Analysis
-
max time kernel
95s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
31-05-2024 02:36
General
-
Target
c2a40adec16657aa9663ab3fc3dc9f6e4862c17c9561e993da10646c996129f8.exe
-
Size
163KB
-
MD5
e04d8d4b317d6f979c60170854799d76
-
SHA1
fe0e3ecf0dbdca71ca45447d2236f95f8570fc1c
-
SHA256
c2a40adec16657aa9663ab3fc3dc9f6e4862c17c9561e993da10646c996129f8
-
SHA512
55872cbb74dd8206eb48722f5bb04ae02e4c3b6e1176477bbe251afd3a9816af7e67001d5769cff59a0612ee8325c5786cd38b4c0d9025516d34587e6fd108bf
-
SSDEEP
1536:PPB1OIJrr8Bmkq7wb/U6u5wmlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:B1OCrbyMKmltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Detects executables built or packed with MPress PE compressor 64 IoCs
-
UPX dump on OEP (original entry point) 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\572178285\zmstage.exeC:\Users\Admin\AppData\Local\Temp\572178285\zmstage.exe1⤵
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\c2a40adec16657aa9663ab3fc3dc9f6e4862c17c9561e993da10646c996129f8.exe"C:\Users\Admin\AppData\Local\Temp\c2a40adec16657aa9663ab3fc3dc9f6e4862c17c9561e993da10646c996129f8.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hfjmgdlf.exeC:\Windows\system32\Hfjmgdlf.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hmdedo32.exeC:\Windows\system32\Hmdedo32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hpbaqj32.exeC:\Windows\system32\Hpbaqj32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hbanme32.exeC:\Windows\system32\Hbanme32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hfljmdjc.exeC:\Windows\system32\Hfljmdjc.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hjhfnccl.exeC:\Windows\system32\Hjhfnccl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hmfbjnbp.exeC:\Windows\system32\Hmfbjnbp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Himcoo32.exeC:\Windows\system32\Himcoo32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hadkpm32.exeC:\Windows\system32\Hadkpm32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hjmoibog.exeC:\Windows\system32\Hjmoibog.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Haggelfd.exeC:\Windows\system32\Haggelfd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hcedaheh.exeC:\Windows\system32\Hcedaheh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hjolnb32.exeC:\Windows\system32\Hjolnb32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Haidklda.exeC:\Windows\system32\Haidklda.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ibjqcd32.exeC:\Windows\system32\Ibjqcd32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Iidipnal.exeC:\Windows\system32\Iidipnal.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ipnalhii.exeC:\Windows\system32\Ipnalhii.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ifhiib32.exeC:\Windows\system32\Ifhiib32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Imbaemhc.exeC:\Windows\system32\Imbaemhc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Icljbg32.exeC:\Windows\system32\Icljbg32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ifjfnb32.exeC:\Windows\system32\Ifjfnb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Iiibkn32.exeC:\Windows\system32\Iiibkn32.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ipckgh32.exeC:\Windows\system32\Ipckgh32.exe24⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Idofhfmm.exeC:\Windows\system32\Idofhfmm.exe25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ijhodq32.exeC:\Windows\system32\Ijhodq32.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iabgaklg.exeC:\Windows\system32\Iabgaklg.exe27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ibccic32.exeC:\Windows\system32\Ibccic32.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Iinlemia.exeC:\Windows\system32\Iinlemia.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jaedgjjd.exeC:\Windows\system32\Jaedgjjd.exe30⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jbfpobpb.exeC:\Windows\system32\Jbfpobpb.exe31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jiphkm32.exeC:\Windows\system32\Jiphkm32.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jdemhe32.exeC:\Windows\system32\Jdemhe32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Jbhmdbnp.exeC:\Windows\system32\Jbhmdbnp.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jibeql32.exeC:\Windows\system32\Jibeql32.exe35⤵
-
C:\Windows\SysWOW64\Jmnaakne.exeC:\Windows\system32\Jmnaakne.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jplmmfmi.exeC:\Windows\system32\Jplmmfmi.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jfffjqdf.exeC:\Windows\system32\Jfffjqdf.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jidbflcj.exeC:\Windows\system32\Jidbflcj.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jmpngk32.exeC:\Windows\system32\Jmpngk32.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jdjfcecp.exeC:\Windows\system32\Jdjfcecp.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jbmfoa32.exeC:\Windows\system32\Jbmfoa32.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jkdnpo32.exeC:\Windows\system32\Jkdnpo32.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jmbklj32.exeC:\Windows\system32\Jmbklj32.exe44⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Jpaghf32.exeC:\Windows\system32\Jpaghf32.exe45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jbocea32.exeC:\Windows\system32\Jbocea32.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Jiikak32.exeC:\Windows\system32\Jiikak32.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kaqcbi32.exeC:\Windows\system32\Kaqcbi32.exe48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kdopod32.exeC:\Windows\system32\Kdopod32.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kbapjafe.exeC:\Windows\system32\Kbapjafe.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kgmlkp32.exeC:\Windows\system32\Kgmlkp32.exe51⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kilhgk32.exeC:\Windows\system32\Kilhgk32.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kacphh32.exeC:\Windows\system32\Kacphh32.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kkkdan32.exeC:\Windows\system32\Kkkdan32.exe54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kmjqmi32.exeC:\Windows\system32\Kmjqmi32.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kdcijcke.exeC:\Windows\system32\Kdcijcke.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kbfiep32.exeC:\Windows\system32\Kbfiep32.exe57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kknafn32.exeC:\Windows\system32\Kknafn32.exe58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kagichjo.exeC:\Windows\system32\Kagichjo.exe59⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kdffocib.exeC:\Windows\system32\Kdffocib.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kkpnlm32.exeC:\Windows\system32\Kkpnlm32.exe61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kmnjhioc.exeC:\Windows\system32\Kmnjhioc.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kajfig32.exeC:\Windows\system32\Kajfig32.exe63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lmqgnhmp.exeC:\Windows\system32\Lmqgnhmp.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lpocjdld.exeC:\Windows\system32\Lpocjdld.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lcmofolg.exeC:\Windows\system32\Lcmofolg.exe66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Liggbi32.exeC:\Windows\system32\Liggbi32.exe67⤵
-
C:\Windows\SysWOW64\Laopdgcg.exeC:\Windows\system32\Laopdgcg.exe68⤵
-
C:\Windows\SysWOW64\Ldmlpbbj.exeC:\Windows\system32\Ldmlpbbj.exe69⤵
-
C:\Windows\SysWOW64\Lgkhlnbn.exeC:\Windows\system32\Lgkhlnbn.exe70⤵
-
C:\Windows\SysWOW64\Lijdhiaa.exeC:\Windows\system32\Lijdhiaa.exe71⤵
-
C:\Windows\SysWOW64\Laalifad.exeC:\Windows\system32\Laalifad.exe72⤵
-
C:\Windows\SysWOW64\Lpcmec32.exeC:\Windows\system32\Lpcmec32.exe73⤵
-
C:\Windows\SysWOW64\Ldohebqh.exeC:\Windows\system32\Ldohebqh.exe74⤵
-
C:\Windows\SysWOW64\Lgneampk.exeC:\Windows\system32\Lgneampk.exe75⤵
-
C:\Windows\SysWOW64\Lilanioo.exeC:\Windows\system32\Lilanioo.exe76⤵
-
C:\Windows\SysWOW64\Lpfijcfl.exeC:\Windows\system32\Lpfijcfl.exe77⤵
-
C:\Windows\SysWOW64\Lcdegnep.exeC:\Windows\system32\Lcdegnep.exe78⤵
-
C:\Windows\SysWOW64\Lklnhlfb.exeC:\Windows\system32\Lklnhlfb.exe79⤵
-
C:\Windows\SysWOW64\Lnjjdgee.exeC:\Windows\system32\Lnjjdgee.exe80⤵
-
C:\Windows\SysWOW64\Laefdf32.exeC:\Windows\system32\Laefdf32.exe81⤵
-
C:\Windows\SysWOW64\Lddbqa32.exeC:\Windows\system32\Lddbqa32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Lknjmkdo.exeC:\Windows\system32\Lknjmkdo.exe83⤵
-
C:\Windows\SysWOW64\Mjqjih32.exeC:\Windows\system32\Mjqjih32.exe84⤵
-
C:\Windows\SysWOW64\Mahbje32.exeC:\Windows\system32\Mahbje32.exe85⤵
-
C:\Windows\SysWOW64\Mdfofakp.exeC:\Windows\system32\Mdfofakp.exe86⤵
-
C:\Windows\SysWOW64\Mkpgck32.exeC:\Windows\system32\Mkpgck32.exe87⤵
-
C:\Windows\SysWOW64\Mnocof32.exeC:\Windows\system32\Mnocof32.exe88⤵
-
C:\Windows\SysWOW64\Majopeii.exeC:\Windows\system32\Majopeii.exe89⤵
-
C:\Windows\SysWOW64\Mcklgm32.exeC:\Windows\system32\Mcklgm32.exe90⤵
-
C:\Windows\SysWOW64\Mkbchk32.exeC:\Windows\system32\Mkbchk32.exe91⤵
-
C:\Windows\SysWOW64\Mjeddggd.exeC:\Windows\system32\Mjeddggd.exe92⤵
-
C:\Windows\SysWOW64\Mnapdf32.exeC:\Windows\system32\Mnapdf32.exe93⤵
-
C:\Windows\SysWOW64\Mpolqa32.exeC:\Windows\system32\Mpolqa32.exe94⤵
-
C:\Windows\SysWOW64\Mkepnjng.exeC:\Windows\system32\Mkepnjng.exe95⤵
-
C:\Windows\SysWOW64\Mjhqjg32.exeC:\Windows\system32\Mjhqjg32.exe96⤵
-
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe97⤵
-
C:\Windows\SysWOW64\Mcpebmkb.exeC:\Windows\system32\Mcpebmkb.exe98⤵
-
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe99⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Mjjmog32.exeC:\Windows\system32\Mjjmog32.exe100⤵
-
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe101⤵
-
C:\Windows\SysWOW64\Maaepd32.exeC:\Windows\system32\Maaepd32.exe102⤵
-
C:\Windows\SysWOW64\Mdpalp32.exeC:\Windows\system32\Mdpalp32.exe103⤵
-
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe104⤵
-
C:\Windows\SysWOW64\Nkjjij32.exeC:\Windows\system32\Nkjjij32.exe105⤵
-
C:\Windows\SysWOW64\Ngpjnkpf.exeC:\Windows\system32\Ngpjnkpf.exe106⤵
-
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe107⤵
-
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe108⤵
-
C:\Windows\SysWOW64\Nafokcol.exeC:\Windows\system32\Nafokcol.exe109⤵
-
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe110⤵
-
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe111⤵
-
C:\Windows\SysWOW64\Nkncdifl.exeC:\Windows\system32\Nkncdifl.exe112⤵
-
C:\Windows\SysWOW64\Nnmopdep.exeC:\Windows\system32\Nnmopdep.exe113⤵
-
C:\Windows\SysWOW64\Nqklmpdd.exeC:\Windows\system32\Nqklmpdd.exe114⤵
-
C:\Windows\SysWOW64\Ncihikcg.exeC:\Windows\system32\Ncihikcg.exe115⤵
-
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Nkqpjidj.exeC:\Windows\system32\Nkqpjidj.exe117⤵
-
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe118⤵
-
C:\Windows\SysWOW64\Nbkhfc32.exeC:\Windows\system32\Nbkhfc32.exe119⤵
-
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe120⤵
-
C:\Windows\SysWOW64\Ncldnkae.exeC:\Windows\system32\Ncldnkae.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-