gozi | 8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll
Size

672KB
MD5

281ab1908c42955077a6ae9434c404a0
SHA1

d3dba9abdce5630188d8c51886e889305a698607
SHA256

8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7
SHA512

212d88553d5b92b278aa96f9cf7fd523ad1a95f7729bdf7e260ec321d8165bb0b110bd0ecb1af8ed896ee2f05b491077bdca8703c0c0524ff650914609852d99
SSDEEP

12288:97EFH9MS0eApw2fmB1zNDLRfm4yVjg6AI18R5kQSuOscoujeNA:97EIeewHNIAIiRmQ9ujeNA

Score

10^/10

gozi 1000 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

http://ey7kuuklgieop2pq.onion

http://shoshanna.at

http://maiamirainy.at

Attributes

dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crypthlp = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Adhaprop\\ddp_past.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 9 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

description	pid	Process	procid_target
PID 2848 set thread context of 2272	2848	rundll32.exe	99
PID 2272 set thread context of 3476	2272	control.exe	56
PID 3476 set thread context of 4004	3476	Explorer.EXE	60
PID 3476 set thread context of 4204	3476	Explorer.EXE	62
PID 3476 set thread context of 3872	3476	Explorer.EXE	76
PID 2272 set thread context of 2256	2272	control.exe	101
PID 3476 set thread context of 592	3476	Explorer.EXE	85
PID 3476 set thread context of 940	3476	Explorer.EXE	86
PID 3476 set thread context of 1072	3476	Explorer.EXE	108

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exeExplorer.EXE

pid	Process
2848	rundll32.exe
2848	rundll32.exe
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

rundll32.execontrol.exeExplorer.EXE

pid	Process
2848	rundll32.exe
2272	control.exe
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
2272	control.exe
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Explorer.EXE

description	pid	Process
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE
Token: SeShutdownPrivilege	3476	Explorer.EXE
Token: SeCreatePagefilePrivilege	3476	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid	Process
3476	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
3476	Explorer.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

rundll32.exerundll32.execontrol.exeExplorer.EXEcmd.exe

description	pid	Process	procid_target
PID 736 wrote to memory of 2848	736	rundll32.exe	83
PID 736 wrote to memory of 2848	736	rundll32.exe	83
PID 736 wrote to memory of 2848	736	rundll32.exe	83
PID 2848 wrote to memory of 2272	2848	rundll32.exe	99
PID 2848 wrote to memory of 2272	2848	rundll32.exe	99
PID 2848 wrote to memory of 2272	2848	rundll32.exe	99
PID 2848 wrote to memory of 2272	2848	rundll32.exe	99
PID 2848 wrote to memory of 2272	2848	rundll32.exe	99
PID 2272 wrote to memory of 3476	2272	control.exe	56
PID 2272 wrote to memory of 3476	2272	control.exe	56
PID 2272 wrote to memory of 3476	2272	control.exe	56
PID 3476 wrote to memory of 4004	3476	Explorer.EXE	60
PID 3476 wrote to memory of 4004	3476	Explorer.EXE	60
PID 3476 wrote to memory of 4004	3476	Explorer.EXE	60
PID 3476 wrote to memory of 4204	3476	Explorer.EXE	62
PID 3476 wrote to memory of 4204	3476	Explorer.EXE	62
PID 3476 wrote to memory of 4204	3476	Explorer.EXE	62
PID 3476 wrote to memory of 3872	3476	Explorer.EXE	76
PID 2272 wrote to memory of 2256	2272	control.exe	101
PID 2272 wrote to memory of 2256	2272	control.exe	101
PID 2272 wrote to memory of 2256	2272	control.exe	101
PID 3476 wrote to memory of 3872	3476	Explorer.EXE	76
PID 3476 wrote to memory of 3872	3476	Explorer.EXE	76
PID 3476 wrote to memory of 592	3476	Explorer.EXE	85
PID 2272 wrote to memory of 2256	2272	control.exe	101
PID 2272 wrote to memory of 2256	2272	control.exe	101
PID 3476 wrote to memory of 592	3476	Explorer.EXE	85
PID 3476 wrote to memory of 592	3476	Explorer.EXE	85
PID 3476 wrote to memory of 940	3476	Explorer.EXE	86
PID 3476 wrote to memory of 940	3476	Explorer.EXE	86
PID 3476 wrote to memory of 940	3476	Explorer.EXE	86
PID 3476 wrote to memory of 4476	3476	Explorer.EXE	102
PID 3476 wrote to memory of 4476	3476	Explorer.EXE	102
PID 4476 wrote to memory of 1544	4476	cmd.exe	104
PID 4476 wrote to memory of 1544	4476	cmd.exe	104
PID 3476 wrote to memory of 1744	3476	Explorer.EXE	106
PID 3476 wrote to memory of 1744	3476	Explorer.EXE	106
PID 3476 wrote to memory of 1072	3476	Explorer.EXE	108
PID 3476 wrote to memory of 1072	3476	Explorer.EXE	108
PID 3476 wrote to memory of 1072	3476	Explorer.EXE	108
PID 3476 wrote to memory of 1072	3476	Explorer.EXE	108
PID 3476 wrote to memory of 1072	3476	Explorer.EXE	108
PID 3476 wrote to memory of 1072	3476	Explorer.EXE	108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#1
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\control.exe
      C:\Windows\system32\control.exe /?
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
        5⤵
        
        PID:2256
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\C225.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1544
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C225.bi1"
  2⤵
  PID:1744
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1072

