Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40.exe

  • Size

    293KB

  • MD5

    01435632dca9afc151eec77862bfbc2b

  • SHA1

    9bbb4ae83131fafcd14d580810b14f48d2d30837

  • SHA256

    2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40

  • SHA512

    61e542b6413381f6c4d0f7e08154d7d6dbe44fe9879788b1b6a3d2b32c51ce93dc0a18ac5efb87a6a91292e95c97dd15eaf50c109f869f1acfee6087c10fd677

  • SSDEEP

    3072:28g/bYYX0XH1anZAsaA6eRESzHxHH3zt8l7Mjd1i0ot:DyYa0XUZdaAnEqHxn3R82i0o

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3716
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3096
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3936
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3212
        • C:\Users\Admin\AppData\Local\Temp\2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40.exe
          "C:\Users\Admin\AppData\Local\Temp\2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4752
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 472
            3⤵
            • Program crash
            PID:4848
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gqrg='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gqrg).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4732
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name iegtjq -value gp; new-alias -name fsmunu -value iex; fsmunu ([System.Text.Encoding]::ASCII.GetString((iegtjq "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2744
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g2b0nuez\g2b0nuez.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4920
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES19AD.tmp" "c:\Users\Admin\AppData\Local\Temp\g2b0nuez\CSC3808A33A33048D0B5203E9CF2DB7C6C.TMP"
                5⤵
                  PID:3404
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\orc5po4n\orc5po4n.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4636
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AD6.tmp" "c:\Users\Admin\AppData\Local\Temp\orc5po4n\CSC37D9AADD8992405EB52D4457E7A9B5.TMP"
                  5⤵
                    PID:4196
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\2adca18a6ba459e5325ce934d473c08a411ae5b8049ca4c37ea9b300553b1f40.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4364
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:4908
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:3280
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:1412
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4752 -ip 4752
              1⤵
                PID:2944

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RES19AD.tmp
                Filesize

                1KB

                MD5

                626aa029ecd31edb56041b88dbfcfcb1

                SHA1

                7ebb9ba9cef085bcc87b39c19cc5bb4955d2c377

                SHA256

                e340054dedbec902cdcfeb3387407fec6cd696e96045ad899ad299dd9be66bba

                SHA512

                8ff383765026a66d1fd0354a1cf8ed78b9cdff656e58aaffebf68ab67fd67e03a5cddeb675a94315078328109f451ff48d9db5849f607ea6ae0965f8c32762fb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RES1AD6.tmp
                Filesize

                1KB

                MD5

                d4fdb668029e40a6402e28acd9c459b2

                SHA1

                4207f86ec9cbed90c14c1d588896a70800f46097

                SHA256

                6e57a3d3c8deca0e5a39ee83ba05dd2317748d70e23eafb8498d01e5a010590a

                SHA512

                0a420667c4cb7fbeb7649d70c1a2c2e40b94b2936566ce9062943a567e10a149c859e52159089dc1f7cd815535dd0755a46b492bfa5fce06eb65ef08d8d44a5a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvfecmtj.5wr.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\g2b0nuez\g2b0nuez.dll
                Filesize

                3KB

                MD5

                d7a0eaed4bd16ed27aa61c1866018f70

                SHA1

                1433157d15218421731cc0490c2a84fe626e9eab

                SHA256

                23bf689ee9ab010a37fc4b48191b5eb8fd5a9525ed6ec1070d77ddc99b5ea973

                SHA512

                6dc4c53ac23e12f0756c082a0a93cd8e0a0d19e1f6d16b59abacc0a65b62f02c1cb0c9c96647ae2b97ce5395ee5814781ec1808ed6b643bb61375810daed6075

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\orc5po4n\orc5po4n.dll
                Filesize

                3KB

                MD5

                34e849e9ae1ea52b51c6fa543fd90cc2

                SHA1

                79cb046dd87512084db2d93b0461567f4a2a3926

                SHA256

                aed72afaafa20126d1431de7aba0c3aae749608afab89d894294bac9cdfe8dd2

                SHA512

                f9e12866ab5c4722e16262580dd246d0a06c6fa77fe6598b4328ebbe98c3a27b7e9bc45d50f9e54699a6eace13cf315e95081805dd5f7ae885bb8880031480a1

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\g2b0nuez\CSC3808A33A33048D0B5203E9CF2DB7C6C.TMP
                Filesize

                652B

                MD5

                75cb6bad091d50c625e4162d6438a096

                SHA1

                fd5a7474392d47eb67869b4f6c5924ae53f65f61

                SHA256

                fbc78ccc2012ff7485f5f19abadbc61c16ef7d7ff5d031e7df52c8633e544e36

                SHA512

                88fa00d55be8ef2bf7d807488f3c307e5fe6801c64266649d47cdec9b8cbe1e8a423b38dd25a717e3af0ee1af0598f145444780c27bb486f35f4232975786d2b

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\g2b0nuez\g2b0nuez.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\g2b0nuez\g2b0nuez.cmdline
                Filesize

