Overview

overview

10

Static

static

3

7665e79318...e6.exe

windows7-x64

10

7665e79318...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    270s
  • max time network
    269s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2023 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe

  • Size

    304KB

  • MD5

    a3f4c907a088c99a8b7bf5f4280d7d0c

  • SHA1

    9a9297bd0af1c008eb7477c1e310ce70c30c6d56

  • SHA256

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6

  • SHA512

    106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b

  • SSDEEP

    6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

http://igrovdow.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3728
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4744
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4024
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3164
        • C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
          "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5112
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Pweb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Pweb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name hiksokun -value gp; new-alias -name sjsejcdbag -value iex; sjsejcdbag ([System.Text.Encoding]::ASCII.GetString((hiksokun "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4464
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\td1xyj5p\td1xyj5p.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2192
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6F.tmp" "c:\Users\Admin\AppData\Local\Temp\td1xyj5p\CSCE3B19DB2A5DA449BA45F40A814BCBE0.TMP"
                5⤵
                  PID:984
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t1e2qaka\t1e2qaka.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:4388
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF5.tmp" "c:\Users\Admin\AppData\Local\Temp\t1e2qaka\CSCF871521A2788495999D93BA66DD6E920.TMP"
                  5⤵
                    PID:3644
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4940
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:220
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:4100
              • C:\Windows\system32\taskmgr.exe
                "C:\Windows\system32\taskmgr.exe" /4
                2⤵
                • Checks SCSI registry key(s)
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:2096
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:4636
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
              1⤵
                PID:1152
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4032

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              3
              T1082

              Peripheral Device Discovery

              1
              T1120

              Remote System Discovery

              1
              T1018

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RESC6F.tmp
                Filesize

                1KB

                MD5

                be130597afabff3d99fe068bbcc6922f

                SHA1

                f72b22a0adceb7eba42d52a9744b7eea8d916b59

                SHA256

                0310c0d8c5df5223b8f12a79305d1e3f1c195135368b122b2d836c77f80490ce

                SHA512

                85bae221f164781b45e284946c1dd8c846dfb47c39ad4e75085e18f60500dc8507cba3abbf5268bb99ed2b9d6eaea249fd1a43fb964190d6b69f744c3f26aef3

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RESDF5.tmp
                Filesize

                1KB

                MD5

                9e8f03b4b26335a6b10dd5fbefa8cabd

                SHA1

                189749ec8d157bfa40d360d92ff8b1f887122626

                SHA256

                530757b69243c5e1c27a739227448503b27dcac6577f72279f3f87c66f140c38

                SHA512

                018ca5575d742dc06f65bc02fbb0b0bfdfbca9be372789af5e1e4f29a49919c0bcfb062329c88ec7af972b63f3c1d719affa9346745148604eb5826097e6afb7

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cclm13la.0jw.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\t1e2qaka\t1e2qaka.dll
                Filesize

                3KB

                MD5

                446b719ab82cc16635f633709e413107

                SHA1

                3dfae0f306241df89626e23ae3f0ac9f8b45d28a

                SHA256

                c5852efb3ff4dd1d91b2d43879a2f971bff19cfdf113dccaab1c052c462440eb

                SHA512

                02823f49f4b448b2f5b8405b36350a590e9b3eeff3a7fdc7d1f8ae09a3f4aaa6813c14ca6d67320d7c48946c327645d5111cd20c5ac5351738fcec2d87c7c588

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\td1xyj5p\td1xyj5p.dll
                Filesize

                3KB

                MD5

                0a451399d748682a0e636e3b841572e4

                SHA1

                692997dd8fa225c7f98cc20748029149dd987dae

                SHA256

                5cbb1bce3b5cbc95317a1109a88730fc634f2caefdf4a7647e49bf7529328843

                SHA512

                fa80beeb0fa855ce45f774573abaa18b9b9edbad81478d4add92d997409d2c0e2ecfda2bf31dbca0bfa7f0d3b6a8319ce6a23fab70e2dde116b2299742377857

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\t1e2qaka\CSCF871521A2788495999D93BA66DD6E920.TMP
                Filesize

                652B

                MD5

                5b9850f425643ec9f7b5e128118debcf

                SHA1

                02cb71b2ff3ea13e7fe4e0c39ede60658325bd23

                SHA256

                e17287c14d4eda48ab194bbf7cd1519b0195d899cbb0458a0456312f5d432d71

                SHA512

                e4dbb19a0470cdb5e1812c94ac444e4011be2658c5004120639e0766f1270003ffd12e646c901e399ebf8d07993bd434bc50bf001d26d2c33001777bc5d9bfb5

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\t1e2qaka\t1e2qaka.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\t1e2qaka\t1e2qaka.cmdline
                Filesize

                369B

                MD5

                01d66fca303acfd4fab3e15965f90a07

                SHA1

                21ae884ee365efb5158c10f4911e9f3984b72a0d

                SHA256

                f595afa4fac262a29747120989fd640615c4d90afe1a1d88e216ec8f92ab9f6c

                SHA512

                52102a03b0aadfa7cedb9ce99e4f3368d1a27f6ffc7af4ba6085bd7b65d6051815e36560e217d6cfbe650dd86587f3acf4d67d46664f767ca4cda0b46b038dc2

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\td1xyj5p\CSCE3B19DB2A5DA449BA45F40A814BCBE0.TMP
                Filesize

                652B

                MD5

                2f49b77afa96d7a4e5e3570afd7effc9

                SHA1

                d6348097a34f9e31cbe18bb08de7cc51cc06b954

                SHA256

                3cbae5b5c1f90a4f783b09e35532c2a3724abfb32c10b8cb79f4fbec04381e8a

                SHA512

                7f93093a51248f5635ff97a734f6629841ca53722f8d5837fad6891b060467468065553129420bcd26c42c55a705e0cf0b1528d6bb9aa5b2fb5460feb5f060e1

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\td1xyj5p\td1xyj5p.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\td1xyj5p\td1xyj5p.cmdline
                Filesize

                369B

                MD5

                dba56eb1c969538bd102cacd3c233e9e

                SHA1

                7815fb72c9a02857317707ffba123dab60babb67

                SHA256

                9c8d71d02b5ecb2cbe78c0266fe0baa2138ed241b93b9b776bd6fd033caa9193

                SHA512

                3123a2e98e0a61aa7c96517e42ccb7a3d92777fc30c3b1ef291a24555da6bcd12999e14896ef166b0ecc045b130da38f625778db1d8d40e529a24e61e5c95e6d

                Download Submit
              • memory/220-109-0x00000297595F0000-0x0000029759694000-memory.dmp
                Filesize

                656KB

                Download
              • memory/220-110-0x00000297594B0000-0x00000297594B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/220-117-0x00000297595F0000-0x0000029759694000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2096-126-0x0000028773F20000-0x0000028773F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2096-136-0x0000028773F20000-0x0000028773F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2096-132-0x0000028773F20000-0x0000028773F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2096-138-0x0000028773F20000-0x0000028773F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2096-140-0x000002876DE20000-0x000002876DEC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2096-127-0x0000028773F20000-0x0000028773F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2096-133-0x0000028773F20000-0x0000028773F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2096-122-0x000002876DED0000-0x000002876DED1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2096-137-0x0000028773F20000-0x0000028773F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2096-135-0x0000028773F20000-0x0000028773F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2096-121-0x000002876DE20000-0x000002876DEC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/2096-134-0x0000028773F20000-0x0000028773F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2096-128-0x0000028773F20000-0x0000028773F21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3164-98-0x0000000008EE0000-0x0000000008F84000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3164-58-0x0000000008EE0000-0x0000000008F84000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3164-59-0x0000000000D70000-0x0000000000D71000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3728-72-0x0000018582B20000-0x0000018582BC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3728-112-0x0000018582B20000-0x0000018582BC4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3728-73-0x00000185827B0000-0x00000185827B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4024-115-0x000002B37F740000-0x000002B37F7E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4024-79-0x000002B37F700000-0x000002B37F701000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4024-78-0x000002B37F740000-0x000002B37F7E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4032-141-0x000001BD47D90000-0x000001BD47DA0000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4100-105-0x0000000001550000-0x0000000001551000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4100-102-0x00000000017C0000-0x0000000001858000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4100-107-0x00000000017C0000-0x0000000001858000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4464-70-0x000001F9E8700000-0x000001F9E873D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4464-69-0x00007FFBD3DF0000-0x00007FFBD48B1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4464-56-0x000001F9E8700000-0x000001F9E873D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4464-54-0x000001F9E86F0000-0x000001F9E86F8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4464-40-0x000001F9E86D0000-0x000001F9E86D8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4464-27-0x000001F9E8570000-0x000001F9E8580000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4464-26-0x000001F9E8570000-0x000001F9E8580000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4464-25-0x00007FFBD3DF0000-0x00007FFBD48B1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4464-24-0x000001F9E8580000-0x000001F9E85A2000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4636-90-0x000002EC114C0000-0x000002EC114C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4636-119-0x000002EC11940000-0x000002EC119E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4636-89-0x000002EC11940000-0x000002EC119E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4744-85-0x000001A84AD50000-0x000001A84AD51000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4744-116-0x000001A84AF60000-0x000001A84B004000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4744-83-0x000001A84AF60000-0x000001A84B004000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4940-118-0x000001FD440C0000-0x000001FD44164000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4940-100-0x000001FD44040000-0x000001FD44041000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4940-97-0x000001FD440C0000-0x000001FD44164000-memory.dmp
                Filesize

                656KB

                Download
              • memory/5112-0-0x00000000028C0000-0x00000000028CF000-memory.dmp
                Filesize

                60KB

                Download
              • memory/5112-11-0x00000000028F0000-0x00000000028FD000-memory.dmp
                Filesize

                52KB

                Download
              • memory/5112-5-0x0000000000400000-0x000000000040F000-memory.dmp
                Filesize

                60KB

                Download
              • memory/5112-1-0x00000000028B0000-0x00000000028BC000-memory.dmp
                Filesize

                48KB

                Download