Overview

overview

10

Static

static

3

7665e79318...e6.exe

windows7-x64

10

7665e79318...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2023 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe

  • Size

    304KB

  • MD5

    a3f4c907a088c99a8b7bf5f4280d7d0c

  • SHA1

    9a9297bd0af1c008eb7477c1e310ce70c30c6d56

  • SHA256

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6

  • SHA512

    106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b

  • SSDEEP

    6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3784
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:2920
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3996
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
          "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2212
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>J878='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(J878).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F\\\MemoryMusic'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name tvkvjg -value gp; new-alias -name bhyejiyt -value iex; bhyejiyt ([System.Text.Encoding]::ASCII.GetString((tvkvjg "HKCU:Software\AppDataLow\Software\Microsoft\2D69E7DB-A838-E7C3-1AB1-5C0BEE75506F").LinkAbout))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2116
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\omj1n51v\omj1n51v.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4520
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD87E.tmp" "c:\Users\Admin\AppData\Local\Temp\omj1n51v\CSC59250DDE11740879AD1DB72830394C.TMP"
                5⤵
                  PID:1920
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzlpf00h\yzlpf00h.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4312
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9C6.tmp" "c:\Users\Admin\AppData\Local\Temp\yzlpf00h\CSC9D2C4F21CA6F422DA2291FAAF6D35C13.TMP"
                  5⤵
                    PID:1508
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:956
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:3808
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:5012
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:5072

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Remote System Discovery

            1
            T1018

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\RESD87E.tmp
              Filesize

              1KB

              MD5

              6769d3c62ee712accbc829714a198aa3

              SHA1

              09c5069e3eb2dfa92a7555a535642600fec8672e

              SHA256

              811f43f84ca64ffe5117639eb3add8024c826fe8455884e1020de4505312edea

              SHA512

              a7777a3e085b0ad98b61286156750a2941750b39925495d49df55b698cbd1a81f692b8a245b5cd57e99c4e6c17c3164d280a42823a227f989d2e797b4f6acac8

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RESD9C6.tmp
              Filesize

              1KB

              MD5

              0b60ff5f8bfb2f23cc56ff8fddca7f19

              SHA1

              40827099607268042a6e788c74ba64f59e511ac4

              SHA256

              6335b5b974e621963ca04aa8ac966c999abaa21d652d103fced974e90cf2711a

              SHA512

              d37734155fb47877da6a9b16a47ea6f05812ae48c7caa6981759c34c3f7b84c98bd1cd6f89eafaa79d5bc6938c9029307ccb256fac14b7871115aaa4c0e00cad

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysvoqa5b.2cj.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\omj1n51v\omj1n51v.dll
              Filesize

              3KB

              MD5

              6392c6e61ec048f980476a91aa38a89c

              SHA1

              a7c641d0d32ea013536a78ac2b02d8d5f38e63bc

              SHA256

              d203251d1cf9ba64d5b8d0da2d435fe9937f2ea638282ab2907ee7892f5dec82

              SHA512

              81d88fdf7e9c1276d4f8a5907db5c3cb65717c5fc7d310ce585c675b79fbad09ad9142544350da263b3f82a192feffafc5683f40625a19129c4aa4c26fa60f84

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\yzlpf00h\yzlpf00h.dll
              Filesize

              3KB

              MD5

              37711384830023187a9095f937ae053a

              SHA1

              92afbcd22bcea92e03b4ada1db8c4b452424ef9c

              SHA256

              a2e8b06dde0ec10e7eb5fe44d978ad32c5bf6e039c50325e0b60629a3b7ace6a

              SHA512

              51f2d6f1c4c0a9809f58eaf21b271892c9e48eff82618e8cd4dfbbd542b3ca89b1bc0329da0b5a4e94c9eb480aa7782eca2502fa0b7164e6afa5a5723cd6409e

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\omj1n51v\CSC59250DDE11740879AD1DB72830394C.TMP
              Filesize

              652B

              MD5

              93d3225dafdddd5d2d87c21b6c5cb5df

              SHA1

              a45b4f34ebfb53786eb82fb62c5739dda8715d27

              SHA256

              4db0f9ef2c4138dd0791ae7cf4eb66b799729e7b3d030ccc6c4853f95687d53a

              SHA512

              a5ee6984c9137492f118ec4f3bc937741a9bca076f5b7f5b4d8ba27f55f5ecc3d1cff465fb26ca5af59ffa65597f62957b93687a4c5ff59d0b5a989484ac3c2c

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\omj1n51v\omj1n51v.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\omj1n51v\omj1n51v.cmdline
              Filesize

              369B

              MD5

              643de6f38e797b427a4ece9865da8e9f

              SHA1

              bdfe3750eafa39533b6998e01a2a99f67079abf6

              SHA256

              8b2825a6e3cb9147946b95811eec2ec0f2020a3c310235c14eb92de6fb8ca7b2

              SHA512

              da53df005206547d9e07ed08ddec28d5416997c06af24334234747ea4561c5a4775fbbeb6d1ac469ae8a4343f7039a15a4f413aa64df7ee5aa3bf1b7703fa070