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4204

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3872

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:592

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C225.bi1

Filesize
121B

MD5
58910db4e6beb9df6a7facc8ff9ebd01

SHA1
4ac7a11682951faa9a2158955ec2887f2b54b7b2

SHA256
8da116d5ff7ffd87e9839c748496155d74e6a425028514d324ddcf33ac00570f

SHA512
ee5046838fef65364b93468ac35d97a6d1d028d897b8088fee77a88b977177c8d22e463b369a44048a40f2ea2e50f3acc54bcf314571c146a7602b67680260b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Adhaprop\ddp_past.dll

Filesize
672KB

MD5
281ab1908c42955077a6ae9434c404a0

SHA1
d3dba9abdce5630188d8c51886e889305a698607

SHA256
8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7

SHA512
212d88553d5b92b278aa96f9cf7fd523ad1a95f7729bdf7e260ec321d8165bb0b110bd0ecb1af8ed896ee2f05b491077bdca8703c0c0524ff650914609852d99

Download Submit
memory/592-62-0x000001B5402E0000-0x000001B540391000-memory.dmp

Filesize
708KB

Download
memory/592-84-0x000001B5402E0000-0x000001B540391000-memory.dmp

Filesize
708KB

Download
memory/592-66-0x000001B5402E0000-0x000001B540391000-memory.dmp

Filesize
708KB

Download
memory/940-78-0x00000197B2E40000-0x00000197B2EF1000-memory.dmp

Filesize
708KB

Download
memory/940-74-0x00000197B2E40000-0x00000197B2EF1000-memory.dmp

Filesize
708KB

Download
memory/2256-72-0x000001F194030000-0x000001F1940E1000-memory.dmp

Filesize
708KB

Download
memory/2256-67-0x000001F194030000-0x000001F1940E1000-memory.dmp

Filesize
708KB

Download
memory/2256-71-0x000001F194030000-0x000001F1940E1000-memory.dmp

Filesize
708KB

Download
memory/2272-81-0x0000000000830000-0x00000000008E1000-memory.dmp

Filesize
708KB

Download
memory/2272-21-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2272-22-0x0000000000830000-0x00000000008E1000-memory.dmp

Filesize
708KB

Download
memory/2272-17-0x0000000000830000-0x00000000008E1000-memory.dmp

Filesize
708KB

Download
memory/2272-26-0x0000000000830000-0x00000000008E1000-memory.dmp

Filesize
708KB

Download
memory/2848-7-0x0000000003480000-0x00000000034CA000-memory.dmp

Filesize
296KB

Download
memory/2848-3-0x0000000002A80000-0x0000000003431000-memory.dmp

Filesize
9.7MB

Download
memory/2848-25-0x0000000002A80000-0x0000000003431000-memory.dmp

Filesize
9.7MB

Download
memory/2848-14-0x0000000003480000-0x00000000034CA000-memory.dmp

Filesize
296KB

Download
memory/2848-4-0x0000000002A80000-0x0000000003431000-memory.dmp

Filesize
9.7MB

Download
memory/2848-0-0x0000000002A80000-0x0000000003431000-memory.dmp

Filesize
9.7MB

Download
memory/2848-1-0x0000000002A80000-0x0000000003431000-memory.dmp

Filesize
9.7MB

Download
memory/2848-2-0x0000000002B1D000-0x0000000002B22000-memory.dmp

Filesize
20KB

Download
memory/3476-29-0x0000000002EC0000-0x0000000002F71000-memory.dmp

Filesize
708KB

Download
memory/3476-38-0x0000000002EC0000-0x0000000002F71000-memory.dmp

Filesize
708KB

Download
memory/3476-41-0x0000000002EC0000-0x0000000002F71000-memory.dmp

Filesize
708KB

Download
memory/3476-39-0x0000000002EC0000-0x0000000002F71000-memory.dmp

Filesize
708KB

Download
memory/3476-82-0x0000000002EC0000-0x0000000002F71000-memory.dmp

Filesize
708KB

Download
memory/3476-36-0x0000000002EC0000-0x0000000002F71000-memory.dmp

Filesize
708KB

Download
memory/3476-34-0x0000000002EC0000-0x0000000002F71000-memory.dmp

Filesize
708KB

Download
memory/3476-73-0x0000000002EC0000-0x0000000002F71000-memory.dmp

Filesize
708KB

Download
memory/3476-33-0x0000000002EC0000-0x0000000002F71000-memory.dmp

Filesize
708KB

Download
memory/3476-35-0x0000000002EC0000-0x0000000002F71000-memory.dmp

Filesize
708KB

Download
memory/3476-32-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3872-60-0x000001CAA5230000-0x000001CAA52E1000-memory.dmp

Filesize
708KB

Download
memory/3872-56-0x000001CAA5230000-0x000001CAA52E1000-memory.dmp

Filesize
708KB

Download
memory/4004-42-0x00000231B26F0000-0x00000231B27A1000-memory.dmp

Filesize
708KB

Download
memory/4004-48-0x00000231B26F0000-0x00000231B27A1000-memory.dmp

Filesize
708KB

Download
memory/4004-47-0x00000231B27B0000-0x00000231B27B1000-memory.dmp

Filesize
4KB

Download
memory/4004-83-0x00000231B26F0000-0x00000231B27A1000-memory.dmp

Filesize
708KB

Download
memory/4204-54-0x0000019487650000-0x0000019487651000-memory.dmp

Filesize
4KB

Download
memory/4204-55-0x0000019488010000-0x00000194880C1000-memory.dmp

Filesize
708KB

Download
memory/4204-86-0x0000019488010000-0x00000194880C1000-memory.dmp

Filesize
708KB

Download
memory/4204-49-0x0000019488010000-0x00000194880C1000-memory.dmp

Filesize
708KB

Download