Overview

overview

10

Static

static

3

SecuriteIn...23.exe

windows7-x64

10

SecuriteIn...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.TrojanX-gen.25123.exe

  • Size

    293KB

  • MD5

    f4596eec21608b69a6410f3c1163f290

  • SHA1

    db1d45bdd0409d95f6d3b6084cad4e6fe90a3436

  • SHA256

    988ac9d35c37f6e957a5f292b871325fece89e106d4ac91d61d7ef5cd657ad8a

  • SHA512

    c8d70e20cb3db7f050a0cb75d9f4ae3099760507eb707951c602f2d2de6adb564f87425153c77cae5b465c5efa7f5b4b13be642f8c95c9e14ed2d007e29e8dce

  • SSDEEP

    3072:IvjRMbYbmYQDtBRd7QuszTc3iHjL1473r49ot:eWYaYQzRhSOuL1ik9o

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3840
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4868
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3684
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25123.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25123.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2656
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 472
            3⤵
            • Program crash
            PID:840
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tilv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tilv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name aovltqc -value gp; new-alias -name mcvwbmthse -value iex; mcvwbmthse ([System.Text.Encoding]::ASCII.GetString((aovltqc "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3976
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iueeosa4\iueeosa4.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3736
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES211F.tmp" "c:\Users\Admin\AppData\Local\Temp\iueeosa4\CSCB17F5A79530C4270A14E283DC037A50.TMP"
                5⤵
                  PID:3064
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\agjxtvz0\agjxtvz0.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4192
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2268.tmp" "c:\Users\Admin\AppData\Local\Temp\agjxtvz0\CSCE4F7BCD55FB0456580B9FDE74353215B.TMP"
                  5⤵
                    PID:3784
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25123.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3860
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:816
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:4980
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:1412
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2656 -ip 2656
              1⤵
                PID:3572

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RES211F.tmp
                Filesize

                1KB

                MD5

                ef25666e07709109602716aee8b186b9

                SHA1

                1120798d25a52751801e2c8fa1367bf55c59f8fe

                SHA256

                8953cb6a652e1f042717f3a93209cd5d529adf72459b1bfba7742fcc12b383f1

                SHA512

                7714fc4a9e0ee3573835be04671feb104ef778af655048ef64c59810905f3ac1a283e004477fd6a72bf2f62e7fbc272d556af26e1f135789db368342c081b958

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES2268.tmp
                Filesize

                1KB

                MD5

                2756178ac97691a106c22b256c99e83e

                SHA1

                705e887deda4fe27a243ca393b1d73188811d0b8

                SHA256

                79b7750757e1550a872c5716e9031dfaa69310a30e815105e7baeb4aacd4b4d1

                SHA512

                508641e0c57a2d0043a47922ebe114e675c14571f3856e62a343bd880bdb23e77888df9ec5195cb845701d1f62de58663c11b11ac8345b0f6ee97bd09b9ace44

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j5li2x5v.i20.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\agjxtvz0\agjxtvz0.dll
                Filesize

                3KB

                MD5

                ef9ede2142ab5100b2e1126051eccf3e

                SHA1

                b3fa04338477c17e48a4ec1e4b628224df410f4e

                SHA256

                0c4c569df24d888c7f40b9277b459101a5ec93bcaf98ce90e731bc73ee715bd3

                SHA512

                a1e918d47a16794a74240cbad835004ccf60a67aea3ec5a99d8d7775565cd0d100d97647db30e1938d48897adc8ce601813670c6f122ecaca99a58f6bd6a3e48

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\iueeosa4\iueeosa4.dll
                Filesize

                3KB

                MD5

                7f0fc756e586554798fde4df220fdeaa

                SHA1

                5d5152515686d5910bf56220c90dd0473f8d86c0

                SHA256

                6fcbf990cf87c7e7698438df018b89dd8f40b9cef8813b5a556eb888ade0a26e

                SHA512

                f7c20e72d8c4cce7adf0f0f99d40d56d9d0e1c03a62ff19aacf99be1fd2cb14a7949c97cc6c6048be199ec79b14578faf2777e03d184e5ef43fb010e18f1822e

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\agjxtvz0\CSCE4F7BCD55FB0456580B9FDE74353215B.TMP
                Filesize

                652B

                MD5

                ad284afc0302acac5ae0991e842da572

                SHA1

                3f967b7ee56720b62def560f955476e604f9a6eb

                SHA256

                7f2ad8eaeba47c000baf45683e4a870484cf5dad2fa3bc62fef854ea67e43ecb

                SHA512

                9eb6dbf02d0397fe30c1f6d7cf29f952d8e21ab71b11b3ef9a8fcd7dd021fadbedd67c8bf609faad190ebbd02ea33050b56f0e82bdae047429713d4ccc4f3e82

