gozi | d73f1b079da78f771a522bb0dd2511e9c4fe1143c9fff04d530e4f90b3db7c10

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unbrandedbubble.exe
Size

6.6MB
MD5

f7c63d1407f5a0f9fd3616ce3439fc6c
SHA1

8718841c27d61068729f340dc9a3c5a8578ab860
SHA256

d73f1b079da78f771a522bb0dd2511e9c4fe1143c9fff04d530e4f90b3db7c10
SHA512

2d1f3086a3d6f1d4c55a57e50c2ded3d7d959794f72e49ff0dcc16bdcb71e2eb745aa58f8b10c973edd64ce218ff5be8dbcff9197ec5408cf5811b5ccb9bd31f
SSDEEP

196608:rP7TJGYJd/8Aob1Eu5W7TJGYJd/8Aob1Eu5:rPJvLsgJvLs

Score

10^/10

gozi purecrypter banker discovery downloader isfb loader trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

purecrypter

https://cdn.discordapp.com/attachments/1000747213397426258/1003112003574956072/upd_Awqcktbs.jpg

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 1 IoCs

pid	Process
1100	upd.exe

Loads dropped DLL 1 IoCs

pid	Process
2564	unbrandedbubble.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unbrandedbubble.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe
2564	unbrandedbubble.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	unbrandedbubble.exe
Token: SeDebugPrivilege	1100	upd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1100	2564	unbrandedbubble.exe	30
PID 2564 wrote to memory of 1100	2564	unbrandedbubble.exe	30
PID 2564 wrote to memory of 1100	2564	unbrandedbubble.exe	30
PID 2564 wrote to memory of 1100	2564	unbrandedbubble.exe	30

C:\Users\Admin\AppData\Local\Temp\unbrandedbubble.exe
"C:\Users\Admin\AppData\Local\Temp\unbrandedbubble.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\Nvidia_Cache_Container_LogInfo\upd.exe
  "C:\Users\Admin\AppData\Local\Temp\Nvidia_Cache_Container_LogInfo\upd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nvidia_Cache_Container_LogInfo\upd.exe

Filesize
141KB

MD5
f45d7b351cc6417da06c7cd9247df80d

SHA1
a3c07f5e38456ffb0545c0bd85444d89ce972e9f

SHA256
4dc32bf8f52a30c9c30e876afeeb1621f0028222e6f194c95a72926fd1b2c259

SHA512
5cb78c2b6d79b4873a63b213dfea8b660c541bce8310f3c8cc6fab1df1bbf9dc036c5fbff7d366e398c542d1c119236f9a3cfccd9ad36ff59bbf6ee1a04183da

Download Submit
memory/1100-13-0x000000013FCC0000-0x000000013FCE6000-memory.dmp

Filesize
152KB

Download
memory/1100-19-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1100-18-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

Filesize
4KB

Download
memory/1100-14-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/1100-11-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

Filesize
4KB

Download
memory/2564-12-0x0000000008F70000-0x0000000009588000-memory.dmp

Filesize
6.1MB

Download
memory/2564-0-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2564-3-0x0000000006780000-0x0000000006ED4000-memory.dmp

Filesize
7.3MB

Download
memory/2564-15-0x0000000005530000-0x0000000005570000-memory.dmp

Filesize
256KB

Download
memory/2564-16-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download
memory/2564-17-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2564-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

Filesize
6.9MB

Download
memory/2564-1-0x0000000001200000-0x0000000001898000-memory.dmp

Filesize
6.6MB

Download
memory/2564-20-0x0000000005530000-0x0000000005570000-memory.dmp

Filesize
256KB

Download