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\yzlpf00h\CSC9D2C4F21CA6F422DA2291FAAF6D35C13.TMP
              Filesize

              652B

              MD5

              ac6ca9461d056eed804aafde5dc74a16

              SHA1

              26a48ab81b13344828e39401a6029b534d2ed80d

              SHA256

              d21815fe37fc185a7b0f5e00798a16e6f8292e41add94a2eeb4b7dc99831b345

              SHA512

              ead9623c421af7e84a6febd82730a553794020449865291236d7ce2d9e51960cfd29dd6d10910fa4bdc3b8fbf4688388b0e778128b1348e557e0a02c5b9730dd

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\yzlpf00h\yzlpf00h.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\yzlpf00h\yzlpf00h.cmdline
              Filesize

              369B

              MD5

              b03fc0706df83b7a9a81e5291c7fe10f

              SHA1

              de5f2410dbb5c0152a1d28e33939cdb97f95e499

              SHA256

              4275223090276516074c9f777e9f4e9f53f23eb9ff3b8ffb2829612737b8b176

              SHA512

              9deab9d2bae299c6c11cf319d5d956d0b6d978da455a39c83f21a20aff96d91cc3e2cc7b26a3e226ac8bae8860ab58f927ba9515c079b2a3291526fa571b0a75

              Download Submit
            • memory/764-59-0x0000000000830000-0x0000000000831000-memory.dmp
              Filesize

              4KB

              Download
            • memory/764-58-0x00000000083C0000-0x0000000008464000-memory.dmp
              Filesize

              656KB

              Download
            • memory/764-98-0x00000000083C0000-0x0000000008464000-memory.dmp
              Filesize

              656KB

              Download
            • memory/956-100-0x000001B963630000-0x000001B963631000-memory.dmp
              Filesize

              4KB

              Download
            • memory/956-120-0x000001B9637A0000-0x000001B963844000-memory.dmp
              Filesize

              656KB

              Download
            • memory/956-97-0x000001B9637A0000-0x000001B963844000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2116-56-0x00000239A3B20000-0x00000239A3B5D000-memory.dmp
              Filesize

              244KB

              Download
            • memory/2116-25-0x00007FFA96E60000-0x00007FFA97921000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/2116-54-0x00000239A3800000-0x00000239A3808000-memory.dmp
              Filesize

              32KB

              Download
            • memory/2116-20-0x000002398B200000-0x000002398B222000-memory.dmp
              Filesize

              136KB

              Download
            • memory/2116-40-0x000002398B1F0000-0x000002398B1F8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/2116-69-0x00007FFA96E60000-0x00007FFA97921000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/2116-70-0x00000239A3B20000-0x00000239A3B5D000-memory.dmp
              Filesize

              244KB

              Download
            • memory/2116-26-0x00000239A3810000-0x00000239A3820000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2116-27-0x00000239A3810000-0x00000239A3820000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2212-11-0x0000000001350000-0x000000000135D000-memory.dmp
              Filesize

              52KB

              Download
            • memory/2212-5-0x0000000000400000-0x000000000040F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/2212-0-0x0000000000FE0000-0x0000000000FEF000-memory.dmp
              Filesize

              60KB

              Download
            • memory/2212-1-0x0000000000FD0000-0x0000000000FDC000-memory.dmp
              Filesize

              48KB

              Download
            • memory/2920-86-0x00000292243D0000-0x00000292243D1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2920-117-0x0000029224C20000-0x0000029224CC4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2920-85-0x0000029224C20000-0x0000029224CC4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3784-73-0x000001677C360000-0x000001677C361000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3784-72-0x000001677C4E0000-0x000001677C584000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3784-105-0x000001677C4E0000-0x000001677C584000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3808-110-0x00000204525B0000-0x0000020452654000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3808-119-0x00000204525B0000-0x0000020452654000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3808-113-0x0000020452660000-0x0000020452661000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3996-111-0x0000020198CC0000-0x0000020198D64000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3996-79-0x0000020198C80000-0x0000020198C81000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3996-80-0x0000020198CC0000-0x0000020198D64000-memory.dmp
              Filesize

              656KB

              Download
            • memory/5012-106-0x0000000000960000-0x0000000000961000-memory.dmp
              Filesize

              4KB

              Download
            • memory/5012-104-0x0000000000D80000-0x0000000000E18000-memory.dmp
              Filesize

              608KB

              Download
            • memory/5012-115-0x0000000000D80000-0x0000000000E18000-memory.dmp
              Filesize

              608KB

              Download
            • memory/5072-118-0x000001D9BBCF0000-0x000001D9BBD94000-memory.dmp
              Filesize

              656KB

              Download
            • memory/5072-92-0x000001D9BBDA0000-0x000001D9BBDA1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/5072-91-0x000001D9BBCF0000-0x000001D9BBD94000-memory.dmp
              Filesize

              656KB

              Download