gozi | 92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4

General

Target

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
Size

199KB
MD5

b6472d999d771b922bf1c1b9e5da1c07
SHA1

b346bea7343dc739dad96e78d0a6a9fbff64d3f9
SHA256

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4
SHA512

fd0c5a1ead59f238fa4288dcfb08570c366ff7a5cfc4e78eca05284b7f75cb9f2fb7825064d5e2d48a9340d6c092a4605e803cb87f6f4882a510fe43dccc0cfd
SSDEEP

6144:g1BpcJrVKdeOPLTlKYoT4byFgUcVydDeT:UBHMOPXljoTHPn6T

Score

10^/10

gozi banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

rsa_pubkey.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2848 cmd.exe

pid	process
2848	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\charocom = "C:\\Windows\\system32\\relotend.exe"	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

Drops file in System32 directory 2 IoCs

Processes:

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

description	ioc	process
File created	C:\Windows\SysWOW64\relotend.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
File opened for modification	C:\Windows\SysWOW64\relotend.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

description	pid	process	target process
PID 596 set thread context of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 2364 set thread context of 2420	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.execmd.exeattrib.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2420 explorer.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

pid process

2364 92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

pid	process
2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe
Token: SeShutdownPrivilege	2420	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

explorer.exe

pid	process
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe
2420	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

pid process

596 92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

pid	process
596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.execmd.exe

description	pid	process	target process
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 596 wrote to memory of 2364	596	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
PID 2364 wrote to memory of 2420	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	explorer.exe
PID 2364 wrote to memory of 2420	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	explorer.exe
PID 2364 wrote to memory of 2420	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	explorer.exe
PID 2364 wrote to memory of 2420	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	explorer.exe
PID 2364 wrote to memory of 2420	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	explorer.exe
PID 2364 wrote to memory of 2420	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	explorer.exe
PID 2364 wrote to memory of 2420	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	explorer.exe
PID 2364 wrote to memory of 2848	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	cmd.exe
PID 2364 wrote to memory of 2848	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	cmd.exe
PID 2364 wrote to memory of 2848	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	cmd.exe
PID 2364 wrote to memory of 2848	2364	92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe	cmd.exe
PID 2848 wrote to memory of 2508	2848	cmd.exe	attrib.exe
PID 2848 wrote to memory of 2508	2848	cmd.exe	attrib.exe
PID 2848 wrote to memory of 2508	2848	cmd.exe	attrib.exe
PID 2848 wrote to memory of 2508	2848	cmd.exe	attrib.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2508 attrib.exe

pid	process
2508	attrib.exe

C:\Users\Admin\AppData\Local\Temp\92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
"C:\Users\Admin\AppData\Local\Temp\92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596
- C:\Users\Admin\AppData\Local\Temp\92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe
  "C:\Users\Admin\AppData\Local\Temp\92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\259449615.bat" "C:\Users\Admin\AppData\Local\Temp\92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe""
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\92d37f9699672b48a816d0da0db68167ea7f45dfd7137bb48cf6e9e36d7076b4.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259449615.bat

Filesize
76B

MD5
b18a6f3b7a532851e7894839c3334ccd

SHA1
775914e7ad88f458de20152afdab7feebe088c73

SHA256
a9eff32845eb65786ae475dd3d507d531307f03b36e4bf5ca23dd3d52df5e83b

SHA512
dc0df49e5040496bb38ee951f15b899f3bbf83bf6c193463da3eae63e7708aca4651ab2cb1d51178ab7302dab123b3bf2a80bd261d446eb087a6cfa3710bf9f9

Download Submit
memory/596-16-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/596-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/596-4-0x0000000001CE0000-0x0000000001CFC000-memory.dmp

Filesize
112KB

Download
memory/596-18-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/596-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2364-5-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2364-17-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2364-10-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2364-13-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2364-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2364-8-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2364-7-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2364-6-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2364-19-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2364-40-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2364-9-0x0000000001000000-0x000000000102D000-memory.dmp

Filesize
180KB

Download
memory/2420-27-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2420-52-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2420-23-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2420-29-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2420-30-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2420-21-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2420-22-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/2420-28-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2420-53-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2420-56-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2420-62-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2420-65-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download
memory/2420-68-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/2420-69-0x00000000002E0000-0x000000000034C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads