Overview

overview

10

Static

static

3

7665e79318...e6.exe

windows7-x64

10

7665e79318...e6.exe

windows10-1703-x64

10

7665e79318...e6.exe

windows10-2004-x64

10

Resubmissions

06-10-2023 00:32

231006-avxlbaac38 10

06-10-2023 00:31

231006-at7pwsgb5s 10

05-10-2023 16:10

231005-tmvxasec87 10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe

  • Size

    304KB

  • MD5

    a3f4c907a088c99a8b7bf5f4280d7d0c

  • SHA1

    9a9297bd0af1c008eb7477c1e310ce70c30c6d56

  • SHA256

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6

  • SHA512

    106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b

  • SSDEEP

    6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3680
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:2264
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3896
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
          "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:632
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dcfq='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dcfq).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2128
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jidsvqqivw -value gp; new-alias -name gotyhp -value iex; gotyhp ([System.Text.Encoding]::ASCII.GetString((jidsvqqivw "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:956
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q4jssumt\q4jssumt.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4828
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC479.tmp" "c:\Users\Admin\AppData\Local\Temp\q4jssumt\CSC5836D6DC4F9D40E69B20CAF1DAA39F86.TMP"
                5⤵
                  PID:4444
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4sbhjzqi\4sbhjzqi.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4504
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC553.tmp" "c:\Users\Admin\AppData\Local\Temp\4sbhjzqi\CSCBF95A36E3D9C41159230F9A67747185B.TMP"
                  5⤵
                    PID:4424
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4528
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:8
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:1860
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:2516

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\4sbhjzqi\4sbhjzqi.dll
              Filesize

              3KB

              MD5

              70c9707188888cf2d302dbb209fc035b

              SHA1

              291d9c4deee712ade5fce0be0f661d4fe0bd05f6

              SHA256

              78b288e80603ae5230337af2e1d625ae926688872bcdcc190c1a004a49b4fbe4

              SHA512

              2c7cd03b2caf9ac8a6a71b33d680bb455370744e3f8bd4d17878522bed371cc9e56b2a88bd1178ae622c05f47868ce7830c53e7f3e47494f7cb65504bf33fb85

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RESC479.tmp
              Filesize

              1KB

              MD5

              24df13745077aa6f441d30aa4fa0ba08

              SHA1

              c435c0fd707c93cc26d35c7cf2fb1a9a7b5dc813

              SHA256

              88ba6dce0718c4676d3e8fcc131f7781ea73c69e4bace1983af3e9d94028b2e5

              SHA512

              a6b34e741e5c4286e1a2d7fa27c9f54577752f9d1e78c084ea9141f18c42ee35873a214d66183800eba70ed05241c89322fac6d205d7ae9ee905c522c62fc65f

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RESC553.tmp
              Filesize

              1KB

              MD5

              d8fef2bc8db89cab63be9cc318e9f76b

              SHA1

              d6624073a1f3ec45290e59d69bad212af87b7d6e

              SHA256

              2bc0d642441b86cd1160a9ace681a88f52c7a261d13a4bfd534bed60c077dbcc

              SHA512

              a5ca6d2b97a0c12e6cca4633d92623440ceab7e35821ad87c8960a5549069bf89b1d9753de806723d3d3e9f5fc883c5cf5f9fd0cf88678ee61466ac8e01183e4

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1fcxhk0.ubd.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\q4jssumt\q4jssumt.dll
              Filesize

              3KB

              MD5

              635130a6480df94995e55ab0af5d4896

              SHA1

              69954ae6444b8a3f782fc835ebb5122548500b98

              SHA256

              d2e54d97647f1b7f3e8c20dd6a76b7a923d83d7650b8914ed863cfd111ba1a7c

              SHA512

              869369825f0acb441340ba0b367c448128dd7b7639dd1ae1cff00b7ac30483b84d51618ff1e4f55ed1e6ea7c1d9cfc0a4b8a9176f38549cee3c922ddf1456e24

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\4sbhjzqi\4sbhjzqi.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\4sbhjzqi\4sbhjzqi.cmdline
              Filesize

              369B

              MD5

              6c607e93ec9ad9b8459f174d357c459a

              SHA1

              b3f7cf756d4c2da5356cb0caa44c063166164b2d

              SHA256

              af5357a3a8001b38498c3810e6b2d782d556717ae0f38ab5c4f131cfe9f327f9

              SHA512

              1b4a4ba099454519aa103d30e2cb413660a74f370e14e66b75274b32d2d76c0bfebb6506d78b4b1be80831822fd6661720632a559dac4b5b9645ea4e41c9ab25

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\4sbhjzqi\CSCBF95A36E3D9C41159230F9A67747185B.TMP
              Filesize

              652B

              MD5

              49c402ca2a03fea6be589ee2d7cbdca7

              SHA1

              5c582171dd27a25247c75f89fdcf35cd03c20dd3

              SHA256

              80a40ed8ccf004565be0083084e43b47e838dd8227e10cbf22bf2724b47872b6

              SHA512

              d394eb63b0fe06532b557b9b63fd530b85f4f99fa59838664afbc3a7bd54176b32d79525281ecfdbf7cee92fd2230d7b75948514a51dc4cb98960bccf774f2b7

