Analysis

  • max time kernel
    140s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2024 19:47

General

  • Target
    058d1a8bce641c7ec149a1ffc71611b45d72dc3493d5ddf29eece71e4d9c6d84.exe
  • Size
    173KB
  • MD5
    b2e77c322bfb16845c90c5a1ada5dc9d
  • SHA1
    696993009f0c8737c5c04445a59696ca0ca5742f
  • SHA256
    058d1a8bce641c7ec149a1ffc71611b45d72dc3493d5ddf29eece71e4d9c6d84
  • SHA512
    39e76a90aad55e0f5e752bbce1dfce817f60a3173bff193e490994f6fb80ec6ae0f8ef32ef128ff98505570b508f797df099f3a504a2d735a4c7a627ddf49110
  • SSDEEP
    3072:o3QwHHZekLlcbo6xjfIWFymNdlRJs7KkRf+1mU39CLHm7UU:4pEsqDIjmNdjJs7Dfc9Cgb

Malware Config

Extracted

  • Family
    gozi
  • Attributes
    • build
      214085

Extracted

  • Family
    gozi
  • Botnet
    3490
  • C2
    google.com
    gmail.com
    wngtdpablo.com
    hclement28.com
    d33ounorbertoui.top
  • Attributes
    • build
      214085
    • dga_base_url
      constitution.org/usdeclar.txt
    • dga_crc
      0x4eb7d2ca
    • dga_season
      10
    • dga_tlds
      com
      ru
      org
    • exe_type
      loader
    • server_id
      12
    • rsa_pubkey.plain
    • serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\058d1a8bce641c7ec149a1ffc71611b45d72dc3493d5ddf29eece71e4d9c6d84.exe
    "C:\Users\Admin\AppData\Local\Temp\058d1a8bce641c7ec149a1ffc71611b45d72dc3493d5ddf29eece71e4d9c6d84.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2324
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1344
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:537615 /prefetch:2
      2⤵
      PID:1364
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1612 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:536
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1820 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1256
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1684

Network

MITRE ATT&CK Enterprise v15

Downloads


  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: ba76cc630158a0bbd0219c3bc3caf517
    SHA1: b2952bbacfe4c9638f6a66df692001e41029db62
    SHA256: 234408327a3d52c911584b6c3a80d2703961f3708d3c524869206fcba46c9882
    SHA512: 178835d9fc8102ad40ba45758ef8d5dfd8c6c1dc3044b68439a19d19b54bd7cb84d83e3549b0ef9a00d4b24e751518ffa259d3e28c6d5e927f78fd7c1b36c8b3
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 5107e97f0664a7b0729696a8395dd779
    SHA1: 3ebf39007e932d2e058a185fa4ac1e8750178f3b
    SHA256: 85da6d0371d60b0ffb14574befe7b983ad348067ad820ffcb3602ae97323b62d
    SHA512: aab0d0b1abc20ae5eb2b601253007fc8ebe7e1c58f4add8e9682fb898829f997d38af3e7c190d898912d9fc19d80797e6ada69ae60dc82df82dc39ba2272cfa0
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: afbc371a1448f2dbc50d231031a7491c
    SHA1: b65df7ad7925dc2972a013139fbc015344ddd6a5
    SHA256: 975d506f75f931915b08e47e194f022cb61c6054cee46563b5f907035f044875
    SHA512: 413218bdea14443db31ddf16065a3c62576898d151ce874eb4a94f5b3cdc3fd3db900ae91135e46a93cec12143f145bd4779ee0a45669c41578000af6b4c4b6d
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 9e4cde6d21834dde69e8ae01ca172835
    SHA1: 819a45c8d93f3480900e4af041335662d6b040b0
    SHA256: 1fb18689b8a62a03056eba24c8fc325e5c5bfa76932d85963cb747c644734d8c
    SHA512: 11ceea2c5e8ded46e9069acea658d746bbecbac06134cb83e2f14fedc86dbc92c36faedfd38fff3723427d7ac80319c0b0a30213879fb0d951b051ee07d4986b
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 9370d6623b5ff36e77a3575278fe76e4
    SHA1: 90caeec56ab0d22945246e66b5f7cdf73f960c97
    SHA256: e666854a6a030e5bd215cad568519b8f7a15c6579a5a70cc5dc0314914623087
    SHA512: 2c6947a52ff0ec85a1bb9d8ba0ad7862daddcb183fe14198fdc8127c4b81d4ae2e403762401758855eb76b22f6f06b4de30d5aa52667690a8f49b34fe0de32b9
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 4b4722e954ba35811b0067fd93b56576
    SHA1: fcd7ee7184bb70e3cb2288caca758aaaf705b938
    SHA256: 500b24db1977a3bc036d87492242b0313299b68cd5929ae636184707c87fd0df
    SHA512: 4e3d58f0fa030cf9dbd8d51359d044b6a289ebd72af53b7f34904cc237fd518693fea3c6425f921484731f4d5216b082877ce816218090e9b21ade371cc39edb
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 02a81b791116443daf542e0a945f4f52
    SHA1: 71b097bc303be2fb20b1b509f5202d4b7e6cc43e
    SHA256: 3254bf043a4dbaf9ed26e3e7c1e4393be39233bd6589c57ad08f4cf2545ca4a6
    SHA512: 07e5b8895773eb538d0c6c6e74c494389a987021f52c500ec968f24505e3298478b32ec6552b9f10bf2c80f9e714a236f1004762c2286d8abf19c19b4b9ded26
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: 34168d0de4033db3a334e58f5cb1b7af
    SHA1: 410c9fc496ff7d62c1a37dceab61ea63f3bf083c
    SHA256: fd602906891c17cb6ce2fdd3f6cdfd394020c38fee4ed263a27e45907a46c5a6
    SHA512: c383af451f52d9e4b425b3623813210f674f532ccb4fbe8f45d43ae16843e3c70486eba2b2438c51fa4f4149f6e17618c12cd6c536b9b886eb8cd1656695a8ac
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 342B
    MD5: c9a6e8b1e0a7e2e3daf822561b06365f
    SHA1: f105a38c51acc1d426cf67e76fed21e52c90bcb0
    SHA256: c77d1244fc8a110ef1eb9530f4bd2118f9202d5225d86607912b91d2f1162435
    SHA512: a3d5db8e38db682c4b83b638bb92b2b80fbc92417f2f3baaa7b74ea3b02da58df1172746acd189dc97a1122338a4ba1bfb30a201be1e4c83a7ca2204b1a20604
  • C:\Users\Admin\AppData\Local\Temp\Cab8901.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
  • C:\Users\Admin\AppData\Local\Temp\Tar89AF.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
  • C:\Users\Admin\AppData\Local\Temp\~DF1AF7C569D8F27A5D.TMP
    Filesize: 16KB
    MD5: 9ae8ea2cc2c0720dde07a667acb1deed
    SHA1: bc79c9c560fdd778fb798cfcb1bbcbe4ed693a84
    SHA256: 462c877efe5e604dd4703f507442eec781917c0c989b7bb00bc0e7686c146137
    SHA512: 90f4b8c766123d99abe820451f0318eb2ea0995c7860b7fcb9ac52cfb7d15951b67899afd15a1bbe4b400458799932e9bf62abd4fe35593ce983a5976e5d2cdd

  • memory/2324-0-0x000000000042E000-0x0000000000431000-memory.dmp
    Filesize: 12KB
  • memory/2324-12-0x0000000000300000-0x0000000000302000-memory.dmp
    Filesize: 8KB
  • memory/2324-11-0x0000000000400000-0x0000000000548000-memory.dmp
    Filesize: 1.3MB
  • memory/2324-10-0x000000000042E000-0x0000000000431000-memory.dmp
    Filesize: 12KB
  • memory/2324-3-0x0000000000250000-0x000000000025F000-memory.dmp
    Filesize: 60KB
  • memory/2324-1-0x0000000000400000-0x0000000000548000-memory.dmp
    Filesize: 1.3MB
  • memory/2324-2-0x0000000000400000-0x0000000000548000-memory.dmp
    Filesize: 1.3MB