeShutdownPrivilege	1920	explorer.exe
Token: SeShutdownPrivilege	1920	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

explorer.exe

pid	process
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe
1920	explorer.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exed5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.execmd.exe

description	pid	process	target process
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 1176 wrote to memory of 576	1176	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
PID 576 wrote to memory of 1920	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	explorer.exe
PID 576 wrote to memory of 1920	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	explorer.exe
PID 576 wrote to memory of 1920	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	explorer.exe
PID 576 wrote to memory of 1920	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	explorer.exe
PID 576 wrote to memory of 1920	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	explorer.exe
PID 576 wrote to memory of 1920	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	explorer.exe
PID 576 wrote to memory of 1920	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	explorer.exe
PID 576 wrote to memory of 628	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	cmd.exe
PID 576 wrote to memory of 628	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	cmd.exe
PID 576 wrote to memory of 628	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	cmd.exe
PID 576 wrote to memory of 628	576	d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe	cmd.exe
PID 628 wrote to memory of 1400	628	cmd.exe	attrib.exe
PID 628 wrote to memory of 1400	628	cmd.exe	attrib.exe
PID 628 wrote to memory of 1400	628	cmd.exe	attrib.exe
PID 628 wrote to memory of 1400	628	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1400 attrib.exe

pid	process
1400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
"C:\Users\Admin\AppData\Local\Temp\d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe
"C:\Users\Admin\AppData\Local\Temp\d5ebcdac450c9999ef7184481f729df0bb5babd9ae9fb62b7c6fdff02569a674.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7131429.bat" "C:\Users\Admin\AppData\Local\Temp\D5EBCD~1.EXE""
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\attrib.exe
attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\D5EBCD~1.EXE"
4⤵
- Views/modifies file attributes
PID:1400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x550
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7131429.bat
Filesize
72B

MD5
52e79bfc1e9b765489c384be21477c56

SHA1
1753be23b220defc13171b3d512a2b29d661b200

SHA256
8beae7eb8778a56ce491705cbe887507dd4cca91f27c65784a22fed26123db37

SHA512
d73ec29e56a21167944633e7389826fcd2489a15798bd23b2071c7317e7f2126786e913dda61bae0cc24880b577002802c0cf3423b87aa5933abbb68af5d3653

Download Submit
memory/576-69-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-65-0x0000000000401000-mapping.dmp

Download
memory/576-55-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-75-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-58-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-56-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-70-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/628-74-0x0000000000000000-mapping.dmp

Download
memory/1176-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1176-67-0x0000000000250000-0x0000000000279000-memory.dmp

Filesize
164KB

Download
memory/1400-77-0x0000000000000000-mapping.dmp

Download
memory/1920-78-0x0000000001B60000-0x0000000001BC2000-memory.dmp

Filesize
392KB

Download
memory/1920-73-0x000007FEFB371000-0x000007FEFB373000-memory.dmp

Filesize
8KB

Download
memory/1920-72-0x0000000001B60000-0x0000000001BC2000-memory.dmp

Filesize
392KB

Download
memory/1920-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads