Malware Analysis Report

2025-01-22 18:58

Sample ID 240316-h9wxbsee5y
Target cd7789c26335971a36bbed7579428a03
SHA256 f0981951e7fa784ed2f98e37814875f159531e50e96edbd7efd75b2355829097
Tags
upx isfb gozi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0981951e7fa784ed2f98e37814875f159531e50e96edbd7efd75b2355829097

Threat Level: Known bad

The file cd7789c26335971a36bbed7579428a03 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Executes dropped EXE

Deletes itself

UPX packed file

Loads dropped DLL

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-16 07:26

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 07:26

Reported

2024-03-16 07:29

Platform

win7-20240215-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gth88338.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\gth88338.exe | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
File created | C:\Windows\SysWOW64\mmsfc1.dll | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mmsfc1.dll | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
File created | C:\Windows\SysWOW64\ComRes.dll | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\fOntS\ComRes.dll | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
File created | C:\Windows\fOntS\gth88338.ttf | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
File created | C:\Windows\fOntS\gth88338.fon | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\gth88338.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\gth88338.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gth88338.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\gth88338.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe

"C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe"

C:\Windows\SysWOW64\gth88338.exe

C:\Windows\system32\gth88338.exe C:\Windows\fOntS\ComRes.dll ins C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe

Network

N/A

Files

memory/2404-0-0x0000000000400000-0x0000000000437000-memory.dmp

\Windows\SysWOW64\mmsfc1.dll

MD5 84799328d87b3091a3bdd251e1ad31f9
SHA1 64dbbe8210049f4d762de22525a7fe4313bf99d0
SHA256 f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b
SHA512 0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

\Windows\SysWOW64\gth88338.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

memory/2404-12-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\fOntS\ComRes.dll

MD5 615d4a31846add4208fc9e861e615954
SHA1 80d5324d7d1aacf800efd008b2f23d59531ff5e3
SHA256 097747eb5f1ccd26f2702c00f203e8c34bd9f7b914edcc02ccabf4538e8aaf07
SHA512 9648c3b0c82295ed2a6db8c2562e24b9f52c4861e0df76273b8fa93581d9d5c2a189a0a73ab7209bb039c489ec0b9274b0833b7f5d57a859bc69656c0a4966c4

memory/1712-18-0x0000000010000000-0x0000000010016000-memory.dmp

memory/1712-20-0x0000000010000000-0x0000000010016000-memory.dmp

memory/1712-21-0x0000000010000000-0x0000000010016000-memory.dmp

C:\Windows\fOntS\gth88338.ttf

MD5 5dd5ed0c6724f9a0dd1bfe5675d914b5
SHA1 fcb7eecc7e45195c8beacb59c9c2f77b79b6b861
SHA256 724c93f1f6844beb70c6317f83eb0b06c0fae92b85b6ed00ef41861703a54859
SHA512 6356d8435dfc96bf1fafe7f3d7582bd4ac24c174ffe8e5cd55d45ff8e37bd610c115e63d906e484465604a719f04ebf7139255bf621bf0f5723a4ebeb3c7998e

C:\Windows\fOntS\gth88338.fon

MD5 ba093df63bbef63a4d0df6091d5bd331
SHA1 6220f24d319439ed285b0b607759c240768c95de
SHA256 224cab812fefcb019c3034f89f8b44f47d4a1166633e927027d8092f8b926605
SHA512 73b65e8a6681a6cf6130e4a72214c00a5c6a71d9ff1fb405e848beedd78b0b3e4735f3d94756c409750bc526bafbc6322ad01ec29079740083fd5741e386a3e8

memory/1712-25-0x00000000001E0000-0x00000000001EE000-memory.dmp

memory/1712-26-0x0000000010000000-0x0000000010016000-memory.dmp

memory/1712-27-0x00000000001E0000-0x00000000001EE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 07:26

Reported

2024-03-16 07:29

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gth88338.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gth88338.exe | N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\gth88338.exe | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
File created | C:\Windows\SysWOW64\mmsfc1.dll | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
File opened for modification | C:\Windows\SysWOW64\mmsfc1.dll | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
File created | C:\Windows\SysWOW64\ComRes.dll | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\fOntS\gth88338.fon | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
File created | C:\Windows\fOntS\ComRes.dll | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A
File created | C:\Windows\fOntS\gth88338.ttf | C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\gth88338.exe

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\gth88338.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe

"C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe"

C:\Windows\SysWOW64\gth88338.exe

C:\Windows\system32\gth88338.exe C:\Windows\fOntS\ComRes.dll ins C:\Users\Admin\AppData\Local\Temp\cd7789c26335971a36bbed7579428a03.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3988 -ip 3988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 404

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp

Files

memory/3584-0-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\mmsfc1.dll

MD5 98c499fccb739ab23b75c0d8b98e0481
SHA1 0ef5c464823550d5f53dd485e91dabc5d5a1ba0a
SHA256 d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087
SHA512 9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

C:\Windows\SysWOW64\gth88338.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/3584-11-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\fOntS\ComRes.dll

MD5 615d4a31846add4208fc9e861e615954
SHA1 80d5324d7d1aacf800efd008b2f23d59531ff5e3
SHA256 097747eb5f1ccd26f2702c00f203e8c34bd9f7b914edcc02ccabf4538e8aaf07
SHA512 9648c3b0c82295ed2a6db8c2562e24b9f52c4861e0df76273b8fa93581d9d5c2a189a0a73ab7209bb039c489ec0b9274b0833b7f5d57a859bc69656c0a4966c4

memory/3988-15-0x0000000010000000-0x0000000010016000-memory.dmp

C:\Windows\fOntS\gth88338.ttf

MD5 5dd5ed0c6724f9a0dd1bfe5675d914b5
SHA1 fcb7eecc7e45195c8beacb59c9c2f77b79b6b861
SHA256 724c93f1f6844beb70c6317f83eb0b06c0fae92b85b6ed00ef41861703a54859
SHA512 6356d8435dfc96bf1fafe7f3d7582bd4ac24c174ffe8e5cd55d45ff8e37bd610c115e63d906e484465604a719f04ebf7139255bf621bf0f5723a4ebeb3c7998e

memory/3988-19-0x0000000001600000-0x000000000160E000-memory.dmp

C:\Windows\fOntS\gth88338.fon

MD5 ba093df63bbef63a4d0df6091d5bd331
SHA1 6220f24d319439ed285b0b607759c240768c95de
SHA256 224cab812fefcb019c3034f89f8b44f47d4a1166633e927027d8092f8b926605
SHA512 73b65e8a6681a6cf6130e4a72214c00a5c6a71d9ff1fb405e848beedd78b0b3e4735f3d94756c409750bc526bafbc6322ad01ec29079740083fd5741e386a3e8

memory/3988-20-0x0000000001600000-0x000000000160E000-memory.dmp