Overview

overview

10

Static

static

3

SecuriteIn...23.exe

windows7-x64

10

SecuriteIn...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 11:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.TrojanX-gen.25123.exe

  • Size

    293KB

  • MD5

    f4596eec21608b69a6410f3c1163f290

  • SHA1

    db1d45bdd0409d95f6d3b6084cad4e6fe90a3436

  • SHA256

    988ac9d35c37f6e957a5f292b871325fece89e106d4ac91d61d7ef5cd657ad8a

  • SHA512

    c8d70e20cb3db7f050a0cb75d9f4ae3099760507eb707951c602f2d2de6adb564f87425153c77cae5b465c5efa7f5b4b13be642f8c95c9e14ed2d007e29e8dce

  • SSDEEP

    3072:IvjRMbYbmYQDtBRd7QuszTc3iHjL1473r49ot:eWYaYQzRhSOuL1ik9o

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3832
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25123.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25123.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1508
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1428
        3⤵
        • Program crash
        PID:4428
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Xl32='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Xl32).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name mwykvbw -value gp; new-alias -name vncxkvhg -value iex; vncxkvhg ([System.Text.Encoding]::ASCII.GetString((mwykvbw "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1kozm3kd\1kozm3kd.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3124
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES314C.tmp" "c:\Users\Admin\AppData\Local\Temp\1kozm3kd\CSC5D96618E91A04890AEF8D19B4A5B5499.TMP"
            5⤵
              PID:2036
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kfha5uzq\kfha5uzq.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1360
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES337F.tmp" "c:\Users\Admin\AppData\Local\Temp\kfha5uzq\CSCA2D1782647F245E19ADA1D1E5E19C12.TMP"
              5⤵
                PID:1100
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25123.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:500
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2160
        • C:\Windows\syswow64\cmd.exe
          "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
          2⤵
            PID:2444
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
          • Modifies registry class
          PID:668
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:4916
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3656
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1508 -ip 1508
              1⤵
                PID:4424

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Remote System Discovery

              1
              T1018

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\1kozm3kd\1kozm3kd.dll
                Filesize

                3KB

                MD5

                0632e52174a30c174a2907e621925d8a

                SHA1

                af428628cde25c6c0d6970c25e7f7571d0138737

                SHA256

                6e592ac8dc6bb4117430d3dec5866cdeee7c56049dc7f13e39ad433f3d1e52e3

                SHA512

                06d32805fd578f844862835f8e60ce96324e17aa2fc4bbb0f8341498f9011939b99f1a314bb73f3bbb503a681f4b508202aeedb6d5506450028b99ee02da6e79

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES314C.tmp
                Filesize

                1KB

                MD5

                e2823d9e983ce93281e1b2b68515df17

                SHA1

                ca447fd7028d1b412e3487c059fb0bcd000dc7d5

                SHA256

                b9ad76a70e06bb7b194bd1315f9385d779be4750c51727ad5a00359f290ff068

                SHA512

                2cf454107a26cedd06f392dbe345c35f1d33461379f56163857a24ae2f68db9b1997e54b7cfc9ca8bc048a7de58633e854f507a1fd0357787f58645d0559c593

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES337F.tmp
                Filesize

                1KB

                MD5

                19152becdaad63bec35b59d888231443

                SHA1

                3ede39cd89fd719ab1c79972f5848231b4ecbf19

                SHA256

                cae43d01524e1980c55ecd60baebb2e5008aa0590d27ae201a434792bb01b048

                SHA512

                d0911757d83334ce8429ea3ec346b51048514e657e1d0b8c4da3706ce658af9b80810450514ff270f94a91e41552df6b23e88a00954509fe370c2044a8095ddb

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rrutefuw.fi0.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\kfha5uzq\kfha5uzq.dll
                Filesize

                3KB

                MD5

                382e32475c5a8c7f3f8971c58bb8229d

                SHA1

                42c002b0e8a63e9336b70a1d493475d1ddca6a4e

                SHA256

                dc5f7626b309c312089b6eed73b65a5635adac990b5c03c140b218537e004390

                SHA512

                15babf3702202973d1d83ae6a75f7452759805af30050c26d3e998f329ad3cd04c6a8554c8cf7b70daca71611baecc2490e487a99ae7299ffe00a603a0449653

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\1kozm3kd\1kozm3kd.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\1kozm3kd\1kozm3kd.cmdline
                Filesize

                369B

                MD5

                ad408926e3fe34cb7d9ad777c7faddf9

                SHA1

                e35024f9e975f75708d1e6019777fb1c3903cc66

                SHA256

                36bebceb77b0323996f1101b69f637b043b68046ec428d66e9a82ffd37cf66a2

                SHA512

                ad675cbb45275baeeaf1392ad81617a0b08de87d07919d19531bcae97cd6a1685ae7f16c008bb9962e00f23fccac87d474d01f070ecedc32074c91e011dbe999

