Analysis

  • max time kernel
    300s
  • max time network
    241s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/11/2024, 20:50 UTC

General

  • Target

    639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d.exe

  • Size

    511KB

  • MD5

    afb4846bd287f31e6297cb4095aece65

  • SHA1

    b92d682a800d82ff6e980deae88f6cb7e048c11d

  • SHA256

    639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d

  • SHA512

    8f5b3062a7f4faada34001bbe8510235d20b3d507ee0858ef23db92853f31a3075c60e37738a93e1385995199c9d99dccb7e547247fc9af5b8a8f3557d03d070

  • SSDEEP

    12288:nTY7/WAuLAOOxsgfj40bDKg0m7t4is8jYar:kusO+RDKgJBnsgYa

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215798

rsa_pubkey.plain

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0qwXQVpOzw0MCY/jV1al
RHCEvlQFPfa17K0aSlWFdPLWuHxS6YQDWlJATf5kGFMXhnaoE/tl+B5bTNOf0Tty
eLCnluqCNPWHYzMnbSQ25juzCYUgBkiYLDmXT5iRFIKf+v1ca2yazVdzlaKBVNb8
Jqc207yRtqQ/mZ52VN3ywDR7X7PCVUIsEewLSbwWL5kndWqaA7HvO9i1/BDW8X+m
xjHnvV54bslLiXJi1aDpfqpI/JGIy8m3++vZG7ty+DfZCJpdGRgKvo6J8noWE5P8
2HCM9J4MFu76TlTXsps2dNetCIN2qpzwBiNS0w9MkgzFgXM6Ti54e7PUyGRfJ4d8
fwIDAQAB
-----END PUBLIC KEY-----

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d.exe
      "C:\Users\Admin\AppData\Local\Temp\639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Users\Admin\AppData\Local\Temp\639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d.exe
        "C:\Users\Admin\AppData\Local\Temp\639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\E512\F289.bat" "C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe" "C:\Users\Admin\AppData\Local\Temp\639A86~1.EXE""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C ""C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe" "C:\Users\Admin\AppData\Local\Temp\639A86~1.EXE""
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2872
            • C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe
              "C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe" "C:\Users\Admin\AppData\Local\Temp\639A86~1.EXE"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2756
              • C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe
                "C:\Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:1700
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe
                  8⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:2288

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\E512\F289.bat

    Filesize

    112B

    MD5

    6d035997ca4b74c989f0b490126162fd

    SHA1

    d78d98184092f78374cc9bf4af4d6d24c5f5612c

    SHA256

    1d0ff939dde4099c8e34ee1b4689cf8ff03eda2c2f6317f054422503f51472f2

    SHA512

    edd15e35928e02d7848878cce5638995bdb25ceaa43c237aabc5c0b315eafd5b5a05ee2f9f243345873ad7cdc81400c20e012d810d8433ae6eec4708b89f5568

  • \Users\Admin\AppData\Roaming\AltTeSvr\comrdemx.exe

    Filesize

    511KB

    MD5

    afb4846bd287f31e6297cb4095aece65

    SHA1

    b92d682a800d82ff6e980deae88f6cb7e048c11d

    SHA256

    639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d

    SHA512

    8f5b3062a7f4faada34001bbe8510235d20b3d507ee0858ef23db92853f31a3075c60e37738a93e1385995199c9d99dccb7e547247fc9af5b8a8f3557d03d070

  • memory/1248-72-0x0000000007B00000-0x0000000007C04000-memory.dmp

    Filesize

    1.0MB

  • memory/1248-74-0x0000000007B00000-0x0000000007C04000-memory.dmp

    Filesize

    1.0MB

  • memory/1248-73-0x0000000007B00000-0x0000000007C04000-memory.dmp

    Filesize

    1.0MB

  • memory/1248-71-0x0000000007B00000-0x0000000007C04000-memory.dmp

    Filesize

    1.0MB

  • memory/1248-64-0x0000000007B00000-0x0000000007C04000-memory.dmp

    Filesize

    1.0MB

  • memory/1700-59-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/1700-53-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2288-57-0x0000000000490000-0x0000000000594000-memory.dmp

    Filesize

    1.0MB

  • memory/2288-54-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

    Filesize

    4KB

  • memory/2288-62-0x0000000000490000-0x0000000000594000-memory.dmp

    Filesize

    1.0MB

  • memory/2964-8-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2964-4-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2964-2-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2964-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2964-6-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2964-29-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2964-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2964-14-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2964-17-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2964-16-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

  • memory/2964-10-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB