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\q4jssumt\CSC5836D6DC4F9D40E69B20CAF1DAA39F86.TMP
              Filesize

              652B

              MD5

              9423f3e81c8d11f833bfd7e67766e535

              SHA1

              6c0ff993b9f7e07fb120d7d336c7e9a24ab840bc

              SHA256

              c72bc3ec241d3f29d5ef7b9445c7c8d94f59c0b84b975a0aac33c64b9e0a22d2

              SHA512

              9b1ed5bc7680ea7949963b3d235192eae7b900026a850e0f2409bb420d46e7699cf1d4cf6bb176dd40eb81d962785cf80539e6cd9d9d6c4f6cb2b28f9a168cb8

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\q4jssumt\q4jssumt.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\q4jssumt\q4jssumt.cmdline
              Filesize

              369B

              MD5

              6e8759baadbae9cedfd6d9d1f9c9a651

              SHA1

              dc54612b47cf35918b46d4edfb4dab894400f701

              SHA256

              1b0d0bfa0986190dd9ee2281ea18df91fc3cccc668bfb7dd229fb3351c01908d

              SHA512

              e981b3c12b8244c1d05790fc55fb5157321f799dcb77be43d813d3c09a092d22f08e359b8cb6e44006fba23da7a6385994dabdc64dbadbccdeeea32a334b1f8b

              Download Submit
            • memory/8-117-0x00000289FA6B0000-0x00000289FA754000-memory.dmp
              Filesize

              656KB

              Download
            • memory/8-105-0x00000289FA550000-0x00000289FA551000-memory.dmp
              Filesize

              4KB

              Download
            • memory/8-104-0x00000289FA6B0000-0x00000289FA754000-memory.dmp
              Filesize

              656KB

              Download
            • memory/632-1-0x00000000012B0000-0x00000000012BF000-memory.dmp
              Filesize

              60KB

              Download
            • memory/632-11-0x0000000001320000-0x000000000132D000-memory.dmp
              Filesize

              52KB

              Download
            • memory/632-5-0x0000000000400000-0x000000000040F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/632-0-0x00000000012A0000-0x00000000012AC000-memory.dmp
              Filesize

              48KB

              Download
            • memory/956-69-0x00007FFBDAC30000-0x00007FFBDB6F1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/956-15-0x00000235A8390000-0x00000235A83B2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/956-40-0x00000235A83C0000-0x00000235A83C8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/956-56-0x00000235C0A80000-0x00000235C0ABD000-memory.dmp
              Filesize

              244KB

              Download
            • memory/956-26-0x00000235A8380000-0x00000235A8390000-memory.dmp
              Filesize

              64KB

              Download
            • memory/956-25-0x00007FFBDAC30000-0x00007FFBDB6F1000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/956-27-0x00000235A8380000-0x00000235A8390000-memory.dmp
              Filesize

              64KB

              Download
            • memory/956-70-0x00000235C0A80000-0x00000235C0ABD000-memory.dmp
              Filesize

              244KB

              Download
            • memory/956-54-0x00000235A83E0000-0x00000235A83E8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/1320-97-0x0000000008090000-0x0000000008134000-memory.dmp
              Filesize

              656KB

              Download
            • memory/1320-59-0x0000000000A70000-0x0000000000A71000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1320-58-0x0000000008090000-0x0000000008134000-memory.dmp
              Filesize

              656KB

              Download
            • memory/1860-114-0x0000000001260000-0x00000000012F8000-memory.dmp
              Filesize

              608KB

              Download
            • memory/1860-111-0x00000000009E0000-0x00000000009E1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1860-106-0x0000000001260000-0x00000000012F8000-memory.dmp
              Filesize

              608KB

              Download
            • memory/2264-116-0x0000028A34E70000-0x0000028A34F14000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2264-84-0x0000028A34E70000-0x0000028A34F14000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2264-85-0x0000028A34C60000-0x0000028A34C61000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2516-119-0x000001DF52340000-0x000001DF523E4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2516-89-0x000001DF52340000-0x000001DF523E4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/2516-90-0x000001DF51E20000-0x000001DF51E21000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3680-72-0x000001839D410000-0x000001839D4B4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3680-108-0x000001839D410000-0x000001839D4B4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3680-73-0x000001839ABF0000-0x000001839ABF1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3896-115-0x000001B63DBA0000-0x000001B63DC44000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3896-79-0x000001B63DB60000-0x000001B63DB61000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3896-78-0x000001B63DBA0000-0x000001B63DC44000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4528-95-0x0000016575BB0000-0x0000016575C54000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4528-101-0x0000016575920000-0x0000016575921000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4528-118-0x0000016575BB0000-0x0000016575C54000-memory.dmp
              Filesize

              656KB

              Download