Overview

overview

10

Static

static

5

0442cfabb3...ab.exe

windows7-x64

8

c0cf40b883...3a.exe

windows7-x64

8

cry1.exe

windows7-x64

8

cry2.exe

windows7-x64

8

cry3.exe

windows7-x64

10

cry4.exe

windows7-x64

10

cry5.exe

windows7-x64

8

cry6.exe

windows7-x64

10

e49778d20a...73.exe

windows7-x64

8

inquiry.scr

windows7-x64

9

Накла...15.scr

windows7-x64

3

ПРЕТЕ...Я.scr

windows7-x64

5

Счет �...08.scr

windows7-x64

3

карто...я.scr

windows7-x64

5

Analysis

  • max time kernel
    600s
  • max time network
    597s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-11-2024 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cry6.exe

  • Size

    511KB

  • MD5

    afb4846bd287f31e6297cb4095aece65

  • SHA1

    b92d682a800d82ff6e980deae88f6cb7e048c11d

  • SHA256

    639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d

  • SHA512

    8f5b3062a7f4faada34001bbe8510235d20b3d507ee0858ef23db92853f31a3075c60e37738a93e1385995199c9d99dccb7e547247fc9af5b8a8f3557d03d070

  • SSDEEP

    12288:nTY7/WAuLAOOxsgfj40bDKg0m7t4is8jYar:kusO+RDKgJBnsgYa

Score
10/10
gozibankerdiscoveryisfbpersistencetrojan

Malware Config

Extracted

Family

gozi

Attributes
  • build

    215798

rsa_pubkey.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1180
    • C:\Users\Admin\AppData\Local\Temp\cry6.exe
      "C:\Users\Admin\AppData\Local\Temp\cry6.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Users\Admin\AppData\Local\Temp\cry6.exe
        "C:\Users\Admin\AppData\Local\Temp\cry6.exe"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\B194\58CA.bat" "C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\AppData\Local\Temp\cry6.exe""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2664
          • C:\Windows\SysWOW64\cmd.exe
            cmd /C ""C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\AppData\Local\Temp\cry6.exe""
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2592
            • C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe
              "C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\AppData\Local\Temp\cry6.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2624
              • C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe
                "C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:3016
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe
                  8⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:1196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\B194\58CA.bat
    Filesize

    112B

    MD5

    39292e8b5766d04006a7a5fe4fba559c

    SHA1

    83ebd8f4e97e8704a4bc496fcf32a399a78cd6b9

    SHA256

    202b2077426e8f0ee5b44da806b25ed4711161fe3de456222277d9ef31855ae1

    SHA512

    9905c8a6f661df65b90e56c43d4c03688768b942c2ee9d36f5055ca083bd6a2fe7a10375f82aba7682f26c7ccd29111b8dee659f3f36a17e69f70891b451c1b7

    Download Submit

  • \Users\Admin\AppData\Roaming\drprssec\chtbider.exe
    Filesize

    511KB

    MD5

    afb4846bd287f31e6297cb4095aece65

    SHA1

    b92d682a800d82ff6e980deae88f6cb7e048c11d

    SHA256

    639a86559b0a086fe388e4309ea22e49f79362c0983df1a5b09fa477db3c463d

    SHA512

    8f5b3062a7f4faada34001bbe8510235d20b3d507ee0858ef23db92853f31a3075c60e37738a93e1385995199c9d99dccb7e547247fc9af5b8a8f3557d03d070

    Download Submit

  • memory/1180-61-0x0000000004D10000-0x0000000004E14000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1180-74-0x0000000004D10000-0x0000000004E14000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1180-70-0x0000000004D10000-0x0000000004E14000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1180-71-0x0000000004D10000-0x0000000004E14000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1180-73-0x0000000004D10000-0x0000000004E14000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1180-72-0x0000000004D10000-0x0000000004E14000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1196-62-0x0000000000540000-0x0000000000644000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1196-56-0x0000000000540000-0x0000000000644000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1196-53-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2676-6-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-27-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-8-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-10-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-15-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-17-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-0-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-16-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-2-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-4-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2676-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3016-60-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3016-52-0x0000000000400000-0x0000000000466000-memory.dmp

    Filesize

    408KB

    Download