Overview

overview

10

Static

static

3

SecurityHe...ay.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/03/2024, 15:54

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SecurityHealthSystray.exe

  • Size

    12KB

  • MD5

    bcd5a9678f98f90f3353895a4652412d

  • SHA1

    c28dc10d7ee2772bf66022863351806c9c843b1a

  • SHA256

    1506bc26e98fc87034a0ef3a39a1192fbd8ef2336e375eca6c1ceeffe36a73a3

  • SHA512

    6be5212588dacd4f3f71260b1991ffa7f164745fd89ae3474b65120c52dc8dcb1ceaf79c54ecb5ae2bc50e5959d0fe318ea76860e8d6245c7f86d45dfbde367a

  • SSDEEP

    192:Ks+iDcpjWW+nmpfDAQ3dtTzeihOfm/k+sqnINNe4+OlI8JWsRI5:Ks+DpjWDmpkQNhNhfPnkw4+OSRN

Score
10/10
gozibankerisfbspywarestealertrojan

Malware Config

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3416
    • C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
      "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4584
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\jumpdamage900116.vbs" /f
        3⤵
        • Modifies registry class
        PID:1544
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
        3⤵
        • Modifies registry class
        PID:4744
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C computerdefaults.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\SysWOW64\ComputerDefaults.exe
          computerdefaults.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4168
          • C:\Windows\SysWOW64\wscript.exe
            "wscript.exe" C:\Users\Admin\AppData\Local\Temp\jumpdamage900116.vbs
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:3780
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
              6⤵
                PID:4240
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN DropboxPaperUpdater_2a2oZvQBjB4qFwCPj050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\2a2oZvQBjB4qFwCPj050MX.exe" /RL HIGHEST /IT
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4332
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /Create /SC ONLOGON /TN DropboxPaperUpdater_2a2oZvQBjB4qFwCPj050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\2a2oZvQBjB4qFwCPj050MX.exe" /RL HIGHEST /IT
            4⤵
            • Creates scheduled task(s)
            PID:5044
        • C:\Users\Admin\AppData\Local\Temp\ujewpte4.exe
          "C:\Users\Admin\AppData\Local\Temp\ujewpte4.exe" explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4056

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\079095b1c1654f22bef47c721eafe048
            Filesize

            46KB

            MD5

            02d2c46697e3714e49f46b680b9a6b83

            SHA1

            84f98b56d49f01e9b6b76a4e21accf64fd319140

            SHA256

            522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

            SHA512

            60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\36f5b806c3a34c1e99762ee3132bef1e
            Filesize

            8KB

            MD5

            caa2f2d69814378b0b47997f81fb75a0

            SHA1

            1e92fa43b34e95056b255ea48af8a29fd82c1c87

            SHA256

            4488c5e96344c9603e040aa67bb521fcbfe38b28d3a1044d9274e33524653e21

            SHA512

            8effd7500fe27cf7aadf0c230f915e2b285162765daf0f49e680671e5b35e2151630cb84f5d295cea3dd8f4cb29f5b4808c0c5a0b20838db3d6aa570495b053e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
            Filesize

            1.4MB

            MD5

            6f2fdecc48e7d72ca1eb7f17a97e59ad

            SHA1

            fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056

            SHA256

            70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809

            SHA512

            fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\dce745fed7384dd08f57a5b85f862ae4
            Filesize

            128KB

            MD5

            043219d27a6b3e61e37f3255bc1f75ce

            SHA1

            9f9293c397d278a8fe21d63b69023dd2e7c653cd

            SHA256

            48614f2b94a5781a506ab0c50fe1ee6d9a0e479e86ea3f0b9eaa1e13b0dedd60

            SHA512

            6cb4fb34df481c5ecc2edceda23af00a02a70b4fd3c80d1a026dca0a21a1ea40fc032694f1fea3c2c40cb10f8d66ea2c6d511a4c5736566ea18c75e3d6ef3f5c

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\jumpdamage900116.vbs
            Filesize

            171B

            MD5

            a34267102c21aff46aecc85598924544

            SHA1

            77268af47c6a4b9c6be7f7487b2c9b233d49d435

            SHA256

            eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44

            SHA512

            5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ujewpte4.exe
            Filesize

            124KB

            MD5

            e898826598a138f86f2aa80c0830707a

            SHA1

            1e912a5671f7786cc077f83146a0484e5a78729c

            SHA256

            df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a

            SHA512

            6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Gongle\a1P7Q5WMDK\CURRENT
            Filesize

            16B

            MD5

            46295cac801e5d4857d09837238a6394

            SHA1

            44e0fa1b517dbf802b18faf0785eeea6ac51594b

            SHA256

            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

            SHA512

            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Gongle\a1P7Q5WMDK\LOG
            Filesize

            332B

            MD5

            db816893453c4e04d237ec0af8d55857

            SHA1

            ac7d294ea025cf97c5360511f3c4e34da541687a

            SHA256

            2ef197947d44767d0aa93b4d5b358cb904723dd9158e9d86d17e1d216c5b8f9b

            SHA512

            82e285529675ad9dcc9094495ff9c6c2cab79b0203c439386511904ee38bc48fe3b905afb5cbd33999e8492e7ee82a18f2a23b571710e994c22009ca96670b30

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Gongle\a1P7Q5WMDK\LOG.old
            Filesize

            291B

            MD5

            4dcbe22619a5e5c1ae6cedb1456611ae

            SHA1

            7f811b137e46727d084d68ad70a31c851245e57d

            SHA256

            2278841eeeaf5b1d3775e42aae672f4782cce576eac6885a2ac40e1962c477d8

            SHA512

            b62d80b2390ed95792d3105b2bfbeef3fa12425f2801accd9163ab9721364c61578c60df622c0b5cdfd602f91b63f7f1aafef0dabb9906d4abc6038eb89e93a4

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Gongle\a1P7Q5WMDK\MANIFEST-000001
            Filesize

            41B

            MD5

            5af87dfd673ba2115e2fcf5cfdb727ab

            SHA1

            d5b5bbf396dc291274584ef71f444f420b6056f1

            SHA256

            f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

            SHA512

            de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Gongle\aFRKJDBELS\tooqwtv0.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
            Filesize

            48KB

            MD5

            ca38ef773cc720e885e46b59cfee0f3f

            SHA1

            f97eb5a51bd09e9a53d26d543d44b4e3b1127f8f

            SHA256

            39e0ef3060e892d6270951eaf4e6f1ad6b9413c8174d03541cab61599a35372e

            SHA512

            8c55c306544e971693216525d857284de7142204a53c6a5c83f4421d47ad357fc45cba90c448199d909796f50049db2d58254d1f222abec3a0420a21cd8dad8a

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Gongle\aUVNLFGDWC\LOG
            Filesize

            334B

            MD5

            31fdcc4973bb450329763aba095ece9e

            SHA1

            2e27b9eb90f83f8d94c3e1d5974d086ad2bd9cf3

            SHA256

            a4d8e2447a566c20e3bd886fa83df2a148cf6a62cc87bebabe347f5e81e25986

            SHA512

            72a66aac33ae21f455437de44d3673f0f3f1b810e83f1a67fb1f1a95d6530d4252923c97bf13650d770b0f973dc1cd63aa9c5c8fb692898e283991e2b98c56fa

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Gongle\aUVNLFGDWC\LOG.old
            Filesize

            293B

            MD5

            e052d5a5ec65c16c047ea870deb7959f

            SHA1

            5398cf68be8e91ec519016a961705a642be48203

            SHA256

            4f34b875419b82b288fc6deeed6d826d3c2ddc53a5c86e214294edd4712ea23a

            SHA512

            36161da294d187abd882191b8677c26b7d9eb16ec972b2824969b1e32b22b8c368ccc1812169f67a9fe2e3e0eb7e7d20d5a5d41b234c15c245d7f00dff1a4073

            Download Submit

          • memory/3416-41-0x0000000003230000-0x0000000003231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3416-27-0x00000000012E0000-0x00000000012E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3416-28-0x0000000003230000-0x0000000003231000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3416-31-0x00000000012E0000-0x00000000012E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3416-29-0x00000000012E0000-0x00000000012E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3416-33-0x00000000012E0000-0x00000000012E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4584-44-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4584-174-0x0000000000950000-0x0000000000A02000-memory.dmp

            Filesize

            712KB

            Download

          • memory/4584-39-0x0000000007460000-0x0000000007472000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4584-42-0x000000000A7A0000-0x000000000A7AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4584-43-0x000000000A820000-0x000000000A82A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4584-0-0x0000000074F40000-0x00000000756F0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4584-32-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4584-84-0x0000000006690000-0x000000000669C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4584-85-0x00000000066B0000-0x00000000066B8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4584-17-0x0000000074F40000-0x00000000756F0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4584-11-0x0000000012D70000-0x0000000013A12000-memory.dmp

            Filesize

            12.6MB

            Download

          • memory/4584-10-0x000000000ABF0000-0x000000000B7F0000-memory.dmp

            Filesize

            12.0MB

            Download

          • memory/4584-6-0x00000000054C0000-0x0000000005A64000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4584-5-0x0000000004E70000-0x0000000004F02000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4584-3-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4584-40-0x0000000009930000-0x0000000009996000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4584-175-0x0000000000B50000-0x0000000000B72000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4584-176-0x0000000000CC0000-0x0000000000D36000-memory.dmp

            Filesize

            472KB

            Download

          • memory/4584-177-0x0000000000C60000-0x0000000000C7E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4584-178-0x000000000A860000-0x000000000A8B0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4584-179-0x0000000006740000-0x00000000067AA000-memory.dmp

            Filesize

            424KB

            Download

          • memory/4584-180-0x000000000C7F0000-0x000000000CB44000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4584-181-0x000000000A8C0000-0x000000000A90C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4584-185-0x000000000D790000-0x000000000D7CC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4584-186-0x000000000D750000-0x000000000D771000-memory.dmp

            Filesize

            132KB

            Download

          • memory/4584-4-0x00000000029B0000-0x00000000029BA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4584-2-0x0000000004D30000-0x0000000004D4A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4584-201-0x000000000D7E0000-0x000000000D7EA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4584-1-0x0000000000C30000-0x0000000000C3C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4584-205-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

            Filesize

            64KB

            Download