Overview

overview

10

Static

static

1

HPCommRecovery.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2024 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HPCommRecovery.zip

  • Size

    1.6MB

  • MD5

    e961abdcb3b325955eb3e285dbdb8912

  • SHA1

    467a1cff82a81cc918e13dd3a9c1c2254a8b63e8

  • SHA256

    90ca8803a7d5fc0616f08e9c64209148c6b8b23e39bfe5dd5e6254283d9708a6

  • SHA512

    8aab747740a6031f1d49e2b306d4fe7b6020388a6e28c7ee28f60c9dd11eea411674c681ceb699147d70b2b0f974f8099fbf402356fe5e160bdc0a59fda0ec85

  • SSDEEP

    24576:H48nWRqPLx7dUFgT7vcVx2VL+DIlqOj0SzsmrMwszB7TPWCBhmPZJAaczMSZNybO:LWQlWFgT72QVL+8XjhLsJOCuJ0nQ98

Score
10/10
gozibankerisfbtrojan

Malware Config

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\HPCommRecovery.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4876
  • C:\Users\Admin\Desktop\HPCommRecovery.exe
    "C:\Users\Admin\Desktop\HPCommRecovery.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Windows\System32\mobsync.exe
      C:\Windows\System32\mobsync.exe /Schedule='My Offline Files
      2⤵
        PID:2504
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\ClassLibrary.dll
      Filesize

      4KB

      MD5

      e3deb0d1cb86b3aa0cfc07e622855281

      SHA1

      97d5525b7cca4ee8709101c2c2e5527398f04844

      SHA256

      e8a96da2933829dd9bbc8858f34b1707aa2e5859c044158616096bdb464bafd5

      SHA512

      38e4909f2272e81685ec91d60772967cae3267cf40be663e855f1a25249a4b55bb324f834c42738202b0d228603b123335fb5809c76a8822957cfedf4a0304a2

      Download Submit

    • C:\Users\Admin\Desktop\HPCommDevControl.dll
      Filesize

      7.2MB

      MD5

      a74d6a6982a24421df848aeaf4ef3cc2

      SHA1

      949cd3569d763bfbb9506c7a6b8cdb1b8f796b31

      SHA256

      14a1c7ec4a57d6b5f3b856289df0ffd7e198b98942e23b2a2ea182c699649e48

      SHA512

      904c6430ef3c90e88c869da9146e8c974987653e585436b6542877c59861629c4c06d286d3fa43d8e9408a8974173383259c56d5d8695aba32a413cfa077e521

      Download Submit

    • C:\Users\Admin\Desktop\HPCommRecovery.exe
      Filesize

      870KB

      MD5

      cbf80c345c20bb9ec9d4537054937421

      SHA1

      64878f0df1163581f8ba59aa9e216e4415e1d8d2

      SHA256

      1a31745f6050970986a27576a013cfb299dc5f89bed80d2112f3c704ff4ddce4

      SHA512

      e0434a9a1885222daa57be9c1b8a345c868bea99d8555a72f83d591b6389298da761f712786ca1ed913b8a782d6d632074e8f29ed02c1ca35fb5bad9b1361015

      Download Submit

    • C:\Users\Admin\Desktop\HPCommRecovery.exe.config
      Filesize

      324B

      MD5

      30f77e69f6b9b4a278cd06365db8dc5b

      SHA1

      8b7acd9647d0b4d810a5d48b3111fd0a073e6840

      SHA256

      69f665f8f7631f40164626765530eefb86972d072e0d23321486d22df5b702c5

      SHA512

      4ff7a6f5a2b9dbb44be1b033eceb842d272dfebe49fd1fd8ed0b8ae16d949e0d2dc33d8c7f152a35ab952504362239ec65c461836a8cdda48c19852f3914072a

      Download Submit

    • memory/2504-24-0x00000267EF490000-0x00000267EF492000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-41-0x00000267EF430000-0x00000267EF488000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2504-27-0x00000267EF430000-0x00000267EF488000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2504-19-0x00000267EF260000-0x00000267EF2AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2504-26-0x00000267EF430000-0x00000267EF488000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2504-21-0x00000267EF430000-0x00000267EF488000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2828-38-0x000001A81D980000-0x000001A81D981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-39-0x000001A81D980000-0x000001A81D981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-34-0x000001A81D980000-0x000001A81D981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-28-0x000001A81D980000-0x000001A81D981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-29-0x000001A81D980000-0x000001A81D981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-30-0x000001A81D980000-0x000001A81D981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-40-0x000001A81D980000-0x000001A81D981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-35-0x000001A81D980000-0x000001A81D981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-36-0x000001A81D980000-0x000001A81D981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-37-0x000001A81D980000-0x000001A81D981000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4232-15-0x0000026F883C0000-0x0000026F883C6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4232-20-0x0000026F86690000-0x0000026F8676C000-memory.dmp

      Filesize

      880KB

      Download

    • memory/4232-18-0x00007FFB2F010000-0x00007FFB2F205000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/4232-11-0x00007FFB100E3000-0x00007FFB100E5000-memory.dmp

      Filesize

      8KB

      Download