Analysis

  • max time kernel
    140s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2024 19:39

General

  • Target

    058d1a8bce641c7ec149a1ffc71611b45d72dc3493d5ddf29eece71e4d9c6d84.exe

  • Size

    173KB

  • MD5

    b2e77c322bfb16845c90c5a1ada5dc9d

  • SHA1

    696993009f0c8737c5c04445a59696ca0ca5742f

  • SHA256

    058d1a8bce641c7ec149a1ffc71611b45d72dc3493d5ddf29eece71e4d9c6d84

  • SHA512

    39e76a90aad55e0f5e752bbce1dfce817f60a3173bff193e490994f6fb80ec6ae0f8ef32ef128ff98505570b508f797df099f3a504a2d735a4c7a627ddf49110

  • SSDEEP

    3072:o3QwHHZekLlcbo6xjfIWFymNdlRJs7KkRf+1mU39CLHm7UU:4pEsqDIjmNdjJs7Dfc9Cgb

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214085

Extracted

Family

gozi

Botnet

3490

C2

google.com

gmail.com

wngtdpablo.com

hclement28.com

d33ounorbertoui.top

Attributes
  • build

    214085

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain
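The DGA fields above (dga_base_url, dga_crc, dga_season, dga_tlds) describe a wordlist DGA: the bot fetches a fixed public text, picks words from it under a seed that changes every dga_season days, and appends one of dga_tlds, so the hard-coded C2 list is only part of the rendezvous surface. The Python below is an added illustration, not code from this page or from the Gozi family itself. It shows the shape of such a generator and a hunting heuristic that flags DNS names whose label decomposes into words from the base text. The seed derivation, the PRNG, the word-length rules and the function names are assumptions chosen for clarity; they do not reproduce Gozi's actual algorithm, and the names this code produces must not be treated as indicators. An excerpt of the Declaration of Independence is embedded inline in place of fetching dga_base_url, so the example runs offline.

```python
"""Schematic wordlist DGA parameterised like the extracted Gozi config, plus a
hunt heuristic. ASSUMPTION: seed derivation, PRNG and word-picking rules are
illustrative and are NOT Gozi's real algorithm; do not use the output as IOCs."""
import re
from datetime import date

# Parameters copied from the Malware Config section of the report.
EXTRACTED_CONFIG = {
    "dga_crc": 0x4EB7D2CA,
    "dga_season": 10,
    "dga_tlds": ["com", "ru", "org"],
}

# Inline stand-in for the body of dga_base_url (constitution.org/usdeclar.txt);
# embedded here so the example needs no network access.
DECLARATION_EXCERPT = """When in the Course of human events, it becomes necessary
for one people to dissolve the political bands which have connected them with
another, and to assume among the powers of the earth, the separate and equal
station to which the Laws of Nature and of Nature's God entitle them, a decent
respect to the opinions of mankind requires that they should declare the causes
which impel them to the separation. We hold these truths to be self-evident,
that all men are created equal, that they are endowed by their Creator with
certain unalienable Rights, that among these are Life, Liberty and the pursuit
of Happiness."""


def words_from_text(text, min_len=3, max_len=12):
    """Split the base text into lower-cased candidate words, in document order."""
    return [w.lower() for w in re.findall(r"[A-Za-z]+", text)
            if min_len <= len(w) <= max_len]


def window_index(day_iso, season):
    """Number of the `season`-day window that contains the given ISO date.
    Every host in the same window derives the same seed (assumed behaviour)."""
    return date.fromisoformat(day_iso).toordinal() // season


def window_seed(day_iso, season, crc):
    """Assumed seed: window number mixed with the config CRC, kept to 32 bits."""
    return (window_index(day_iso, season) ^ crc) & 0xFFFFFFFF


class Lcg:
    """Small 32-bit linear congruential generator (assumed, not Gozi's PRNG)."""

    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def next(self):
        self.state = (self.state * 1103515245 + 12345) & 0xFFFFFFFF
        return self.state >> 16


def generate_domains(day_iso, words, cfg, count=5, min_len=12, max_len=23):
    """Emit `count` candidate domains for the window containing `day_iso`.
    A label is built by concatenating words from the base text until a target
    length is reached (the last word is cut to fit), then a TLD is appended."""
    rng = Lcg(window_seed(day_iso, cfg["dga_season"], cfg["dga_crc"]))
    tlds = cfg["dga_tlds"]
    domains = []
    for _ in range(count):
        target = min_len + rng.next() % (max_len - min_len + 1)
        label = ""
        while len(label) < target:
            word = words[rng.next() % len(words)]
            label += word[: target - len(label)]
        domains.append(f"{label}.{tlds[rng.next() % len(tlds)]}")
    return domains


def is_wordlist_domain(domain, words, tlds, min_len=12):
    """Hunt heuristic: True if the label is an alphabetic concatenation of base-text
    words, optionally ending in a cut-off word, under one of the configured TLDs."""
    label, _, tld = domain.lower().rpartition(".")
    if tld not in tlds or len(label) < min_len or not label.isalpha():
        return False
    wordset = set(words)
    prefixes = {w[:i] for w in wordset for i in range(1, len(w) + 1)}
    n = len(label)
    reach = [False] * (n + 1)   # reach[i]: label[:i] splits cleanly into words
    reach[0] = True
    for i in range(n):
        if not reach[i]:
            continue
        for j in range(i + 1, n + 1):
            piece = label[i:j]
            if piece in wordset or (j == n and piece in prefixes):
                reach[j] = True
    return reach[n]


if __name__ == "__main__":
    words = words_from_text(DECLARATION_EXCERPT)
    today = date.today().isoformat()
    for d in generate_domains(today, words, EXTRACTED_CONFIG):
        print(d, is_wordlist_domain(d, words, EXTRACTED_CONFIG["dga_tlds"]))
    # A hard-coded C2 from the config is not word-built and is not flagged.
    print("hclement28.com", is_wordlist_domain("hclement28.com", words,
                                               EXTRACTED_CONFIG["dga_tlds"]))
```

For hunting, run is_wordlist_domain over DNS query logs restricted to the three configured TLDs; the decomposition check is a heuristic and will also match legitimate dictionary-word domains, so treat hits as leads, not verdicts. Note also that the hard-coded C2 list above contains google.com and gmail.com; Gozi configs commonly carry such benign domains as connectivity checks, and they are not infrastructure to block.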

Signatures

  • Gozi

    Gozi (also tracked as Ursnif/ISFB) is a well-known and widely distributed banking trojan. The extracted config identifies this sample as the loader stage (exe_type: loader).

  • Gozi family
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001).

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\058d1a8bce641c7ec149a1ffc71611b45d72dc3493d5ddf29eece71e4d9c6d84.exe
    "C:\Users\Admin\AppData\Local\Temp\058d1a8bce641c7ec149a1ffc71611b45d72dc3493d5ddf29eece71e4d9c6d84.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1968
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2848
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2792 CREDAT:275466 /prefetch:2
      2⤵
        PID:1852
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:744
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2620
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1840

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      92484b99b3e4594481b94201f3ba4e12

      SHA1

      ab9304b675954571ee7b8ba7e47d0a9529a5ea36

      SHA256

      95e1cd83777acf48183ed694bca934dcae91fd29428267f2d5549119ca4a9179

      SHA512

      cc6ac23e28445963c2c41a0a08ae8ad882e1503f39c89e74509370e2b813e8eb05b9ea01c8afb159286a4ec6314fa290c51f6646d446a1b55262643c43d01529

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      687dff56a7631903928139b504cb2baa

      SHA1

      4b4ce987aab7bd682582e10c971fe7e2b9ad8f59

      SHA256

      1d77f9b1a4bc322ee658408868f836c16c9acbc3cfb9ea33e228abe0dfdab20a

      SHA512

      cd8cf2b0e8615810ec781023340a5d8ff701bb46992dabf5800b1e6bafe5f3efa3773db64f1ec8e8aa02afed582a232669fb61e4f022dce9068c480c40b554a4

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      d97567a64fd570480f5e84c696638179

      SHA1

      7722a38efb00612475717bfcfab26824ed210569

      SHA256

      f90c990716ab87c87f1ba23d4ba91c94d118f41b404ccd28c7d8da10f2acb125

      SHA512

      9c39d1b37dcc9e6a433377a3a0a44a7d93b5c7dad18572cac73eb8594614918329a0f687c6cc1d78b206bdbdf31a30c1f61f24a86ebc4fe0c65ba90d9a837213

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      6b60dcbd24d7374a1f4111456a5e4fc7

      SHA1

      4cc2b8e8ec628359f05f1c2c3f5fc00a763d6c0b

      SHA256

      998e999c5dac32601959a9cc1b99516ba713242c45ed4c41371ef1faa89f7365

      SHA512

      efda5b4dcb712c007ad0601956186158ad47b4ba4e0e96c7a0d6a9d44103563a47fa8a09e777b962d8fb1b3335cbe53853277d157f08894d6bd00e5da1af54fc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      b738270a2e5702df2f6cc6779a1acbac

      SHA1

      2fb0c2428fc768a6bf5f9637b3a986b32dfd65cc

      SHA256

      b636bc70acb40945e2096d9aabd95f31b8c0b7f08c758a9331efe5b8d9c78258

      SHA512

      5579fceb950f598eb288e9fb0d84119782e31b9606d953a2c63f5a54af50bbd1f5d9f17df5bf8e81138cf9bd2474e36a7e3edfcea66080764e8b7d764c922cbc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      f3e1f2b6633e286cd144617ec700b572

      SHA1

      e629344b523858b739d79ea3cf7ce1b89e46fec4

      SHA256

      f1d9549a3afe696dd504f752a65b347c077c327975cea2236da8075b63f27ac3

      SHA512

      300ef7da7e8fa653ec1826369789264262829c553582f0421930d43fa1595122646ff2d1e585b1d05b8904e7a66b9554798afd041b5fbb8f41d258ab32c8c459

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      0422e8a2466ab1015ba01985cd8e28d8

      SHA1

      c9b556efe9172acc9e39aba21c63d1406337f7d1

      SHA256

      4b79c00342ffabf2954ccf37a848d2fde6f2c6947b24491331cd843a330309d8

      SHA512

      35d2e4c47a2812b9fa1e687b2872095701a76548abbc70f8f99f8b28bfc0ac44e1448be8473a31220bc3a473394fb5aebea8d94273f8078c7c30c5cad88bc10c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ffca39ef43d5960aa0fd98418b78edf4

      SHA1

      d363052ee899ea677ac9d997fdb4c66902d34374

      SHA256

      b91829b4bd59d11503c05f5999331e0a6b1640dea209bb12a214aab2c61c0b26

      SHA512

      7b484d1b0eb206e81b8e1426e659362b5b230ab440890087fcc849a3203045be0841df801d23acf3449a49a2a7dcd8351779757ae451f8bbc8a4feca8b86557d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      ed7c31ec9b2a1bb6a8186104b85dbd78

      SHA1

      d61ea60277f364d5063443754ecad5a09c1fed90

      SHA256

      897fe5a6ae8b06708e5ab5948b3730284b82d0c13c4a5bbbc29315dcb967622f

      SHA512

      f92599601594cbac89beea67defb74c9358635fba5ffaf6437c0071470775b627c379fdade34247e41681db275298bd9213a551daff48662f94f9b4d6ca565a3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      20121fc779210ae23d0d62879e6dfc3b

      SHA1

      29a4396b541cd62240f0cde6625291f080578bda

      SHA256

      646d1517b54cd2521ab939eb55d5a137f67b08df120ea91888e1f1fef404cdbb

      SHA512

      d9c2c20678762f9c523d1bbd3dfbcbdb9af23ce1989458e53deb287f9911c183a8c263318fc535fd8a5fbe5ea1d772a4a112e6506050839a64fa57690960c359

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      85cd81a110cd9a662c0209d64ae0a1a9

      SHA1

      0f2acbc6019044e4bf2efda0f26e2f2d103d710f

      SHA256

      bde3313eb2c642daf24f0ea6f11044c5b9f24918aeb3c4980a307c29cd7d1a05

      SHA512

      904c0d3ca354dd51e89ffd14dac023a4b98b2e12aec78d0639d71a639c445142eea95387c12bced45c56a792b774e36f2637859e24f2565bb285ae865a1e1764

    • C:\Users\Admin\AppData\Local\Temp\Cab4FA9.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\Tar5048.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\~DF24FF96A1274C4C97.TMP

      Filesize

      16KB

      MD5

      856a4e0e626c62c174f7c20b8a7df0f7

      SHA1

      2d2c22e42c914d2d21b5bc72f39490d64489f909

      SHA256

      6f4189b2d2d71d0f4f8839628d11b03f877394388ba744335504260ce84aba62

      SHA512

      9b341bb2a2258ae85dc81d8e39a0b1f9259fa7ec68b0cee5d96baa172801e3f9368fa334c625f16b2cf9ac31828da7263b4f093e592e84813afd21f4d4c7629a

    • memory/1968-0-0x000000000042E000-0x0000000000431000-memory.dmp

      Filesize

      12KB

    • memory/1968-12-0x00000000003E0000-0x00000000003E2000-memory.dmp

      Filesize

      8KB

    • memory/1968-11-0x0000000000400000-0x0000000000548000-memory.dmp

      Filesize

      1.3MB

    • memory/1968-10-0x000000000042E000-0x0000000000431000-memory.dmp

      Filesize

      12KB

    • memory/1968-3-0x0000000000250000-0x000000000025F000-memory.dmp

      Filesize

      60KB

    • memory/1968-2-0x0000000000400000-0x0000000000548000-memory.dmp

      Filesize

      1.3MB

    • memory/1968-1-0x0000000000400000-0x0000000000548000-memory.dmp

      Filesize

      1.3MB