gozi | 5ecf8bf6a98fe1380171b15bafdd0523f2b85d27e7bc4cb73e36a6717a15b93f | Triage

Submit
Reports

Overview

overview

Static

static

installer.exe

windows10-2004-x64

8

Sharing

General

Target

installer.exe
Size

195KB
Sample

240628-xge6fasbln
MD5

9dd7f4587140ec81cc261c6d05bac60b
SHA1

6e999875685482810bb236383033195d329b923c
SHA256

5ecf8bf6a98fe1380171b15bafdd0523f2b85d27e7bc4cb73e36a6717a15b93f
SHA512

077224198ea5ac2d9b64a8fca1eb9141be35cee5ed4a625445024dc0939e797450ae7a94d9cb1ae392c7c24dfb8eb6dcd3a0cf2fdcd456640c71467538bb7ee1
SSDEEP

6144:KbemuOXxbzS5llg9JCWWRipfrA4is0rA:KjxxvSl6Fai9rA4iJ

Score

10^/10

gozi 1000 isfb persistence ransomware

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

installer.exe

Resource

win10v2004-20240508-en

persistence ransomware

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

1000

C2

repeseparation.ru

Attributes

exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Targets

- Target
  
  installer.exe
- Size
  
  195KB
- MD5
  
  9dd7f4587140ec81cc261c6d05bac60b
- SHA1
  
  6e999875685482810bb236383033195d329b923c
- SHA256
  
  5ecf8bf6a98fe1380171b15bafdd0523f2b85d27e7bc4cb73e36a6717a15b93f
- SHA512
  
  077224198ea5ac2d9b64a8fca1eb9141be35cee5ed4a625445024dc0939e797450ae7a94d9cb1ae392c7c24dfb8eb6dcd3a0cf2fdcd456640c71467538bb7ee1
- SSDEEP
  
  6144:KbemuOXxbzS5llg9JCWWRipfrA4is0rA:KjxxvSl6Fai9rA4iJ
Score

8^/10

persistence ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Hide Artifacts

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

Resource Development

Reconnaissance

Tasks

static1

behavioral1

persistenceransomware

© 2018-2024

Terms | Privacy