gozi | 336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798

General

Target

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
Size

526KB
MD5

7afb45ac5810698b4f3d8bc49e5d02c9
SHA1

82ac0b36bc447b697a907067a4163f4904d8ab25
SHA256

336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798
SHA512

d867f302850a493d0424ad18b2adb110704c7eafde5a1fbb0eef9f109d366d0758bddbece0b8a0a0d5482b5ccf39e0dadff9dc143162eb5710c8639acc88db21
SSDEEP

12288:Y3oGlmVDxLpA4pxc7wak9J5Q4xyhdG0++sVMJG2T7D/mxeT6xY:bVDZi4QEakn5PS+yFTXmAOxY

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215798

rsa_pubkey.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Executes dropped EXE 2 IoCs

Processes:

cmpblayx.execmpblayx.exe

pid process

2564 cmpblayx.exe
2596 cmpblayx.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2512 cmd.exe
2512 cmd.exe

pid	process
2564	cmpblayx.exe
2596	cmpblayx.exe

pid	process
2512	cmd.exe
2512	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmlubact = "C:\\Users\\Admin\\AppData\\Roaming\\comptdll\\cmpblayx.exe"	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.execmpblayx.execmpblayx.exesvchost.exe

description	pid	process	target process
PID 1936 set thread context of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2564 set thread context of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2596 set thread context of 2576	2596	cmpblayx.exe	svchost.exe
PID 2576 set thread context of 1064	2576	svchost.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cmpblayx.exeExplorer.EXE

pid process

2596 cmpblayx.exe
1064 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

cmpblayx.exesvchost.exe

pid process

2596 cmpblayx.exe
2576 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

1064 Explorer.EXE

pid	process
2596	cmpblayx.exe
1064	Explorer.EXE

pid	process
2596	cmpblayx.exe
2576	svchost.exe

pid	process
1064	Explorer.EXE

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exeVirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.execmd.execmd.execmpblayx.execmpblayx.exesvchost.exe

description	pid	process	target process
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1936 wrote to memory of 2172	1936	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2172 wrote to memory of 2608	2172	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 2172 wrote to memory of 2608	2172	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 2172 wrote to memory of 2608	2172	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 2172 wrote to memory of 2608	2172	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 2608 wrote to memory of 2512	2608	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2512	2608	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2512	2608	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2512	2608	cmd.exe	cmd.exe
PID 2512 wrote to memory of 2564	2512	cmd.exe	cmpblayx.exe
PID 2512 wrote to memory of 2564	2512	cmd.exe	cmpblayx.exe
PID 2512 wrote to memory of 2564	2512	cmd.exe	cmpblayx.exe
PID 2512 wrote to memory of 2564	2512	cmd.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2564 wrote to memory of 2596	2564	cmpblayx.exe	cmpblayx.exe
PID 2596 wrote to memory of 2576	2596	cmpblayx.exe	svchost.exe
PID 2596 wrote to memory of 2576	2596	cmpblayx.exe	svchost.exe
PID 2596 wrote to memory of 2576	2596	cmpblayx.exe	svchost.exe
PID 2596 wrote to memory of 2576	2596	cmpblayx.exe	svchost.exe
PID 2596 wrote to memory of 2576	2596	cmpblayx.exe	svchost.exe
PID 2596 wrote to memory of 2576	2596	cmpblayx.exe	svchost.exe
PID 2596 wrote to memory of 2576	2596	cmpblayx.exe	svchost.exe
PID 2576 wrote to memory of 1064	2576	svchost.exe	Explorer.EXE
PID 2576 wrote to memory of 1064	2576	svchost.exe	Explorer.EXE
PID 2576 wrote to memory of 1064	2576	svchost.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe"
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9398\49CC.bat" "C:\Users\Admin\AppData\Roaming\comptdll\cmpblayx.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\comptdll\cmpblayx.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE""
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Roaming\comptdll\cmpblayx.exe
"C:\Users\Admin\AppData\Roaming\comptdll\cmpblayx.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Roaming\comptdll\cmpblayx.exe
"C:\Users\Admin\AppData\Roaming\comptdll\cmpblayx.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2576

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9398\49CC.bat
Filesize
112B

MD5
bc4c3727921caebc91486873210adb33

SHA1
77757c393a18c9ca1f8bde552b7d8c9d4e1298db

SHA256
1fc9a358244176146017e89b5cca4600de01d686e98db7fa29b6f5cd13acc7c0

SHA512
ba60cc50d0fa533631c45a1c408b9562a744683ef844f408f29331b4ec7cd227fbb681e2215b56b403041a489273da93f17907c7a0df743d1225f973d260943e

Download Submit
\Users\Admin\AppData\Roaming\comptdll\cmpblayx.exe
Filesize
526KB

MD5
7afb45ac5810698b4f3d8bc49e5d02c9

SHA1
82ac0b36bc447b697a907067a4163f4904d8ab25

SHA256
336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798

SHA512
d867f302850a493d0424ad18b2adb110704c7eafde5a1fbb0eef9f109d366d0758bddbece0b8a0a0d5482b5ccf39e0dadff9dc143162eb5710c8639acc88db21

Download Submit
memory/1064-71-0x00000000051B0000-0x00000000052B4000-memory.dmp

Filesize
1.0MB

Download
memory/1064-73-0x00000000051B0000-0x00000000052B4000-memory.dmp

Filesize
1.0MB

Download
memory/1064-72-0x00000000051B0000-0x00000000052B4000-memory.dmp

Filesize
1.0MB

Download
memory/1064-74-0x00000000051B0000-0x00000000052B4000-memory.dmp

Filesize
1.0MB

Download
memory/1064-62-0x00000000051B0000-0x00000000052B4000-memory.dmp

Filesize
1.0MB

Download
memory/2172-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2172-10-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2172-17-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2172-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2172-29-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2172-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2172-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2172-16-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2172-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-8-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2172-6-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2576-54-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-63-0x00000000003B0000-0x00000000004B4000-memory.dmp

Filesize
1.0MB

Download
memory/2576-57-0x00000000003B0000-0x00000000004B4000-memory.dmp

Filesize
1.0MB

Download
memory/2596-61-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2596-53-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads