gozi | 336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798

General

Target

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
Size

526KB
MD5

7afb45ac5810698b4f3d8bc49e5d02c9
SHA1

82ac0b36bc447b697a907067a4163f4904d8ab25
SHA256

336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798
SHA512

d867f302850a493d0424ad18b2adb110704c7eafde5a1fbb0eef9f109d366d0758bddbece0b8a0a0d5482b5ccf39e0dadff9dc143162eb5710c8639acc88db21
SSDEEP

12288:Y3oGlmVDxLpA4pxc7wak9J5Q4xyhdG0++sVMJG2T7D/mxeT6xY:bVDZi4QEakn5PS+yFTXmAOxY

Score

10^/10

gozi banker isfb persistence trojan

Malware Config

Extracted

Family

gozi

Attributes

build
215798

rsa_pubkey.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe

Executes dropped EXE 2 IoCs

Processes:

CIWmnect.exeCIWmnect.exe

pid process

1460 CIWmnect.exe
4680 CIWmnect.exe

pid	process
1460	CIWmnect.exe
4680	CIWmnect.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avifApis = "C:\\Users\\Admin\\AppData\\Roaming\\AzSqcatq\\CIWmnect.exe"	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exeCIWmnect.exeCIWmnect.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 2208 set thread context of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 1460 set thread context of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 4680 set thread context of 4440	4680	CIWmnect.exe	svchost.exe
PID 4440 set thread context of 3432	4440	svchost.exe	Explorer.EXE
PID 3432 set thread context of 3892	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 set thread context of 3672	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 set thread context of 4844	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 set thread context of 1812	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 set thread context of 3196	3432	Explorer.EXE	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exeCIWmnect.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	CIWmnect.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	CIWmnect.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

CIWmnect.exeExplorer.EXE

pid process

4680 CIWmnect.exe
4680 CIWmnect.exe
3432 Explorer.EXE
3432 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

CIWmnect.exesvchost.exeExplorer.EXE

pid process

4680 CIWmnect.exe
4440 svchost.exe
3432 Explorer.EXE
3432 Explorer.EXE
3432 Explorer.EXE
3432 Explorer.EXE
3432 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3432 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3432 Explorer.EXE

pid	process
4680	CIWmnect.exe
4680	CIWmnect.exe
3432	Explorer.EXE
3432	Explorer.EXE

pid	process
4680	CIWmnect.exe
4440	svchost.exe
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE
3432	Explorer.EXE

pid	process
3432	Explorer.EXE

pid	process
3432	Explorer.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exeVirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.execmd.execmd.exeCIWmnect.exeCIWmnect.exesvchost.exeExplorer.EXE

description	pid	process	target process
PID 2208 wrote to memory of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2208 wrote to memory of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2208 wrote to memory of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2208 wrote to memory of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2208 wrote to memory of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2208 wrote to memory of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2208 wrote to memory of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2208 wrote to memory of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2208 wrote to memory of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 2208 wrote to memory of 4652	2208	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
PID 4652 wrote to memory of 3248	4652	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 4652 wrote to memory of 3248	4652	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 4652 wrote to memory of 3248	4652	VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe	cmd.exe
PID 3248 wrote to memory of 4448	3248	cmd.exe	cmd.exe
PID 3248 wrote to memory of 4448	3248	cmd.exe	cmd.exe
PID 3248 wrote to memory of 4448	3248	cmd.exe	cmd.exe
PID 4448 wrote to memory of 1460	4448	cmd.exe	CIWmnect.exe
PID 4448 wrote to memory of 1460	4448	cmd.exe	CIWmnect.exe
PID 4448 wrote to memory of 1460	4448	cmd.exe	CIWmnect.exe
PID 1460 wrote to memory of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 1460 wrote to memory of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 1460 wrote to memory of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 1460 wrote to memory of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 1460 wrote to memory of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 1460 wrote to memory of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 1460 wrote to memory of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 1460 wrote to memory of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 1460 wrote to memory of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 1460 wrote to memory of 4680	1460	CIWmnect.exe	CIWmnect.exe
PID 4680 wrote to memory of 4440	4680	CIWmnect.exe	svchost.exe
PID 4680 wrote to memory of 4440	4680	CIWmnect.exe	svchost.exe
PID 4680 wrote to memory of 4440	4680	CIWmnect.exe	svchost.exe
PID 4680 wrote to memory of 4440	4680	CIWmnect.exe	svchost.exe
PID 4680 wrote to memory of 4440	4680	CIWmnect.exe	svchost.exe
PID 4440 wrote to memory of 3432	4440	svchost.exe	Explorer.EXE
PID 4440 wrote to memory of 3432	4440	svchost.exe	Explorer.EXE
PID 4440 wrote to memory of 3432	4440	svchost.exe	Explorer.EXE
PID 3432 wrote to memory of 3892	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 3892	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 3892	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 3672	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 3672	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 3672	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 4844	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 4844	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 4844	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 1812	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 1812	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 1812	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 3196	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 3196	3432	Explorer.EXE	RuntimeBroker.exe
PID 3432 wrote to memory of 3196	3432	Explorer.EXE	RuntimeBroker.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_7afb45ac5810698b4f3d8bc49e5d02c9.exe"
3⤵
- Checks computer location settings
- Adds Run key to start application
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F0D8\786C.bat" "C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE""
4⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\cmd.exe
cmd /C ""C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE""
5⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe
"C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe" "C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe
"C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F0D8\786C.bat
Filesize
112B

MD5
0619f293e5876b45272c446e1a038250

SHA1
c94896d2735f936c541368b9d7ca0d9b44f64a3f

SHA256
8e020197ebc9c7be9e6556fb29c2de9aeb0ec4fb85cfbbfe616478d8138aa4df

SHA512
cd57494ebfb668a2c1ec751bc9fb2ca4b7025b90166dd16551734db3b817c9d04810231e9c2988f5e78db138e36acc930c79236f423e7cb1d5926864b147cc08

Download Submit
C:\Users\Admin\AppData\Roaming\AzSqcatq\CIWmnect.exe
Filesize
526KB

MD5
7afb45ac5810698b4f3d8bc49e5d02c9

SHA1
82ac0b36bc447b697a907067a4163f4904d8ab25

SHA256
336e5e72892c6ac686f60e22a98848100e6af98f52490af608e0c930afef5798

SHA512
d867f302850a493d0424ad18b2adb110704c7eafde5a1fbb0eef9f109d366d0758bddbece0b8a0a0d5482b5ccf39e0dadff9dc143162eb5710c8639acc88db21

Download Submit
memory/1812-56-0x0000018A9BF30000-0x0000018A9C034000-memory.dmp

Filesize
1.0MB

Download
memory/1812-60-0x0000018A9BF30000-0x0000018A9C034000-memory.dmp

Filesize
1.0MB

Download
memory/1812-70-0x0000018A9BF30000-0x0000018A9C034000-memory.dmp

Filesize
1.0MB

Download
memory/3196-63-0x00000246A7340000-0x00000246A7444000-memory.dmp

Filesize
1.0MB

Download
memory/3196-69-0x00000246A7340000-0x00000246A7444000-memory.dmp

Filesize
1.0MB

Download
memory/3196-71-0x00000246A7340000-0x00000246A7444000-memory.dmp

Filesize
1.0MB

Download
memory/3432-61-0x0000000008CD0000-0x0000000008DD4000-memory.dmp

Filesize
1.0MB

Download
memory/3432-62-0x0000000008CD0000-0x0000000008DD4000-memory.dmp

Filesize
1.0MB

Download
memory/3432-68-0x0000000008CD0000-0x0000000008DD4000-memory.dmp

Filesize
1.0MB

Download
memory/3432-67-0x0000000008CD0000-0x0000000008DD4000-memory.dmp

Filesize
1.0MB

Download
memory/3432-29-0x0000000008CD0000-0x0000000008DD4000-memory.dmp

Filesize
1.0MB

Download
memory/3432-38-0x0000000008CD0000-0x0000000008DD4000-memory.dmp

Filesize
1.0MB

Download
memory/3432-37-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3432-72-0x0000000008CD0000-0x0000000008DD4000-memory.dmp

Filesize
1.0MB

Download
memory/3672-50-0x00000298E2620000-0x00000298E2724000-memory.dmp

Filesize
1.0MB

Download
memory/3672-46-0x00000298E2620000-0x00000298E2724000-memory.dmp

Filesize
1.0MB

Download
memory/3892-45-0x00000233838F0000-0x00000233839F4000-memory.dmp

Filesize
1.0MB

Download
memory/3892-40-0x00000233838F0000-0x00000233839F4000-memory.dmp

Filesize
1.0MB

Download
memory/3892-73-0x00000233838F0000-0x00000233839F4000-memory.dmp

Filesize
1.0MB

Download
memory/4440-27-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/4440-31-0x0000000000A40000-0x0000000000B44000-memory.dmp

Filesize
1.0MB

Download
memory/4440-22-0x0000000000A40000-0x0000000000B44000-memory.dmp

Filesize
1.0MB

Download
memory/4440-28-0x0000000000A40000-0x0000000000B44000-memory.dmp

Filesize
1.0MB

Download
memory/4652-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4652-8-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4652-3-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4652-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4680-26-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4680-18-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4844-51-0x0000014916390000-0x0000014916494000-memory.dmp

Filesize
1.0MB

Download
memory/4844-55-0x0000014916390000-0x0000014916494000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads