Overview

overview

10

Static

static

3

SecuriteIn...23.exe

windows7-x64

10

SecuriteIn...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 11:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.TrojanX-gen.25123.exe

  • Size

    293KB

  • MD5

    f4596eec21608b69a6410f3c1163f290

  • SHA1

    db1d45bdd0409d95f6d3b6084cad4e6fe90a3436

  • SHA256

    988ac9d35c37f6e957a5f292b871325fece89e106d4ac91d61d7ef5cd657ad8a

  • SHA512

    c8d70e20cb3db7f050a0cb75d9f4ae3099760507eb707951c602f2d2de6adb564f87425153c77cae5b465c5efa7f5b4b13be642f8c95c9e14ed2d007e29e8dce

  • SSDEEP

    3072:IvjRMbYbmYQDtBRd7QuszTc3iHjL1473r49ot:eWYaYQzRhSOuL1ik9o

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3672
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4900
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4068
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3100
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25123.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25123.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:984
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 460
            3⤵
            • Program crash
            PID:756
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>N1t0='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(N1t0).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\DD164BDA-982A-17AD-8A61-4C3B5E25409F\\\FolderOptions'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name hjdkty -value gp; new-alias -name crgtsfqxj -value iex; crgtsfqxj ([System.Text.Encoding]::ASCII.GetString((hjdkty "HKCU:Software\AppDataLow\Software\Microsoft\DD164BDA-982A-17AD-8A61-4C3B5E25409F").MelodyTool))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1340
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxyfnioo\rxyfnioo.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:768
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES877.tmp" "c:\Users\Admin\AppData\Local\Temp\rxyfnioo\CSCC83EFD36DCC34CBE83E1238627292675.TMP"
                5⤵
                  PID:628
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ussz5bu5\ussz5bu5.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:116
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BF.tmp" "c:\Users\Admin\AppData\Local\Temp\ussz5bu5\CSC73B3190BF8AD4D7B991CBC2DC23649E6.TMP"
                  5⤵
                    PID:2600
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25123.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1408
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:2880
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:4568
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:4800
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 984 -ip 984
              1⤵
                PID:3920

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RES877.tmp
                Filesize

                1KB

                MD5

                d48d4feb30fef98159d473486ffe27f2

                SHA1

                5f5dfa9c4adb818cf6b4f9c86007f0a3938ccd60

                SHA256

                2b984a1ff13cb32a36947ddd45a5a447ba9aecb9fb3050bc48b4fbeddd9fb441

                SHA512

                70dc0171452d373c55c12fe5582cec31a01d4ee6cc84107cb2ded293920b80c41109f1daa5934f0815b5b98eded339be3b7a570b36240263a8dd4e133ba13bc3

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES9BF.tmp
                Filesize

                1KB

                MD5

                66465ebfa2da3e5967f45dce354ef4ca

                SHA1

                2396ae0a9808ee5a087498adbb9a8855ca25a922

                SHA256

                c74e5e50aabe1f5d4295addb83c553063fc6b0d2c3805bc3fac6430561ed59df

                SHA512

                7c0c16409af9fe3914840aa6a82f825290bd77ad89b408ea23b7fe000527636af8e833910ed3e88576f9cd8ea3d9179d134fe222568aa14a50e6c1b3fd665832

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tnzlju20.cpw.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\rxyfnioo\rxyfnioo.dll
                Filesize

                3KB

                MD5

                aa82afed0da4abf6fdb18a5ca6792e98

                SHA1

                ce1e2a26e28a645aea9075604aa2ceda7a2c0d11

                SHA256

                ffdd0cd63c51594ba74d7527ec0ab7c1385a4c57101b04eb4bb64647d80c553c

                SHA512

                45a0e519661baf8fe73e287ad261a3668bacd7047ad3b748e25c864e6cb353605c1826cbb8f204b9ac2ca96d496c82e5febeb83df806c22eb862371969bbc63c

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\ussz5bu5\ussz5bu5.dll
                Filesize

                3KB

                MD5

                459f24b127125ad643d7e17334e88b57

                SHA1

                bbb75a1eb7589d9f615cdd30064929ed872c784d

                SHA256

                164226f332a110556f214f099d7ddb3569d4f88f6b95a0c2087749ddffccf73b

                SHA512

                3d509b46344858d0ac2f52de51bd6a30349f272c717180bd4d4f076c4a15a0aac3660c636c6706c1952429dd184dff675f51ed39c4673cdce2e8683035df9d42

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\rxyfnioo\CSCC83EFD36DCC34CBE83E1238627292675.TMP
                Filesize

                652B

                MD5

                07506dd975cdd96b31e5ed8a55d4120a

                SHA1

                d694e8567e6698add6973ea2a396ef76984a6646

                SHA256

                90a76f61ab2b2e101124c1af16da54e5d267929b14e93c972457f1b1bb1c5999

                SHA512

                1316bb1d02c122d0d241d5bc04762f83e0ae4df11f08add7d3bc70d857d33bdd6e8cafca5306f2107ec033eb993c50838bc3110fd036c23656b2d04fc55b3456

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\rxyfnioo\rxyfnioo.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\rxyfnioo\rxyfnioo.cmdline
                Filesize

                369B

                MD5

                2bc4e7cd708d5dd333f262d0e1a6f697

                SHA1

                351b8c79ed4405fbab947581871e3df8e05bf524

                SHA256

                571259f4f7d911cf9c00a677cf63898c884455dfff61827f56ef82447cb5d4b4

                SHA512

                abad7aa700abe09e8ec9322ec25decca50e896960582b6b123126b69a8d1bf65f330983df94161a80f8041a19ce150c78bcedfcab0bbdc6565adb18943d7cbd6

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ussz5bu5\CSC73B3190BF8AD4D7B991CBC2DC23649E6.TMP
                Filesize

                652B

                MD5

                857c7569c25c513997355f43b748e081

                SHA1

                f87a5dd997135e757b355b48bf03bd430324ff02

                SHA256

                40c337f201e9af73c8a14beff70bac33b41eba1edf3305e4111c079e212c2818

                SHA512

                5510c4462e6235979bab3dc02935cb2d1740ebc8b2389029f02478c71f01efb726d1bc6ed89432eb283b0c01ec52a696c31b5a803a9e33e3b01d139320bc6f48

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ussz5bu5\ussz5bu5.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\ussz5bu5\ussz5bu5.cmdline
                Filesize

                369B

                MD5

                3eecf0d39af0edb02520119ad52c44c0

                SHA1

                7d297ca408fa0a0409261bd928e2b0e078d87acc

                SHA256

                860247642bafc5d44a2a7d5d9f51855d236ff1f4936da201ce4c7a3c5e5a75e7

                SHA512

                342e2ce0340cc5e94a5e65e8fbc2e0814d2ef3bf631663561833ae9653db8278d7afb593a6cfdd1177373d8805a4d6dfb9dcf8dc19d15bf640f32a03c49335dc

                Download Submit
              • memory/984-113-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/984-1-0x0000000002330000-0x0000000002430000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/984-9-0x0000000003FD0000-0x0000000003FDB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/984-8-0x0000000002330000-0x0000000002430000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/984-7-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/984-4-0x0000000003FF0000-0x0000000003FFD000-memory.dmp
                Filesize

                52KB

                Download
              • memory/984-3-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/984-2-0x0000000003FD0000-0x0000000003FDB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/1340-37-0x00000160DC1D0000-0x00000160DC1D8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/1340-67-0x00000160F48E0000-0x00000160F491D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/1340-24-0x00000160F47C0000-0x00000160F47D0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1340-51-0x00000160F48D0000-0x00000160F48D8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/1340-23-0x00000160F47C0000-0x00000160F47D0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/1340-53-0x00000160F48E0000-0x00000160F491D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/1340-22-0x00007FFB8AD40000-0x00007FFB8B801000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1340-12-0x00000160DC1A0000-0x00000160DC1C2000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1340-66-0x00007FFB8AD40000-0x00007FFB8B801000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1408-118-0x000001BEFD0A0000-0x000001BEFD144000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1408-93-0x000001BEFD0A0000-0x000001BEFD144000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1408-96-0x000001BEFD150000-0x000001BEFD151000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2880-117-0x000001B931F70000-0x000001B932014000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2880-109-0x000001B931D10000-0x000001B931D11000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2880-107-0x000001B931F70000-0x000001B932014000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3100-56-0x0000000003230000-0x0000000003231000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3100-55-0x0000000008EF0000-0x0000000008F94000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3100-94-0x0000000008EF0000-0x0000000008F94000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3672-101-0x000001CF3DE00000-0x000001CF3DEA4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3672-70-0x000001CF3DBC0000-0x000001CF3DBC1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3672-69-0x000001CF3DE00000-0x000001CF3DEA4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4068-114-0x00000236D0870000-0x00000236D0914000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4068-74-0x00000236D0870000-0x00000236D0914000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4068-75-0x00000236D0830000-0x00000236D0831000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4568-104-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4568-100-0x0000000001080000-0x0000000001118000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4568-112-0x0000000001080000-0x0000000001118000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4800-87-0x0000029D9F680000-0x0000029D9F724000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4800-88-0x0000029D9F400000-0x0000029D9F401000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4800-119-0x0000029D9F680000-0x0000029D9F724000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4900-81-0x000001DF95A20000-0x000001DF95AC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4900-116-0x000001DF95A20000-0x000001DF95AC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4900-82-0x000001DF951C0000-0x000001DF951C1000-memory.dmp
                Filesize

                4KB

                Download