Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/02/2025, 06:59

General

  • Target

    2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnit.exe

  • Size

    867KB

  • MD5

    2d5e92d6c90ef3ec07d26b04c5a3a1fd

  • SHA1

    30c554d183c709b2701cc91b4527775abb33ab74

  • SHA256

    d27cb7a2bf0aa4d7d49c68555084595f433897992b39a8b61f59b9056b74287b

  • SHA512

    0953e2a402ea8b71708de4bd3df365de135bb7bcebcb5e53919acff4c88cd881b898a057eddac156f057560158057a65c4d051db955a0b1e915565d3a4588fa2

  • SSDEEP

    12288:MASJCsqQtu95V4WUA+6dH1G0p+MU7bo24wmLsG/RgRQrUrF2ClG+pG/YR:MACeQO5V4WUA+6dHN+l9ZL5rF2igYR

Malware Config

Extracted

Family

gozi

Attributes
  • build

    214131

Extracted

Family

gozi

Botnet

5020

C2

settings-win.data.microsoft.com

accrualdewd.xyz

Attributes
  • build

    214131

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnit.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnitmgr.exe
      C:\Users\Admin\AppData\Local\Temp\2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnitmgr.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2384
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 264
        3⤵
        • Program crash
        PID:4656
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2384 -ip 2384
    1⤵
      PID:1644
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      PID:4460
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4408 CREDAT:17410 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1060
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:664 CREDAT:17410 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2928
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4368
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4368 CREDAT:17410 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3036
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3216 CREDAT:17410 /prefetch:2
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:1588

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

      Filesize

      4KB

      MD5

      da597791be3b6e732f0bc8b20e38ee62

      SHA1

      1125c45d285c360542027d7554a5c442288974de

      SHA256

      5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

      SHA512

      d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

    • C:\Users\Admin\AppData\Local\Temp\2025-02-27_2d5e92d6c90ef3ec07d26b04c5a3a1fd_icedid_ramnitmgr.exe

      Filesize

      105KB

      MD5

      d5ca6e1f080abc64bbb11e098acbeabb

      SHA1

      1849634bf5a65e1baddddd4452c99dfa003e2647

      SHA256

      30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

      SHA512

      aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

    • C:\Users\Admin\AppData\Local\Temp\Kno7E91.tmp

      Filesize

      88KB

      MD5

      002d5646771d31d1e7c57990cc020150

      SHA1

      a28ec731f9106c252f313cca349a68ef94ee3de9

      SHA256

      1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

      SHA512

      689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

    • C:\Users\Admin\AppData\Local\Temp\~DFE0FBC3C42673AF26.TMP

      Filesize

      16KB

      MD5

      86c824cb00958570b10220cabb74769a

      SHA1

      bd9fbb2c8f49b14bffa584dd22a0f4600886ff60

      SHA256

      1e62bdf65fbdf4f93fae180afb14870ac4d49148c9d6535228f1c9e39c3a6c1c

      SHA512

      270d45d9ea782edbec878b8ab4916349bfab7149dc83912f78640359c9f05175e4e90436bc7babc5551685150a7ed7e0c937dec17546727cf6fc8b1e28b3a664

    • memory/2384-4-0x0000000000400000-0x000000000045D000-memory.dmp

      Filesize

      372KB

    • memory/2384-6-0x0000000000560000-0x0000000000561000-memory.dmp

      Filesize

      4KB

    • memory/2384-8-0x0000000000400000-0x000000000045D000-memory.dmp

      Filesize

      372KB

    • memory/3064-11-0x0000000000400000-0x00000000004F6000-memory.dmp

      Filesize

      984KB

    • memory/3064-13-0x0000000002210000-0x000000000221F000-memory.dmp

      Filesize

      60KB

    • memory/3064-16-0x00000000004A5000-0x00000000004A8000-memory.dmp

      Filesize

      12KB

    • memory/3064-17-0x0000000000400000-0x00000000004F6000-memory.dmp

      Filesize

      984KB

    • memory/3064-9-0x00000000004A5000-0x00000000004A8000-memory.dmp

      Filesize

      12KB

    • memory/3064-0-0x0000000000400000-0x00000000004F6000-memory.dmp

      Filesize

      984KB

    • memory/3064-10-0x0000000000400000-0x00000000004F6000-memory.dmp

      Filesize

      984KB