Analysis

  • max time kernel
    145s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 19:10

General

  • Target

    3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe

  • Size

    304KB

  • MD5

    4c7aa22092360d14d5c799e0bd873d78

  • SHA1

    64372fa56d6cac4c6ec49ea02f3a5ffe32566aa8

  • SHA256

    3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01

  • SHA512

    72d010a5c4ef66c2883410e7d93f9751db47267c91a3c52c24e9f5b39c3953e2a659c1552d88238b053001c4d29ee3fd65bafcc389281aa806c1a6e3cd161555

  • SSDEEP

    6144:Kg4Myj0VKau5jfPcMhV2RRYgUvCwZsUpQitLZWVWJC9OfrOYujPy:kaVKbJcMhVEeRpaU38VQCUwm

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

303

C2

http://aaxvkah7dudzoloq.onion

http://tahhir.at

http://limpopo.at

http://estate-advice.at

Attributes
  • build

    217107

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    worker

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Unexpected DNS network traffic destination 3 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Local\Temp\3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe
      "C:\Users\Admin\AppData\Local\Temp\3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\system32\control.exe
        C:\Windows\system32\control.exe /?
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3784
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
          4⤵
            PID:640
      • C:\Windows\system32\cmd.exe
        cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\7D7A.bi1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3588
        • C:\Windows\system32\nslookup.exe
          nslookup myip.opendns.com resolver1.opendns.com
          3⤵
            PID:1212
        • C:\Windows\system32\cmd.exe
          cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\7D7A.bi1"
          2⤵
            PID:1416
          • C:\Windows\syswow64\cmd.exe
            "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2300
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4040
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:4112
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3344

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\7D7A.bi1

              Filesize

              122B

              MD5

              4e722b4828cea8a135eb7a2bfd92ab01

              SHA1

              8e1abee672a878fd9c1d33e242502205d9b2da55

              SHA256

              c4d1feacbfb9ecd1a24e9b6d3e51fc7e9797da543d319f43ff0917db4c1e5e02

              SHA512

              88c0d6b07d45f906164b2c1178a938ffb56c4fa7288853a02f460339bca026fa58b26a37f52ea846bc205e1828f12f0361d1b0425a1106c8b1a947856d4ee4e4

            • C:\Users\Admin\AppData\Roaming\Microsoft\BdeHxpps\dxilerPS.exe

              Filesize

              304KB

              MD5

              4c7aa22092360d14d5c799e0bd873d78

              SHA1

              64372fa56d6cac4c6ec49ea02f3a5ffe32566aa8

              SHA256

              3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01

              SHA512

              72d010a5c4ef66c2883410e7d93f9751db47267c91a3c52c24e9f5b39c3953e2a659c1552d88238b053001c4d29ee3fd65bafcc389281aa806c1a6e3cd161555

            • memory/640-39-0x000002A1A5E40000-0x000002A1A5EF3000-memory.dmp

              Filesize

              716KB

            • memory/1176-9-0x00000000005F0000-0x000000000063A000-memory.dmp

              Filesize

              296KB

            • memory/1176-2-0x00000000005F0000-0x000000000063A000-memory.dmp

              Filesize

              296KB

            • memory/2300-55-0x00000000017A0000-0x0000000001845000-memory.dmp

              Filesize

              660KB

            • memory/3344-45-0x0000023FD0750000-0x0000023FD0803000-memory.dmp

              Filesize

              716KB

            • memory/3488-24-0x00000000089B0000-0x0000000008A63000-memory.dmp

              Filesize

              716KB

            • memory/3488-19-0x00000000089B0000-0x0000000008A63000-memory.dmp

              Filesize

              716KB

            • memory/3488-23-0x00000000030E0000-0x00000000030E1000-memory.dmp

              Filesize

              4KB

            • memory/3488-49-0x00000000089B0000-0x0000000008A63000-memory.dmp

              Filesize

              716KB

            • memory/3784-17-0x0000000000E90000-0x0000000000F43000-memory.dmp

              Filesize

              716KB

            • memory/3784-13-0x0000000000E90000-0x0000000000F43000-memory.dmp

              Filesize

              716KB

            • memory/3784-12-0x0000000000F50000-0x0000000000F51000-memory.dmp

              Filesize

              4KB

            • memory/3784-44-0x0000000000E90000-0x0000000000F43000-memory.dmp

              Filesize

              716KB

            • memory/4040-32-0x0000019141B70000-0x0000019141C23000-memory.dmp

              Filesize

              716KB

            • memory/4040-31-0x0000019141C30000-0x0000019141C31000-memory.dmp

              Filesize

              4KB

            • memory/4040-27-0x0000019141B70000-0x0000019141C23000-memory.dmp

              Filesize

              716KB

            • memory/4112-43-0x000002B7468F0000-0x000002B7469A3000-memory.dmp

              Filesize

              716KB

            • memory/4112-38-0x000002B745F30000-0x000002B745F31000-memory.dmp

              Filesize

              4KB

            • memory/4112-33-0x000002B7468F0000-0x000002B7469A3000-memory.dmp

              Filesize

              716KB