gozi | 04d6963ab02c1f483cb9ff7af68c15456740099de5dd84dc68a77e9511772129

Analysis

max time kernel
146s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04d6963ab02c1f483cb9ff7af68c15456740099de5dd84dc68a77e9511772129.dll
Size

761KB
MD5

daacc7852627bd0e71b8e3d2a4a6543b
SHA1

f47462d2b9d2b375684f98f011e399c25fe2e7dd
SHA256

04d6963ab02c1f483cb9ff7af68c15456740099de5dd84dc68a77e9511772129
SHA512

4c6fe5679e123443c3ec19094683ba834dbec0515b56bcde43c33d423db2684b108d6f9c457c9c10daa4765054c7d8bdc163b59a2c75464c42d7bcb6a18b2cd8
SSDEEP

12288:JauX9Io7goxCqOJC0g+j4gBoB3KD/KZExnbCZwcSeVX6OF+XN15xJgiC42D6r3ec:Jah7oYJRrLDSZExnbCvSyF+XW/6T

Score

10^/10

gozi 1000 banker discovery isfb persistence trojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

http://ey7kuuklgieop2pq.onion

http://maiamirainy.at

http://drunt.at

http://news-deck.at

Attributes

build
216098
dga_base_url
constitution.org/usdeclar.txt
dga_crc
0x4eb7d2ca
dga_season
10
dga_tlds
com

ru

org
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audiawex = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cleakmon\\CIRCmifs.dll\",DllRegisterServer"	Explorer.EXE

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1136 set thread context of 2096	1136	rundll32.exe	91
PID 2096 set thread context of 3412	2096	control.exe	56
PID 3412 set thread context of 3888	3412	Explorer.EXE	60
PID 2096 set thread context of 4668	2096	control.exe	94
PID 3412 set thread context of 3488	3412	Explorer.EXE	62
PID 3412 set thread context of 3868	3412	Explorer.EXE	76
PID 3412 set thread context of 4208	3412	Explorer.EXE	108

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1136	rundll32.exe
1136	rundll32.exe
3412	Explorer.EXE
3412	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1136	rundll32.exe
2096	control.exe
3412	Explorer.EXE
2096	control.exe
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3888	RuntimeBroker.exe
Token: SeShutdownPrivilege	3888	RuntimeBroker.exe
Token: SeShutdownPrivilege	3888	RuntimeBroker.exe
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3412	Explorer.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1136	2324	rundll32.exe	83
PID 2324 wrote to memory of 1136	2324	rundll32.exe	83
PID 2324 wrote to memory of 1136	2324	rundll32.exe	83
PID 1136 wrote to memory of 2096	1136	rundll32.exe	91
PID 1136 wrote to memory of 2096	1136	rundll32.exe	91
PID 1136 wrote to memory of 2096	1136	rundll32.exe	91
PID 1136 wrote to memory of 2096	1136	rundll32.exe	91
PID 1136 wrote to memory of 2096	1136	rundll32.exe	91
PID 2096 wrote to memory of 3412	2096	control.exe	56
PID 2096 wrote to memory of 3412	2096	control.exe	56
PID 2096 wrote to memory of 3412	2096	control.exe	56
PID 3412 wrote to memory of 3888	3412	Explorer.EXE	60
PID 2096 wrote to memory of 4668	2096	control.exe	94
PID 2096 wrote to memory of 4668	2096	control.exe	94
PID 2096 wrote to memory of 4668	2096	control.exe	94
PID 3412 wrote to memory of 3888	3412	Explorer.EXE	60
PID 3412 wrote to memory of 3888	3412	Explorer.EXE	60
PID 3412 wrote to memory of 3488	3412	Explorer.EXE	62
PID 2096 wrote to memory of 4668	2096	control.exe	94
PID 2096 wrote to memory of 4668	2096	control.exe	94
PID 3412 wrote to memory of 3488	3412	Explorer.EXE	62
PID 3412 wrote to memory of 3488	3412	Explorer.EXE	62
PID 3412 wrote to memory of 3868	3412	Explorer.EXE	76
PID 3412 wrote to memory of 3868	3412	Explorer.EXE	76
PID 3412 wrote to memory of 3868	3412	Explorer.EXE	76
PID 3412 wrote to memory of 4552	3412	Explorer.EXE	102
PID 3412 wrote to memory of 4552	3412	Explorer.EXE	102
PID 4552 wrote to memory of 1680	4552	cmd.exe	104
PID 4552 wrote to memory of 1680	4552	cmd.exe	104
PID 3412 wrote to memory of 4844	3412	Explorer.EXE	106
PID 3412 wrote to memory of 4844	3412	Explorer.EXE	106
PID 3412 wrote to memory of 4208	3412	Explorer.EXE	108
PID 3412 wrote to memory of 4208	3412	Explorer.EXE	108
PID 3412 wrote to memory of 4208	3412	Explorer.EXE	108
PID 3412 wrote to memory of 4208	3412	Explorer.EXE	108
PID 3412 wrote to memory of 4208	3412	Explorer.EXE	108
PID 3412 wrote to memory of 4208	3412	Explorer.EXE	108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\04d6963ab02c1f483cb9ff7af68c15456740099de5dd84dc68a77e9511772129.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\04d6963ab02c1f483cb9ff7af68c15456740099de5dd84dc68a77e9511772129.dll,#1
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\system32\control.exe
      C:\Windows\system32\control.exe /?
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
        5⤵
        
        PID:4668
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\9CD0.bi1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\9CD0.bi1"
  2⤵
  PID:4844
- C:\Windows\syswow64\cmd.exe
  "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4208

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3488

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9CD0.bi1

Filesize
122B

MD5
4e722b4828cea8a135eb7a2bfd92ab01

SHA1
8e1abee672a878fd9c1d33e242502205d9b2da55

SHA256
c4d1feacbfb9ecd1a24e9b6d3e51fc7e9797da543d319f43ff0917db4c1e5e02

SHA512
88c0d6b07d45f906164b2c1178a938ffb56c4fa7288853a02f460339bca026fa58b26a37f52ea846bc205e1828f12f0361d1b0425a1106c8b1a947856d4ee4e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Cleakmon\CIRCmifs.dll

Filesize
761KB

MD5
daacc7852627bd0e71b8e3d2a4a6543b

SHA1
f47462d2b9d2b375684f98f011e399c25fe2e7dd

SHA256
04d6963ab02c1f483cb9ff7af68c15456740099de5dd84dc68a77e9511772129

SHA512
4c6fe5679e123443c3ec19094683ba834dbec0515b56bcde43c33d423db2684b108d6f9c457c9c10daa4765054c7d8bdc163b59a2c75464c42d7bcb6a18b2cd8

Download Submit
memory/1136-13-0x00000000006D0000-0x000000000071A000-memory.dmp

Filesize
296KB

Download
memory/1136-6-0x00000000006D0000-0x000000000071A000-memory.dmp

Filesize
296KB

Download
memory/1136-15-0x0000000074089000-0x000000007408C000-memory.dmp

Filesize
12KB

Download
memory/1136-22-0x0000000073FD0000-0x000000007499E000-memory.dmp

Filesize
9.8MB

Download
memory/1136-3-0x0000000073FD0000-0x000000007499E000-memory.dmp

Filesize
9.8MB

Download
memory/1136-2-0x0000000073FD0000-0x000000007499E000-memory.dmp

Filesize
9.8MB

Download
memory/1136-0-0x0000000074089000-0x000000007408C000-memory.dmp

Filesize
12KB

Download
memory/2096-23-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2096-17-0x0000000000710000-0x00000000007C4000-memory.dmp

Filesize
720KB

Download
memory/2096-24-0x0000000000710000-0x00000000007C4000-memory.dmp

Filesize
720KB

Download
memory/2096-54-0x0000000000710000-0x00000000007C4000-memory.dmp

Filesize
720KB

Download
memory/3412-25-0x00000000036C0000-0x0000000003774000-memory.dmp

Filesize
720KB

Download
memory/3412-30-0x00000000036C0000-0x0000000003774000-memory.dmp

Filesize
720KB

Download
memory/3412-55-0x00000000036C0000-0x0000000003774000-memory.dmp

Filesize
720KB

Download
memory/3412-29-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/3488-45-0x00000163FB650000-0x00000163FB704000-memory.dmp

Filesize
720KB

Download
memory/3868-50-0x000001B3417A0000-0x000001B341854000-memory.dmp

Filesize
720KB

Download
memory/3888-33-0x000001EA34930000-0x000001EA349E4000-memory.dmp

Filesize
720KB

Download
memory/3888-38-0x000001EA34930000-0x000001EA349E4000-memory.dmp

Filesize
720KB

Download
memory/3888-37-0x000001EA325A0000-0x000001EA325A1000-memory.dmp

Filesize
4KB

Download
memory/4208-61-0x00000000015F0000-0x0000000001697000-memory.dmp

Filesize
668KB

Download
memory/4668-40-0x000002625D8C0000-0x000002625D974000-memory.dmp

Filesize
720KB

Download
memory/4668-49-0x000002625D8C0000-0x000002625D974000-memory.dmp

Filesize
720KB

Download
memory/4668-44-0x000002625D6B0000-0x000002625D6B1000-memory.dmp

Filesize
4KB

Download