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\agjxtvz0\agjxtvz0.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\agjxtvz0\agjxtvz0.cmdline
                Filesize

                369B

                MD5

                d18cd6a775cb9bd5279227b974e939e8

                SHA1

                6fdda176865fb36405e301f77b759f2ce0bf0ad3

                SHA256

                c51782dd34fbcce6dd4f1f5af922a8888dbbc0a9e9e9fa72e99b514275935d66

                SHA512

                d43d784833bf1f512778504e9bbc073dcc356bd669ae1b6c4e0fa395e091a5a1e370cededb8280f8fb466193b3b98c2f5cffb2e437ada924265477aa5a6003f5

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\iueeosa4\CSCB17F5A79530C4270A14E283DC037A50.TMP
                Filesize

                652B

                MD5

                24c017175e28617139b0a69e52be8205

                SHA1

                10b1ff05bf49d578231c3fe8e48318db5f7a5976

                SHA256

                ac8ac7a6ca4a7cc3c1a6a5cf9e0e97e7e47af7a069265a387203617da7930bcb

                SHA512

                73aa8369ef282ed06101bf673aeecc481a337c19498c13b63765355b6f4342086bb6409d5e20fd2ad19ae05219aa479cde8618a1a2303c98acf9cb9911424467

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\iueeosa4\iueeosa4.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\iueeosa4\iueeosa4.cmdline
                Filesize

                369B

                MD5

                5458a1fb030eed1777f493b9ab4ff7aa

                SHA1

                597bd30dfd16adf2afeebb74faf452c7c04a41b5

                SHA256

                e7cceffea6adabcc3211ff06abacc34a0ec4a6147e167e24d7010e72e4734b8d

                SHA512

                152c1577476c496884ac68351366e036b927128ae9edffabb5c1a174e891426d46e8f7a4ab209ef1a63c3b1d0adad7b78d0f77510c4d36a70e6f4c5a689bda62

                Download Submit
              • memory/816-103-0x00000171B5180000-0x00000171B5181000-memory.dmp
                Filesize

                4KB

                Download
              • memory/816-99-0x00000171B52E0000-0x00000171B5384000-memory.dmp
                Filesize

                656KB

                Download
              • memory/816-113-0x00000171B52E0000-0x00000171B5384000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1412-116-0x00000175D0770000-0x00000175D0814000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1412-87-0x00000175D0770000-0x00000175D0814000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1412-90-0x00000175D0820000-0x00000175D0821000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2656-9-0x00000000023F0000-0x00000000023FB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/2656-7-0x0000000002460000-0x0000000002560000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/2656-4-0x0000000002410000-0x000000000241D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/2656-3-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/2656-8-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/2656-2-0x00000000023F0000-0x00000000023FB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/2656-111-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/2656-1-0x0000000002460000-0x0000000002560000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/3204-55-0x0000000001120000-0x0000000001121000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3204-101-0x00000000092D0000-0x0000000009374000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3204-54-0x00000000092D0000-0x0000000009374000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3684-74-0x000002B6A08C0000-0x000002B6A0964000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3684-75-0x000002B6A0880000-0x000002B6A0881000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3684-112-0x000002B6A08C0000-0x000002B6A0964000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3840-68-0x00000242D30B0000-0x00000242D3154000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3840-69-0x00000242D3160000-0x00000242D3161000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3840-110-0x00000242D30B0000-0x00000242D3154000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3860-114-0x00000209C2F20000-0x00000209C2FC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3860-85-0x00000209C2F20000-0x00000209C2FC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3860-86-0x00000209C2FD0000-0x00000209C2FD1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3976-50-0x000001DAC3090000-0x000001DAC3098000-memory.dmp
                Filesize

                32KB

                Download
              • memory/3976-22-0x00007FFA74350000-0x00007FFA74E11000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3976-52-0x000001DAC32C0000-0x000001DAC32FD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/3976-36-0x000001DAAAA80000-0x000001DAAAA88000-memory.dmp
                Filesize

                32KB

                Download
              • memory/3976-17-0x000001DAAAA30000-0x000001DAAAA52000-memory.dmp
                Filesize

                136KB

                Download
              • memory/3976-23-0x000001DAC2F60000-0x000001DAC2F70000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3976-65-0x00007FFA74350000-0x00007FFA74E11000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3976-66-0x000001DAC32C0000-0x000001DAC32FD000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4868-81-0x0000027F73BC0000-0x0000027F73BC1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4868-79-0x0000027F74420000-0x0000027F744C4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4868-115-0x0000027F74420000-0x0000027F744C4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4980-109-0x00000000016B0000-0x0000000001748000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4980-106-0x0000000001320000-0x0000000001321000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4980-100-0x00000000016B0000-0x0000000001748000-memory.dmp
                Filesize

                608KB

                Download