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\1kozm3kd\CSC5D96618E91A04890AEF8D19B4A5B5499.TMP
                Filesize

                652B

                MD5

                7e2a957c8c24daee3c2ea84113ce610e

                SHA1

                fced0d5e908d7f70dd1a2d8eade5bb92eb4bed6b

                SHA256

                fb7ba705cc2eddebe44a0c229c7c4a8c173b3661d79d52401ef405af4db10f06

                SHA512

                9adc2aa3e0b10024c8f42521f221daf6a377d739c2ddcaad9c2a430cf33680b86ab14b88b64f0e4b90e1d443ed1fa11116213f4aa2eaa3da96e26ed729e00e2d

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\kfha5uzq\CSCA2D1782647F245E19ADA1D1E5E19C12.TMP
                Filesize

                652B

                MD5

                81b0bac51a3dd1e32aded04a275cd6ff

                SHA1

                ac35fa7854e3cf870f70c383bdfb5b96f48afc55

                SHA256

                d84af3844eefaec5ec901cb0fbf086ce3c7265f1d51940d3cac4b80f1b74f142

                SHA512

                380b98fb9ea0aaf916b4eb616a31c8efaa83b9e37de9b7269c388a6add4d163b8f2706c9b450d958df88eba962d1d1d673ccc4f7a6426d50048902e817d006f5

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\kfha5uzq\kfha5uzq.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\kfha5uzq\kfha5uzq.cmdline
                Filesize

                369B

                MD5

                1fbab078e2aeea80737969ecf1bc9797

                SHA1

                b9149e7998d7a5d82204afdf770070d79b5c92e1

                SHA256

                84520d8d80ca2f2ca408f451aea24161083f1360426568330734b06a1d742b21

                SHA512

                6329a24b334c5b82a08a63f6beed25402c3821844fb04a5dfdb0dccb8e4295fb2b0f3d17e41c4c42382c38b54196e7e5432d61090173f01b45f72525b4e8608f

                Download Submit
              • memory/500-97-0x0000020495160000-0x0000020495161000-memory.dmp
                Filesize

                4KB

                Download
              • memory/500-118-0x00000204950B0000-0x0000020495154000-memory.dmp
                Filesize

                656KB

                Download
              • memory/500-94-0x00000204950B0000-0x0000020495154000-memory.dmp
                Filesize

                656KB

                Download
              • memory/668-87-0x000001B8A79E0000-0x000001B8A79E1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/668-119-0x000001B8A7D40000-0x000001B8A7DE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/668-86-0x000001B8A7D40000-0x000001B8A7DE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1508-2-0x0000000002360000-0x000000000236B000-memory.dmp
                Filesize

                44KB

                Download
              • memory/1508-7-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/1508-4-0x0000000004040000-0x000000000404D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/1508-3-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/1508-116-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/1508-8-0x0000000002390000-0x0000000002490000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/1508-9-0x0000000002360000-0x000000000236B000-memory.dmp
                Filesize

                44KB

                Download
              • memory/1508-1-0x0000000002390000-0x0000000002490000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/2160-117-0x000001C8ED9D0000-0x000001C8EDA74000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2160-107-0x000001C8ED860000-0x000001C8ED861000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2160-104-0x000001C8ED9D0000-0x000001C8EDA74000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2444-113-0x0000000000B40000-0x0000000000BD8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/2444-105-0x0000000000700000-0x0000000000701000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2444-100-0x0000000000B40000-0x0000000000BD8000-memory.dmp
                Filesize

                608KB

                Download
              • memory/3172-95-0x0000000009120000-0x00000000091C4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3172-57-0x00000000013C0000-0x00000000013C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3172-54-0x0000000009120000-0x00000000091C4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3656-114-0x000001969EDD0000-0x000001969EE74000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3656-75-0x000001969ED90000-0x000001969ED91000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3656-73-0x000001969EDD0000-0x000001969EE74000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3832-101-0x00000268098C0000-0x0000026809964000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3832-69-0x0000026809390000-0x0000026809391000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3832-68-0x00000268098C0000-0x0000026809964000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4544-23-0x00000145B6CD0000-0x00000145B6CE0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4544-66-0x00007FFE72100000-0x00007FFE72BC1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4544-55-0x00000145B7100000-0x00000145B713D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4544-50-0x00000145B70F0000-0x00000145B70F8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4544-36-0x00000145B6CC0000-0x00000145B6CC8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4544-18-0x00000145B6C50000-0x00000145B6C72000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4544-22-0x00007FFE72100000-0x00007FFE72BC1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4916-80-0x00000176D5B40000-0x00000176D5B41000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4916-79-0x00000176D5D60000-0x00000176D5E04000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4916-115-0x00000176D5D60000-0x00000176D5E04000-memory.dmp
                Filesize

                656KB

                Download