Overview

overview

10

Static

static

5

0442cfabb3...ab.exe

windows7-x64

8

c0cf40b883...3a.exe

windows7-x64

8

cry1.exe

windows7-x64

8

cry2.exe

windows7-x64

8

cry3.exe

windows7-x64

10

cry4.exe

windows7-x64

10

cry5.exe

windows7-x64

8

cry6.exe

windows7-x64

10

e49778d20a...73.exe

windows7-x64

8

inquiry.scr

windows7-x64

9

Накла...15.scr

windows7-x64

3

ПРЕТЕ...Я.scr

windows7-x64

5

Счет �...08.scr

windows7-x64

3

карто...я.scr

windows7-x64

5

Analysis

  • max time kernel
    600s
  • max time network
    597s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-11-2024 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cry4.exe

  • Size

    507KB

  • MD5

    6e352a6e96db293f487d1c1996f7ca60

  • SHA1

    887a357a96b9dbb428b6b776a3ec8ca8de746f18

  • SHA256

    49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6

  • SHA512

    bad3b109707b7ba714ccfd41109d6defe9aa2c651cd7dd8c91f536622fa52394071e858a81a2844421a56219527737d395580ea73e250f6cb44c4c1c4959351d

  • SSDEEP

    12288:IEi3NId2zO8PW418jZZUozZuzYgwz3r14Y07KCJ:GrdZ+tZlVUYBzB0KC

Score
10/10
gozibankerdiscoveryisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215798

rsa_pubkey.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1132
    • C:\Users\Admin\AppData\Local\Temp\cry4.exe
      "C:\Users\Admin\AppData\Local\Temp\cry4.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Users\Admin\AppData\Local\Temp\cry4.exe
        "C:\Users\Admin\AppData\Local\Temp\cry4.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2176
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\6336\319B.bat" "C:\Users\Admin\AppData\Roaming\difxuser\cewmnect.exe" "C:\Users\Admin\AppData\Local\Temp\cry4.exe""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C ""C:\Users\Admin\AppData\Roaming\difxuser\cewmnect.exe" "C:\Users\Admin\AppData\Local\Temp\cry4.exe""
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Users\Admin\AppData\Roaming\difxuser\cewmnect.exe
              "C:\Users\Admin\AppData\Roaming\difxuser\cewmnect.exe" "C:\Users\Admin\AppData\Local\Temp\cry4.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2704
              • C:\Users\Admin\AppData\Roaming\difxuser\cewmnect.exe
                "C:\Users\Admin\AppData\Roaming\difxuser\cewmnect.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:2712
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe
                  8⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:2016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\6336\319B.bat
    Filesize

    112B

    MD5

    bc01f616c09d69a6dd36f7bc58286817

    SHA1

    b83283444714ab1e312a7b221dc709f8806c5ff4

    SHA256

    d19793bcf4f5441e08c64d40b4d4d31164efc59944f2d3ecc0a963ba55565e85

    SHA512

    f6764745c4c5ea014a349156299c2a0aab725fc0edbce095cff28cb1a37d4612db6c2d64bce0339bcb12c074d7aa9b7c226cd7f873c0c9e564de44c328e12b13

    Download Submit

  • \Users\Admin\AppData\Roaming\difxuser\cewmnect.exe
    Filesize

    507KB

    MD5

    6e352a6e96db293f487d1c1996f7ca60

    SHA1

    887a357a96b9dbb428b6b776a3ec8ca8de746f18

    SHA256

    49b84085b7cc731d39fda5a6c15d8bedf3051f3e3f8792f4a50220ebdbf1a4c6

    SHA512

    bad3b109707b7ba714ccfd41109d6defe9aa2c651cd7dd8c91f536622fa52394071e858a81a2844421a56219527737d395580ea73e250f6cb44c4c1c4959351d

    Download Submit

  • memory/1132-63-0x0000000006480000-0x0000000006584000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1132-75-0x0000000006480000-0x0000000006584000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1132-73-0x0000000006480000-0x0000000006584000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1132-72-0x0000000006480000-0x0000000006584000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1132-74-0x0000000006480000-0x0000000006584000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1132-71-0x0000000006480000-0x0000000006584000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2016-62-0x0000000000450000-0x0000000000554000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2016-57-0x0000000000450000-0x0000000000554000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2016-54-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2176-6-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2176-4-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2176-2-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2176-29-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2176-10-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2176-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2176-8-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2176-14-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2176-17-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2176-16-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2176-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2712-61-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2712-53-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download