Analysis

  • max time kernel
    91s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/09/2024, 23:43

General

  • Target

    2edb9333b749e26d78cf8e0d01875540N.exe

  • Size

    7.6MB

  • MD5

    2edb9333b749e26d78cf8e0d01875540

  • SHA1

    c735a73c8185466e184c0a05470f46fe7c4c198f

  • SHA256

    25c910b9ddf17baf841ed4f7baa4d7296d3a6411e901e567b0bd7f6454ac2440

  • SHA512

    5dbfc9bc1080c497816280ed45b618f819f7abddd03656b8dcc4a1833b4f01414c3ab734679a89501d4614d546e771a948c935b59c538eb403a22eeb717a280b

  • SSDEEP

    196608:fDXNRtASz9zqwWfKEvxvbbVCKlfMFELMc1GpC5o:fDXlASz9zqntZv3PMCLMc1Gs5

Malware Config

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2edb9333b749e26d78cf8e0d01875540N.exe
    "C:\Users\Admin\AppData\Local\Temp\2edb9333b749e26d78cf8e0d01875540N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /flushdns
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:1828
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 240
      2⤵
      • Program crash
      PID:1908
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4724 -ip 4724
    1⤵
    PID:1392

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2edb9333b749e26d78cf8e0d01875540N.cfg

    Filesize

    72B

    MD5

    1038dd78d4f479179016ff4e34b97f0f

    SHA1

    5a32bc875e8d7795de1e784194515365552f2d2d

    SHA256

    8536bb844501b787ac87fc9fa7a44e97f0c5754f538ec2ed8b2ba774ef948264

    SHA512

    bbb97c024d25bcef17c5430502959f25a54dcac3a0f8033cfd2a19b62a496a175ff4a001ea9ce9b8b32fc4a80fd4e18d4033a715460c01b504a23eef34458963

  • memory/2052-2-0x0000000000700000-0x0000000001672000-memory.dmp

    Filesize

    15.4MB

  • memory/4724-1-0x0000000000CF0000-0x00000000014AB000-memory.dmp

    Filesize

    7.7MB

  • memory/4724-4-0x0000000000CF0000-0x00000000014AB000-memory.dmp

    Filesize

    7.7MB