Malware Analysis Report

2025-03-15 07:46

Sample ID: 240204-r617baedgp
Target: VirusShare_8b6c087ce23acbe5540e2e799e215010
SHA256: 26b61a616d9ff0fc7e76c5c5d5058b6a05eec82c16b8206b0a3f057e82e23e71
Tags: gozi 1002 banker isfb persistence ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 26b61a616d9ff0fc7e76c5c5d5058b6a05eec82c16b8206b0a3f057e82e23e71
Threat Level: Known bad

The file VirusShare_8b6c087ce23acbe5540e2e799e215010 was found to be: Known bad.

Malicious Activity Summary

Tags: gozi 1002 banker isfb persistence ransomware trojan

Every behaviour listed below was observed in the Windows 7 run (behavioral1); in the Windows 10 run (behavioral2) the sample crashed into WerFault before any signature fired, so the summary reflects one detonation only. The ransomware tag is attached solely to the desktop-wallpaper signature; no file-encryption activity is recorded in either run.

Gozi

Modifies Installed Components in the registry

Deletes itself

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 14:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 14:49

Reported

2024-02-04 14:51

Platform

win7-20231215-en

Max time kernel

129s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe"

Signatures

Gozi

banker trojan gozi

Modifies Installed Components in the registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\colodxof = "C:\\Windows\\system32\\apdsorui.exe" | C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\apdsorui.exe | C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | N/A
File opened for modification | C:\Windows\system32\apdsorui.exe | C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64F0.tmp" | C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | N/A

The value is written twice: first to a .tmp file in the sample's own Temp directory, then to C:\Users\Admin\Pictures\My Wallpaper.jpg. This registry change is the only evidence behind the ransomware tag; no file-encryption or ransom-note signature fired in this run.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2220 set thread context of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | C:\Windows\explorer.exe

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A

BagMRU, MRUListEx and NodeSlots under Local Settings\Software\Microsoft\Windows\Shell are Explorer's ShellBag bookkeeping keys. On their own these writes are ordinary explorer.exe activity; they matter here only because explorer.exe (PID 2636) is the process the sample injected into.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\explorer.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A (12 identical events)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2220 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | C:\Windows\explorer.exe (7 identical events)
PID 2220 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe | C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 2700 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe (4 identical events)

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe"

C:\Windows\explorer.exe
    C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\8997.bat" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE""

C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE"
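The signature rows and the process tree above carry three separate stories that are easy to miss when read as a flat list: a Run value that points at a file the same run dropped into System32, a WriteProcessMemory plus SetThreadContext pair from PID 2220 into explorer.exe (PID 2636), and a cmd.exe running a .bat from Temp whose attrib.exe child strips the read-only, system and hidden attributes from the sample's own 8.3 short name before it is deleted. The Python below is an added example, not part of this report and not the sandbox's own logic: it correlates rows in exactly the Description / Indicator / Process / Target shape shown above into those findings. The EVENTS and PROCESSES data are copied from the behavioral1 tables; the PID-to-image mapping and the parent links are read off the WriteProcessMemory rows (2220 to 2636 explorer.exe, 2220 to 2700 cmd.exe, 2700 to 2708 attrib.exe) and are therefore inferred, and the finding names, regexes and the 8.3 short-name heuristic are this example's own.

```python
"""Correlate sandbox signature rows and the process tree into findings.

Added example; not part of the report. EVENTS and PROCESSES are copied from
the behavioral1 tables. PARENT and the PID-to-image map are inferred from
the WriteProcessMemory rows; finding names and parsing rules are our own.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000"

# (description, indicator, process, target), one tuple per report row
EVENTS = [
    ("Key created", HKCU + r"\Software\Microsoft\Active Setup\Installed Components", EXPLORER, None),
    ("Set value (str)",
     HKCU + r'\Software\Microsoft\Windows\CurrentVersion\Run\colodxof = "C:\\Windows\\system32\\apdsorui.exe"',
     SAMPLE, None),
    ("File created", r"C:\Windows\system32\apdsorui.exe", SAMPLE, None),
    ("PID 2220 set thread context of 2636", None, SAMPLE, EXPLORER),
    ("PID 2220 wrote to memory of 2636", None, SAMPLE, EXPLORER),
    ("PID 2220 wrote to memory of 2700", None, SAMPLE, CMD),
    ("PID 2700 wrote to memory of 2708", None, CMD, ATTRIB),
]
# pid -> (image, command line), from the Processes section
PROCESSES = {
    2220: (SAMPLE, f'"{SAMPLE}"'),
    2636: (EXPLORER, EXPLORER),
    2700: (CMD, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\8997.bat" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE""'),
    2708: (ATTRIB, r'attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE"'),
}
PARENT = {2636: 2220, 2700: 2220, 2708: 2700}  # child -> parent, inferred (see docstring)

_RUN_RE = re.compile(r'.*\\CurrentVersion\\Run\\([^\\=]+?)\s*=\s*"(.*)"$')
_PID_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)$")


def parse_run_value(indicator):
    """'...\\Run\\<name> = "<data>"' -> (name, data with doubled backslashes undone), else None."""
    m = _RUN_RE.match(indicator)
    if not m:
        return None
    name, data = m.groups()
    return name, data.replace("\\\\", "\\")


def persistence_findings(events):
    """Run values pointing at a file this run created, plus Active Setup key creation."""
    created = {ind.lower() for desc, ind, _, _ in events if desc == "File created" and ind}
    found = []
    for desc, ind, proc, _ in events:
        if desc.startswith("Set value") and ind:
            rv = parse_run_value(ind)
            if rv and rv[1].lower() in created:
                found.append(f"Run value '{rv[0]}' -> dropped file {rv[1]} (written by {proc})")
        elif desc == "Key created" and ind and ind.endswith(r"\Active Setup\Installed Components"):
            found.append(f"Active Setup Installed Components key created by {proc}")
    return found


def injection_findings(events, processes):
    """A source PID that both wrote memory and set a thread context in the same target PID."""
    ops = defaultdict(set)
    for desc, _, _, _ in events:
        m = _PID_RE.match(desc)
        if m:
            src, op, dst = int(m.group(1)), m.group(2), int(m.group(3))
            ops[(src, dst)].add("context" if op.startswith("set thread") else "write")
    return [f"PID {s} ({processes[s][0]}) wrote memory and set thread context in PID {d} ({processes[d][0]})"
            for (s, d), kinds in sorted(ops.items()) if kinds == {"context", "write"}]


def same_file(path_a, path_b):
    """Case-insensitive match that also accepts an 8.3 short name (VIRUSS~1.EXE) for a long name."""
    a, b = path_a.lower(), path_b.lower()
    if a == b:
        return True
    if "\\" not in a or "\\" not in b:
        return False
    (dir_a, name_a), (dir_b, name_b) = a.rsplit("\\", 1), b.rsplit("\\", 1)
    if dir_a != dir_b:
        return False
    short, long_ = (name_a, name_b) if "~" in name_a else (name_b, name_a)
    if "~" not in short:
        return False
    stem, ext = short.split("~", 1)[0], short.rsplit(".", 1)[-1]
    return long_.startswith(stem) and long_.endswith("." + ext)


def self_delete_findings(processes, parent, sample):
    """attrib -r -s -h on the sample's own file, launched by a cmd.exe running a .bat."""
    found = []
    for pid, (image, cmdline) in processes.items():
        if not image.lower().endswith("\\attrib.exe") or "-r -s -h" not in cmdline.lower():
            continue
        quoted = re.search(r'"([^"]+)"', cmdline)
        pimage, pcmd = processes.get(parent.get(pid), ("", ""))
        if (quoted and same_file(quoted.group(1), sample)
                and pimage.lower().endswith("\\cmd.exe") and ".bat" in pcmd.lower()):
            found.append(f"PID {pid} strips R/S/H from the sample for a batch launched by PID {parent[pid]}: {pcmd}")
    return found


def triage(events=EVENTS, processes=PROCESSES, parent=PARENT, sample=SAMPLE):
    return {
        "persistence": persistence_findings(events),
        "injection": injection_findings(events, processes),
        "self_delete": self_delete_findings(processes, parent, sample),
    }


if __name__ == "__main__":
    for category, findings in triage().items():
        print(category)
        for line in findings:
            print("  -", line)
```

The injection rule deliberately requires both a memory write and a thread-context change from the same source into the same target: the sample also wrote into cmd.exe (PID 2700) and cmd.exe into attrib.exe (PID 2708), but those writes are what CreateProcess does to a freshly spawned child and do not appear as findings. The 8.3 check is a heuristic that compares the directory, the first characters before the tilde and the extension; it is enough to tie VIRUSS~1.EXE back to the dropped sample path here, not a general short-name resolver.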

Network

N/A

Files

memory/2220-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2220-0-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2220-2-0x0000000000240000-0x000000000027A000-memory.dmp

memory/2636-7-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2636-9-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

memory/2636-10-0x0000000001BE0000-0x0000000001C48000-memory.dmp

memory/2636-12-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2636-18-0x0000000001BE0000-0x0000000001C48000-memory.dmp

memory/2636-17-0x0000000001BE0000-0x0000000001C48000-memory.dmp

memory/2636-19-0x0000000001BE0000-0x0000000001C48000-memory.dmp

memory/2636-20-0x0000000001BE0000-0x0000000001C48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8997.bat

MD5 6fbd6d86b3df3397503041edb0f46594
SHA1 81e61f06be95f813d806574eb563f4a71503b352
SHA256 494d6a3fda8a560321974a18fc07e1e35df7c3b7e2ec880ef016ebbbb5ad160b
SHA512 e3ec7013010d3ba871e63a9fa43196da9158c3de2844e11030645045a289d2f1a7e780be2929e182ff6e55412842111910ef41878ecf552a605d09367e54bf6d

memory/2220-28-0x0000000000400000-0x00000000050C2000-memory.dmp

memory/2636-30-0x0000000004680000-0x0000000004681000-memory.dmp

memory/2636-31-0x0000000001BE0000-0x0000000001C48000-memory.dmp

memory/2636-32-0x0000000004680000-0x0000000004681000-memory.dmp

memory/2636-36-0x0000000003550000-0x0000000003560000-memory.dmp
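The dump names above encode the PID, a running index and the start and end address of each region, and the same region of PID 2636 (0x1BE0000 to 0x1C48000, 0x68000 bytes) shows up six times while PID 2220 contributes one very large region at 0x400000. The 0x000007FFFFFD8000 region in PID 2636 also lies above 4 GiB, which only a 64-bit address space can hold, so the explorer.exe the sample injected into is 64-bit while the sample itself spawned its helpers from SysWOW64. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses the names listed above (copied verbatim) into a per-PID inventory and ranks the regions worth opening first. Reading the names as pid-index-start-end, the 0x10000 size floor and the ranking rule are this example's own assumptions.

```python
"""Inventory the sandbox's memory dumps by PID and region.

Added example; not part of the report. DUMPS is copied from the behavioral1
Files section. Reading each name as pid-index-start-end is our assumption.
"""
import re
from collections import defaultdict

DUMPS = [
    "memory/2220-1-0x00000000002B0000-0x00000000002B1000-memory.dmp",
    "memory/2220-0-0x0000000000230000-0x0000000000231000-memory.dmp",
    "memory/2220-2-0x0000000000240000-0x000000000027A000-memory.dmp",
    "memory/2636-7-0x00000000002A0000-0x00000000002A1000-memory.dmp",
    "memory/2636-9-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp",
    "memory/2636-10-0x0000000001BE0000-0x0000000001C48000-memory.dmp",
    "memory/2636-12-0x00000000002A0000-0x00000000002A1000-memory.dmp",
    "memory/2636-18-0x0000000001BE0000-0x0000000001C48000-memory.dmp",
    "memory/2636-17-0x0000000001BE0000-0x0000000001C48000-memory.dmp",
    "memory/2636-19-0x0000000001BE0000-0x0000000001C48000-memory.dmp",
    "memory/2636-20-0x0000000001BE0000-0x0000000001C48000-memory.dmp",
    "memory/2220-28-0x0000000000400000-0x00000000050C2000-memory.dmp",
    "memory/2636-30-0x0000000004680000-0x0000000004681000-memory.dmp",
    "memory/2636-31-0x0000000001BE0000-0x0000000001C48000-memory.dmp",
    "memory/2636-32-0x0000000004680000-0x0000000004681000-memory.dmp",
    "memory/2636-36-0x0000000003550000-0x0000000003560000-memory.dmp",
]

_DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """'memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp' -> (pid, index, start, end)."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)


def inventory(dumps=DUMPS):
    """pid -> {(start, end): [dump indices]}."""
    inv = defaultdict(lambda: defaultdict(list))
    for name in dumps:
        pid, idx, start, end = parse_dump(name)
        inv[pid][(start, end)].append(idx)
    return inv


def is_64bit_process(dumps, pid):
    """A region ending above 0xFFFFFFFF can only exist in a 64-bit address space."""
    return any(end > 0xFFFFFFFF for p, _, _, end in map(parse_dump, dumps) if p == pid)


def candidates(dumps=DUMPS, target_pid=None, min_size=0x10000):
    """Regions to open first: most often dumped, then largest; optionally one PID only."""
    rows = []
    for pid, regions in inventory(dumps).items():
        if target_pid is not None and pid != target_pid:
            continue
        for (start, end), idxs in regions.items():
            if end - start >= min_size:
                rows.append({"pid": pid, "start": start, "end": end, "size": end - start,
                             "dumps": len(idxs), "indices": sorted(idxs)})
    rows.sort(key=lambda r: (-r["dumps"], -r["size"]))
    return rows


if __name__ == "__main__":
    for r in candidates():
        arch = "x64" if is_64bit_process(DUMPS, r["pid"]) else "x86?"
        print(f"pid {r['pid']} ({arch}) {r['start']:#014x}-{r['end']:#014x} "
              f"{r['size']:>10,} bytes, dumped {r['dumps']}x, indices {r['indices']}")
```

Run stand-alone it lists the 0x68000-byte region in explorer.exe first, then the 0x4CC2000-byte region of the sample at its 0x400000 image base; the tiny 0x1000 regions (stack guard pages, PEB/TEB-sized blocks) fall below the size floor. Two-thirds of all dumps belong to the injection target, which is where the unpacked payload should be looked for.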

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 14:49

Reported

2024-02-04 14:52

Platform

win10v2004-20231215-en

Max time kernel

138s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_8b6c087ce23acbe5540e2e799e215010.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4508 -ip 4508

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 492

The -p 4508 argument names the crashing process; 4508 is also the PID on the three memory dumps listed under Files. No child other than the error-reporting helper was created, so none of the persistence, injection or self-deletion behaviour from the Windows 7 run is reproduced here.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp

All fourteen entries are reverse-DNS (PTR) queries sent to 8.8.8.8 over UDP. No forward lookup and no connection attributable to the sample is listed, which is consistent with the process crashing into WerFault before reaching any command-and-control stage; none of these names should be treated as an indicator for this sample.

Files

memory/4508-0-0x0000000005160000-0x0000000005161000-memory.dmp

memory/4508-1-0x0000000006E30000-0x0000000006E6A000-memory.dmp

memory/4508-2-0x0000000006EA0000-0x0000000006EA1000-memory.dmp