                369B

                MD5

                2e0c735863a4bdd9ddbf1052271af370

                SHA1

                07ab40423ee904c3f1bab819e0d9d12ad3b54919

                SHA256

                4e9a615d760491ceb574faf2555d0c277da7d41766d79f33991b2c3f4851f338

                SHA512

                beb39de84586aab9c7c3637fbb37fa982694a6b33889f1487d2561e97f6af0c9a1a91d295a5408d5aa43d3df9fc7df17a4fb31151c68c2defe08016c5811345e

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\orc5po4n\CSC37D9AADD8992405EB52D4457E7A9B5.TMP
                Filesize

                652B

                MD5

                5c98ad3c0bb67b5df2e5fed356958f43

                SHA1

                0a41f5cf648986d6f19000023990987dd808153c

                SHA256

                2572dfc9001f6c463f402a7b6b06a9f2c4d84c35a78b0e7c85039010663f7e9c

                SHA512

                8d9752005a5d54ba942ad772fdeec3eaf990296d7e90fcc8bc46c9ac1f7cf0d06b7d954968abc45c302e5cd82eaa4c67864f7aaf99158db7c3d2f341f07e6c21

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\orc5po4n\orc5po4n.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\orc5po4n\orc5po4n.cmdline
                Filesize

                369B

                MD5

                5a479be1440a30355099ba3b2f983176

                SHA1

                d76f582c642425d10abafe245a2c90ef55f14536

                SHA256

                18915cadf38cbae57777e51ddc484277465a1dff1dada2cbde561cd8861f47db

                SHA512

                656573498eba7ed3959a8484d6397eef7f1e8f98d1915bee9cc133520e5e2f5241762585f9d1ab7ecbf09444240ff66be42d6b62c851a202485342eb2758a58f

                Download Submit

              • memory/1412-94-0x000002ACF9920000-0x000002ACF99C4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/1412-118-0x000002ACF9920000-0x000002ACF99C4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/1412-95-0x000002ACF98E0000-0x000002ACF98E1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2744-38-0x000001D1FDED0000-0x000001D1FDED8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2744-52-0x000001D1FE450000-0x000001D1FE458000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2744-68-0x000001D1FE460000-0x000001D1FE49D000-memory.dmp

                Filesize

                244KB

                Download

              • memory/2744-67-0x00007FFE902C0000-0x00007FFE90D81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2744-25-0x000001D1FDEE0000-0x000001D1FDEF0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2744-54-0x000001D1FE460000-0x000001D1FE49D000-memory.dmp

                Filesize

                244KB

                Download

              • memory/2744-24-0x00007FFE902C0000-0x00007FFE90D81000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2744-14-0x000001D1FDF20000-0x000001D1FDF42000-memory.dmp

                Filesize

                136KB

                Download

              • memory/3096-89-0x0000014BAF680000-0x0000014BAF681000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3096-117-0x0000014BAF890000-0x0000014BAF934000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3096-83-0x0000014BAF890000-0x0000014BAF934000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3212-102-0x0000000008EF0000-0x0000000008F94000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3212-56-0x0000000008EF0000-0x0000000008F94000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3212-57-0x0000000001300000-0x0000000001301000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3280-107-0x0000000000E30000-0x0000000000E31000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3280-105-0x0000000000E90000-0x0000000000F28000-memory.dmp

                Filesize

                608KB

                Download

              • memory/3280-111-0x0000000000E90000-0x0000000000F28000-memory.dmp

                Filesize

                608KB

                Download

              • memory/3716-71-0x000002009CFC0000-0x000002009CFC1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3716-70-0x000002009DE40000-0x000002009DEE4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3716-112-0x000002009DE40000-0x000002009DEE4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3936-77-0x0000029F64260000-0x0000029F64261000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3936-76-0x0000029F642A0000-0x0000029F64344000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3936-114-0x0000029F642A0000-0x0000029F64344000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4364-84-0x0000019198220000-0x0000019198221000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4364-82-0x0000019198370000-0x0000019198414000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4364-116-0x0000019198370000-0x0000019198414000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4752-4-0x0000000002410000-0x000000000241D000-memory.dmp

                Filesize

                52KB

                Download

              • memory/4752-7-0x0000000002420000-0x0000000002520000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4752-1-0x0000000002420000-0x0000000002520000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4752-3-0x0000000000400000-0x000000000228F000-memory.dmp

                Filesize

                30.6MB

                Download

              • memory/4752-2-0x00000000023F0000-0x00000000023FB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/4752-8-0x0000000000400000-0x000000000228F000-memory.dmp

                Filesize

                30.6MB

                Download

              • memory/4752-9-0x00000000023F0000-0x00000000023FB000-memory.dmp

                Filesize

                44KB

                Download

              • memory/4908-103-0x000001A3DE5C0000-0x000001A3DE5C1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4908-101-0x000001A3DE7A0000-0x000001A3DE844000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4908-115-0x000001A3DE7A0000-0x000001A3DE844000-memory.dmp

                Filesize

                656KB

                Download