Overview

overview

10

Static

static

10

f4f0429f3d...af.exe

windows7-x64

10

f4f0429f3d...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    02-07-2024 23:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4f0429f3d67de78283f6814ae9f914391048dba16eee664292ed13c326348af.exe

  • Size

    3.1MB

  • MD5

    6566b990bd971c1cf0324c1f6682f70a

  • SHA1

    0b4745955d2676938241df1cc6161d5efc8a6b57

  • SHA256

    f4f0429f3d67de78283f6814ae9f914391048dba16eee664292ed13c326348af

  • SHA512

    eba63402fb5d397fc1a4f0ab5e1dc0c7b46282e4dcc80f273883afb2b674e1b2ac5f4faed3e9a04cb0995dc832dd5771e2f14db0cfec1aa35f115663ef5033bf

  • SSDEEP

    49152:Tlad+RofyVkmBukNbWMZ6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcf:YdrfyVkmBPdg3Yz5J/693k+

Score
10/10
gozibankerisfbtrojanupx

Malware Config

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4f0429f3d67de78283f6814ae9f914391048dba16eee664292ed13c326348af.exe
    "C:\Users\Admin\AppData\Local\Temp\f4f0429f3d67de78283f6814ae9f914391048dba16eee664292ed13c326348af.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Public\xiaodaxzqxia\n.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
        3⤵
          PID:2604
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\xiaodaxzqxia\A.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
            4⤵
              PID:2780
        • C:\Users\Public\xiaodaxzqxia\v.exe
          "C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
          2⤵
          • Executes dropped EXE
          PID:2740
      • C:\Windows\hh.exe
        "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\8510366750615495\A11.chm
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2796
      • C:\Windows\hh.exe
        "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\8510366750615495\A11.chm
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3048

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
        Filesize

        8KB

        MD5

        942e2f8e990c1092b87f14522e4fb217

        SHA1

        a7e4a678a8e122263c3591a040c4194938f420e9

        SHA256

        ba551afebaed2900be08c1e3b376733209a12afe2b8c9997c13a712007c97a1f

        SHA512

        054239569df0002e86d37f696b4cec61be1a7b0d21baaabed9f46578e1878664a6e56b92c45e2e4070779fddcf703f7b878521e4ebb55cf3faf5c00de1865456

        Download Submit
      • C:\Users\Public\cxzvasdfg\8510366750615495\A11.chm
        Filesize

        9KB

        MD5

        8dc3f638086ac2a3c5add4d77dcc0468

        SHA1

        1112422c310809cbc9659f44a3f25bc123d2f822

        SHA256

        8650d112c9b776fd5cc8644178daad65ce131da397e82f38d25e39ab70d86d0f

        SHA512

        a6436bee9441b709f5f6c54e1da854f1e0fe4483fb9e757e8422d9d72f19975b20c982e8dd1adadd8ed27378346905795c06ae99aab4183fa6bff2bb768fbd8d

        Download Submit
      • C:\Users\Public\xiaodaxzqxia\A.vbs
        Filesize

        107B

        MD5

        bcb223ea9c0598f04684216bcd0e12a6

        SHA1

        2661c8fbca3654a29fa261def7f16ea23a6f3165

        SHA256

        ef2113720c94cbe4cb494d6e24d26803b4b1a094e35e4285cd4a2f5665ef2c37

        SHA512

        77e440462544ca9f711f9241096601060080f5751651cab8a796d57ed74c424f03a9237a653c17a386c1ef654e6192d0e54080632dacff15a28a46564e639682

        Download Submit
      • C:\Users\Public\xiaodaxzqxia\n.bat
        Filesize

        263B

        MD5

        c7d8b33e05722104d63de564a5d92b01

        SHA1

        fd703f1c71ac1dae65dc34f3521854604cec8091

        SHA256

        538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

        SHA512

        54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

        Download Submit
      • C:\Users\Public\xiaodaxzqxia\v.exe
        Filesize

        161KB

        MD5

        fecf803f7d84d4cfa81277298574d6e6

        SHA1

        0fd9a61bf9a361f87661de295e70a9c6795fe6a1

        SHA256

        81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

        SHA512

        a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

        Download Submit
      • memory/2740-29-0x0000000000400000-0x000000000043D000-memory.dmp
        Filesize

        244KB

        Download
      • memory/2920-0-0x0000000000400000-0x0000000000719000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2920-13-0x0000000000400000-0x0000000000719000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2920-38-0x0000000000400000-0x0000000000719000-memory.dmp
        Filesize

        3.1MB

        Download