Malware Analysis Report

2025-03-15 07:27

Sample ID 241123-v5bf2synbv
Target 1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe
SHA256 1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9
Tags
upx isfb gozi banker discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9

Threat Level: Known bad

The file 1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi banker discovery trojan

Gozi family

Gozi

Executes dropped EXE

Checks computer location settings

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-23 17:33

Signatures

Gozi family

gozi

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-23 17:33

Reported

2024-11-23 17:35

Platform

win7-20240708-en

Max time kernel

16s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"

Signatures

Gozi

banker trojan gozi

Gozi family

gozi

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\ash_inet2.dll | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A
File opened for modification | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\ash_inet2.dll | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A
File opened for modification | C:\Program Files (x86)\Ashampoo | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A
File opened for modification | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19 | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A
File created | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\__tmp_rar_sfx_access_check_259449896 | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe

"C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E292.tmp\E293.bat C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"

C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe

2.exe

Network

N/A

Files

memory/2172-0-0x0000000000400000-0x00000000005B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E292.tmp\E293.bat

MD5 a4d54825c48a32efc53e34ea0f588d1c
SHA1 cd5815db470cf3af4d6ce658151eb24fef1c664f
SHA256 a80606f4473428d06cee3e62fd68ec7fc9b99a563260a5ed0d012d76634efe39
SHA512 74058d5b0e14ad7b453ed6119e483d3ac3281405f29f2f804c67c0e3b112c68349d8893e8232e3ca93695f43705fcf6a18ec3f6016e68bfe11b1b10a79ba723b

C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe

MD5 a99128027215ad1dbb57216f1609bd2b
SHA1 aa945b1d72e6593d6961f2186a99dacf40910153
SHA256 8c9345cd34b8f57a49574df8131f44b7d643edd20a653cd51f508dafaad0c4de
SHA512 391d3dfbbbcc2f22d7fab75572bf5fa6876e0703ad688fb00a293b1df4fae53077c64139d4a2f14fbe9d088595974fde91d4da7137f5c91fda36a6eb89a2176c

memory/2172-10-0x0000000000400000-0x00000000005B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-23 17:33

Reported

2024-11-23 17:35

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"

Signatures

Gozi

banker trojan gozi

Gozi family

gozi

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\ash_inet2.dll | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A
File opened for modification | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\ash_inet2.dll | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A
File opened for modification | C:\Program Files (x86)\Ashampoo | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A
File opened for modification | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19 | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A
File created | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\__tmp_rar_sfx_access_check_240622734 | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe

"C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\9A1E.bat C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"

C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe

2.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/5068-0-0x0000000000400000-0x00000000005B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\9A1E.bat

MD5 a4d54825c48a32efc53e34ea0f588d1c
SHA1 cd5815db470cf3af4d6ce658151eb24fef1c664f
SHA256 a80606f4473428d06cee3e62fd68ec7fc9b99a563260a5ed0d012d76634efe39
SHA512 74058d5b0e14ad7b453ed6119e483d3ac3281405f29f2f804c67c0e3b112c68349d8893e8232e3ca93695f43705fcf6a18ec3f6016e68bfe11b1b10a79ba723b

C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe

MD5 a99128027215ad1dbb57216f1609bd2b
SHA1 aa945b1d72e6593d6961f2186a99dacf40910153
SHA256 8c9345cd34b8f57a49574df8131f44b7d643edd20a653cd51f508dafaad0c4de
SHA512 391d3dfbbbcc2f22d7fab75572bf5fa6876e0703ad688fb00a293b1df4fae53077c64139d4a2f14fbe9d088595974fde91d4da7137f5c91fda36a6eb89a2176c

memory/5068-10-0x0000000000400000-0x00000000005B5000-memory.dmp