Analysis Overview
SHA256
f94342f97c194dc2d475c4bb5cf4626d6f935b2e0208a61e0f655a5ca0c88f4c
Threat Level: Known bad
The file updater.exe was found to be: Known bad.
Malicious Activity Summary
Gozi
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-10 18:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 18:33
Reported
2024-03-10 18:35
Platform
win11-20240221-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Gozi (family signature hit; no indicator row was recorded for it in this run and the static pass only reports Unsigned PE, so confirm the family attribution against the sample before reporting it)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s) (EpicGamesUpdater_IQMKOq8RoYR3WW1Ig050MX runs at every logon with /RL HIGHEST and /IT from a user-writable AppData path; the full schtasks command line is under Processes)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class (HKCU ms-settings handler hijack: setting shell\open\command together with a DelegateExecute value that is not a valid CLSID is the pattern that makes an auto-elevating binary such as ComputerDefaults.exe run the attacker's command; ComputerDefaults.exe is launched immediately afterwards, see Processes)
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell\open | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\italypear9209580.vbs" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\updater.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\updater.exe | "C:\Users\Admin\AppData\Local\Temp\updater.exe" |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs" /f |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f |
| C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C computerdefaults.exe |
| C:\Windows\SysWOW64\ComputerDefaults.exe | computerdefaults.exe |
| C:\Windows\SysWOW64\wscript.exe | "wscript.exe" C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN EpicGamesUpdater_IQMKOq8RoYR3WW1Ig050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\IQMKOq8RoYR3WW1Ig050MX.exe" /RL HIGHEST /IT |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /Create /SC ONLOGON /TN EpicGamesUpdater_IQMKOq8RoYR3WW1Ig050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\IQMKOq8RoYR3WW1Ig050MX.exe" /RL HIGHEST /IT |
| C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe | "C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe" explorer.exe |
The process paths are under SysWOW64 while the recorded command lines name system32: the sample is 32-bit, and WOW64 file-system redirection maps its System32 references to SysWOW64. The sequence reg.exe (handler command), reg.exe (DelegateExecute), then ComputerDefaults.exe is the ms-settings UAC bypass; the wscript.exe child that follows is the hijacked handler firing the dropped VBS. lshyp4e4.exe is started with explorer.exe as its argument and the GetForegroundWindowSpam behaviour is attributed to Explorer.EXE, so inspect Explorer's memory dumps for injected code before treating Explorer activity as benign.
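As an added example (not part of this report and not Tria.ge's own signature logic), the following Python script applies rule-style triage to the command lines listed above: it flags the two reg.exe edits of the HKCU ms-settings handler, the ComputerDefaults.exe launch that abuses them, the hosts-file deletion, the logon task with /RL HIGHEST pointing into a user-writable path, the VBS run from Temp and the executables started from the user profile, then correlates the three UAC-bypass steps into one verdict. The rule names and the SAMPLE_CMDLINES list are this example's own constructions, the latter copied from the Processes section.

```python
"""Rule-style triage of Windows process command lines.

Added example, not part of the sandbox report: rule names and the
UAC-bypass chain correlation are this script's own conventions.
"""
import re

# Constructed sample input: command lines taken from the report's Processes
# section (one representative line per step).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\updater.exe"',
    r'"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs" /f',
    r'"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f',
    r'"cmd.exe" /C computerdefaults.exe',
    r'computerdefaults.exe',
    r'"wscript.exe" C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs',
    r'"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts',
    r'schtasks /Create /SC ONLOGON /TN EpicGamesUpdater_IQMKOq8RoYR3WW1Ig050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\IQMKOq8RoYR3WW1Ig050MX.exe" /RL HIGHEST /IT',
    r'"C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe" explorer.exe',
]

# Protocol handlers whose per-user override is honoured by auto-elevating
# binaries, and the binaries commonly launched to trigger them.
HIJACKABLE_HANDLERS = {"ms-settings"}
AUTO_ELEVATE_BINARIES = ("computerdefaults.exe", "fodhelper.exe")
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# reg add HK..\Software\Classes\<handler>\shell\open\command
HANDLER_EDIT = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+"?(hk[a-z]+\\software\\classes\\([^\\"]+)\\shell\\open\\command)',
    re.I)
UAC_BYPASS_CHAIN = {"uac_bypass_handler_command",
                    "uac_bypass_delegateexecute",
                    "uac_bypass_autoelevate_launch"}


def first_token(cmd):
    """Executable token of a Windows command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def classify(cmd):
    """Return [(rule, detail), ...] for one command line; [] if nothing fires."""
    low = cmd.lower()
    exe_path = first_token(cmd)
    exe = exe_path.rsplit("\\", 1)[-1].lower()
    findings = []

    m = HANDLER_EDIT.search(cmd)
    if m and m.group(2).lower() in HIJACKABLE_HANDLERS:
        if re.search(r"/v\s+delegateexecute", low):
            findings.append(("uac_bypass_delegateexecute", m.group(1)))
        else:
            findings.append(("uac_bypass_handler_command", m.group(1)))

    hit = next((b for b in AUTO_ELEVATE_BINARIES if b in low), None)
    if hit:
        findings.append(("uac_bypass_autoelevate_launch", hit))

    if "drivers\\etc\\hosts" in low and re.search(r"\b(del|erase)\b", low):
        findings.append(("hosts_file_tamper", "hosts file deleted"))

    if "schtasks" in low and "/create" in low:
        issues = []
        if re.search(r"/sc\s+onlogon", low):
            issues.append("runs at logon")
        if re.search(r"/rl\s+highest", low):
            issues.append("highest run level")
        tr = (re.search(r'/tr\s+"([^"]+)"', cmd, re.I)
              or re.search(r"/tr\s+(\S+)", cmd, re.I))
        if tr and USER_WRITABLE.search(tr.group(1)):
            issues.append("action in user-writable path: " + tr.group(1))
        if issues:
            findings.append(("scheduled_task_persistence", "; ".join(issues)))

    script = re.search(r'[a-z]:\\[^\s"]+\.vbs', low)
    if exe in ("wscript.exe", "cscript.exe") and script \
            and "\\appdata\\local\\temp\\" in script.group(0):
        findings.append(("script_from_temp", script.group(0)))

    if exe.endswith(".exe") and USER_WRITABLE.search(exe_path):
        findings.append(("exe_from_user_profile", exe_path))
    return findings


def triage(cmdlines):
    """Classify every line and report whether the 3-step UAC bypass is complete."""
    findings = [(i, rule, detail)
                for i, c in enumerate(cmdlines) for rule, detail in classify(c)]
    rules = {rule for _, rule, _ in findings}
    return {"findings": findings,
            "uac_bypass_chain_complete": UAC_BYPASS_CHAIN <= rules}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for i, rule, detail in result["findings"]:
        print(f"[{i}] {rule}: {detail}")
    print("UAC bypass chain complete:", result["uac_bypass_chain_complete"])
```

The correlation step matters more than any single rule: a lone reg add under HKCU\Software\Classes is common in benign installers, but the handler command plus a DelegateExecute value followed by an auto-elevating binary is the bypass itself, and that is the combination worth alerting on.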
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 172.67.146.76:443 | textpubshiers.top | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| IE | 52.211.130.173:80 | checkip.amazonaws.com | tcp |
| US | 172.67.146.76:443 | textpubshiers.top | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
The in-addr.arpa queries are reverse (PTR) lookups of contacted IPs and are not indicators in themselves, and tse1.mm.bing.net is Windows search/Start-menu background traffic; neither should be attributed to the sample. discord.com, raw.githubusercontent.com and checkip.amazonaws.com are accounted for by the signatures above. textpubshiers.top (172.67.146.76, a Cloudflare-fronted address) is the only contacted host no signature explains and is the indicator to pivot on first.
Files
memory/3968-0-0x0000000000EA0000-0x0000000000EAC000-memory.dmp
memory/3968-1-0x0000000002BD0000-0x0000000002BEA000-memory.dmp
memory/3968-2-0x0000000074FE0000-0x0000000075791000-memory.dmp
memory/3968-3-0x0000000005100000-0x0000000005110000-memory.dmp
memory/3968-4-0x0000000002A00000-0x0000000002A0A000-memory.dmp
memory/3968-5-0x0000000005110000-0x00000000051A2000-memory.dmp
memory/3968-6-0x0000000005760000-0x0000000005D06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\italypear9209580.vbs
| MD5 | a34267102c21aff46aecc85598924544 |
| SHA1 | 77268af47c6a4b9c6be7f7487b2c9b233d49d435 |
| SHA256 | eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44 |
| SHA512 | 5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3 |
memory/3968-9-0x000000000ADA0000-0x000000000B9A0000-memory.dmp
memory/3968-10-0x0000000011B20000-0x00000000127C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
| MD5 | 6f2fdecc48e7d72ca1eb7f17a97e59ad |
| SHA1 | fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056 |
| SHA256 | 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809 |
| SHA512 | fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b |
The Temp\Costura\<hash>\32 path is where .NET assemblies packed with Costura.Fody unpack their embedded native DLLs at run time, so updater.exe is a 32-bit .NET binary; a bundled sqlite.interop.dll fits the browser-profile reads, since Chromium and Firefox keep credentials, cookies and history in SQLite databases.
C:\Users\Admin\AppData\Local\Temp\lshyp4e4.exe
| MD5 | e898826598a138f86f2aa80c0830707a |
| SHA1 | 1e912a5671f7786cc077f83146a0484e5a78729c |
| SHA256 | df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a |
| SHA512 | 6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb |
memory/3296-24-0x0000000000670000-0x0000000000678000-memory.dmp
memory/3296-25-0x0000000000690000-0x0000000000691000-memory.dmp
memory/3296-26-0x0000000000670000-0x0000000000678000-memory.dmp
memory/3296-28-0x0000000000670000-0x0000000000678000-memory.dmp
memory/3968-30-0x0000000074FE0000-0x0000000075791000-memory.dmp
memory/3296-29-0x0000000000670000-0x0000000000678000-memory.dmp
memory/3968-36-0x00000000091B0000-0x00000000091C2000-memory.dmp
memory/3968-37-0x0000000005100000-0x0000000005110000-memory.dmp
memory/3968-38-0x0000000007E80000-0x0000000007EE6000-memory.dmp
memory/3968-39-0x0000000008D80000-0x0000000008D8A000-memory.dmp
memory/3968-41-0x0000000009310000-0x000000000931A000-memory.dmp
memory/3968-40-0x0000000005100000-0x0000000005110000-memory.dmp
memory/3968-42-0x0000000009370000-0x000000000937C000-memory.dmp
memory/3968-43-0x0000000009600000-0x0000000009608000-memory.dmp
C:\Users\Admin\AppData\Roaming\Gongle\aH22Q4XCG7\d8xutbrp.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
| MD5 | d9e1e97ddb87b15911ec55814c490890 |
| SHA1 | b849942433f87a6584891bfaba400a563ecc9c39 |
| SHA256 | c3b6213b24c423b8e6d80e8a2356fcff80b3c89c47583c0f679ae8405c8cfe61 |
| SHA512 | 9ee646fbcd7010ea9c156d8b92f3de97505aa31eab96d2382be1c9223687d837e56274bf92414f73c1a07f84002f42fce89fe1d4627d5302ddd7ec347956a534 |
C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\LOG
| MD5 | a0b9f93e1ef956197a5eaccf3b047f2b |
| SHA1 | 5a9d624d058cbff732f541ba0003705eae0ee4de |
| SHA256 | ff4e5f6192853b8791e22c6038c447bcfbc771a98175ffe1b7f111a08ee86b04 |
| SHA512 | 21d699ee8b5480b6680450b4bb959cac2dffe65022385beb12eae7eef216580c23d4bac2e9aafc9479ba1e64f6de48b2a48991734af140d7419771add4adb0f2 |
C:\Users\Admin\AppData\Roaming\Gongle\aILN8V5K3N\LOG.old
| MD5 | daa36c973d0b6c36325c85766b98222f |
| SHA1 | c608612a6f3ba26ea112139a08cceea21defc5b4 |
| SHA256 | 1c14985e225407d0f6a215330fa6fcbc8cf77359353323c21b2938353c24e5f9 |
| SHA512 | ecef9e833d32076f973ff6dde80ac3c17260fb11261745d22769b43e4fcc336d3bb73ff0019c29580b7eb68118b831063a59e135853784588f6bf4be18555d7b |
C:\Users\Admin\AppData\Roaming\Gongle\aTZ1Y40P98\LOG
| MD5 | 193946a7ac1cfeec1f3aca3c88a831ce |
| SHA1 | 3450b937af7b470ff49329e773dcbd17bb7a9fe8 |
| SHA256 | ebd84e2b558af50da68954c3f69c382b8f3bb367524360a38d2b8f133e390aaa |
| SHA512 | 541ba79ea39dff6c8d453ee3d46a34cf7712ed8e49c563e2dc0ab6281ac4a3bf5a948f6896846e1536e0a9f8b17feb31d7b2f43dc89450ae32b1a7eda4c033b9 |
C:\Users\Admin\AppData\Roaming\Gongle\aTZ1Y40P98\LOG.old
| MD5 | 7b29089738ed5dae5f166c2b68b37ffd |
| SHA1 | dda409e0d91b60a5df11ee39872091d0f0ed450c |
| SHA256 | 99428899961da93d601d5839c0bc03d952cc83298bac963fc4429cf1cee602d6 |
| SHA512 | e34225c462ff6c6bdfde200f4b071e3b4b400355b185deabb35bd32f5316eefad3ca53aeb696a82a93718fd8fc15fda0a54d99088cf2ac72502803ae42b5768b |
The Roaming\Gongle\<random> directories look like copied browser storage rather than the sample's own configuration: CURRENT, MANIFEST-000001, LOG and LOG.old are the files of a LevelDB database (the format Chromium uses for Local Storage and IndexedDB), and d8xutbrp.default-release\storage\permanent\chrome\idb is the internal IndexedDB store of a Firefox profile. Treat them as staged victim data when scoping impact.
memory/3968-171-0x0000000006840000-0x00000000068F2000-memory.dmp
memory/3968-172-0x0000000006950000-0x0000000006972000-memory.dmp
memory/3968-173-0x000000000DDE0000-0x000000000DE56000-memory.dmp
memory/3968-174-0x0000000007F30000-0x0000000007F4E000-memory.dmp
memory/3968-175-0x000000000DEB0000-0x000000000DF00000-memory.dmp
memory/3968-176-0x000000000DF00000-0x000000000DF6A000-memory.dmp
memory/3968-177-0x000000000DF70000-0x000000000E2C7000-memory.dmp
memory/3968-178-0x000000000E2D0000-0x000000000E31C000-memory.dmp
memory/3968-182-0x000000000E390000-0x000000000E3CC000-memory.dmp
memory/3968-183-0x000000000E350000-0x000000000E371000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9d7cda0b92b54a30b905eade8a19c091
| MD5 | e5e8a9a76a935750894088ce3cd50b7f |
| SHA1 | 8b28c604d2dd440cf3cc1890d1b2fe7b69295a2a |
| SHA256 | 872b33fbe9772a1a2d8b2e116b2cfcbc0b1d3f54e71c85260944ae25b56d9de8 |
| SHA512 | bed5373de1f3a1f6fd2705fb548c1eacb773523d165efd15ce252ddbbb9fa05ab461504c65708bab9f3bcdcb418da5de84a59c3b2d16d6b1c3b934a477fc0925 |
C:\Users\Admin\AppData\Local\Temp\6883574786654106ad21173ff79309df
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
memory/3968-198-0x000000000E420000-0x000000000E42A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\61898dd936c6414c8d07f9d23e26cec4
| MD5 | 4e7d153e64569884f71e68f8864053b5 |
| SHA1 | 1a3111816c024e93dab39a8eaaf9aa1932f123e2 |
| SHA256 | 46fa5beb32190b0eb38af53b350c01a0892a802293c6a99d660fa33a7b47fdf0 |
| SHA512 | 9e5f16ad50ee0d3d4e11eda771e9ea8a8b2da28694a377d773e4e529f7a015f3141d0087a02c90f0c803c3c9b5aab8a80d1a70fca6e19f2e83481a96db3a112d |
memory/3968-202-0x0000000005100000-0x0000000005110000-memory.dmp