Analysis

  • max time kernel
    140s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 17:54

General

  • Target

    5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326.dll

  • Size

    744KB

  • MD5

    d6d4942cd0282dbbb0e34276706e6bab

  • SHA1

    90a17a059b290a2d5becbff3ec9fe4dabdfc06ae

  • SHA256

    5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326

  • SHA512

    ab028fae00d51822e25e38829ee213905d77e6810cad2339e6b2c54530f235596acd749878ef0a65cf10950f40aa4df45c3c7c8d9550add3069c5cd1734f066c

  • SSDEEP

    12288:4GzKiFJSk5OWpk0KQlL7QQDprnF0xfHHlsTRRZC7Emy/Kt28nxub/lgkjK7l6kXC:9+iFJJ5OWpk0KQh8QD8uPZC7EojvkjKa

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

7405

C2

signin.microsoft.com

login.microsoft.com

linerstats.com

linerstats.bar

infeetic.co

Attributes
  • base_path

    /includes/

  • build

    250190

  • dns_servers

    107.174.86.134

    107.175.127.22

  • exe_type

    loader

  • extension

    .img

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f65108386662cc4780882e06928dd940ea6c75235bf8e4c09079e6e40045326.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cd rose C
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1416
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c cd dicti
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1920
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1812
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4388
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4856 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2164-0-0x00000000754F7000-0x00000000754FB000-memory.dmp

    Filesize

    16KB

  • memory/2164-1-0x0000000075440000-0x000000007550B000-memory.dmp

    Filesize

    812KB

  • memory/2164-2-0x0000000075440000-0x000000007550B000-memory.dmp

    Filesize

    812KB

  • memory/2164-3-0x0000000075440000-0x000000007550B000-memory.dmp

    Filesize

    812KB

  • memory/2164-4-0x00000000754F7000-0x00000000754FB000-memory.dmp

    Filesize

    16KB

  • memory/2164-5-0x0000000075440000-0x000000007550B000-memory.dmp

    Filesize

    812KB

  • memory/2164-6-0x0000000075440000-0x000000007550B000-memory.dmp

    Filesize

    812KB

  • memory/2164-8-0x0000000075440000-0x000000007550B000-memory.dmp

    Filesize

    812KB

  • memory/2164-9-0x0000000002AF0000-0x0000000002B00000-memory.dmp

    Filesize

    64KB

  • memory/2164-12-0x0000000075440000-0x000000007550B000-memory.dmp

    Filesize

    812KB