Overview

overview

10

Static

static

10

f4f0429f3d...af.exe

windows7-x64

10

f4f0429f3d...af.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    54s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 23:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4f0429f3d67de78283f6814ae9f914391048dba16eee664292ed13c326348af.exe

  • Size

    3.1MB

  • MD5

    6566b990bd971c1cf0324c1f6682f70a

  • SHA1

    0b4745955d2676938241df1cc6161d5efc8a6b57

  • SHA256

    f4f0429f3d67de78283f6814ae9f914391048dba16eee664292ed13c326348af

  • SHA512

    eba63402fb5d397fc1a4f0ab5e1dc0c7b46282e4dcc80f273883afb2b674e1b2ac5f4faed3e9a04cb0995dc832dd5771e2f14db0cfec1aa35f115663ef5033bf

  • SSDEEP

    49152:Tlad+RofyVkmBukNbWMZ6ZbaHcYz5aAVKiw6ZWqTG93jJ3hWpVcf:YdrfyVkmBPdg3Yz5J/693k+

Score
10/10
gozibankerisfbtrojanupx

Malware Config

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4f0429f3d67de78283f6814ae9f914391048dba16eee664292ed13c326348af.exe
    "C:\Users\Admin\AppData\Local\Temp\f4f0429f3d67de78283f6814ae9f914391048dba16eee664292ed13c326348af.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\xiaodaxzqxia\n.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\reg.exe
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
        3⤵
          PID:3452
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\xiaodaxzqxia\A.vbs"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4820
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\xiaodaxzqxia\n.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4612
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "1201" /d "0" /t REG_DWORD /f
            4⤵
              PID:3664
        • C:\Users\Public\xiaodaxzqxia\v.exe
          "C:\Users\Public\xiaodaxzqxia\v.exe" -o -d C:\Users\Public\xiaodaxzqxia C:\Users\Public\xiaodaxzqxia\111
          2⤵
          • Executes dropped EXE
          PID:4472
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:3576
        • C:\Windows\hh.exe
          "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\2241323910214173\A11.chm
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:2212
        • C:\Windows\hh.exe
          "C:\Windows\hh.exe" C:\Users\Public\cxzvasdfg\2241323910214173\A11.chm
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:4752

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\HTML Help\hh.dat
          Filesize

          8KB

          MD5

          2cecc1a89e4c2ec00248bc61e2e0f486

          SHA1

          02ee2356db70bcbb3a7f096d32486326a5679cef

          SHA256

          12ebc0cd0a86f1267d46acb4c004b51583ae9b4ade1874c1fb376c250e4a302c

          SHA512

          285c249c2365aa79de6088b94c521055f900d973d87eaff12d382fe123f572b62f18d6ee9d4d2903e23af66696291ebf82f8720d4cc898197c2e2248a6567a55

          Download Submit
        • C:\Users\Public\cxzvasdfg\2241323910214173\A11.chm
          Filesize

          9KB

          MD5

          8dc3f638086ac2a3c5add4d77dcc0468

          SHA1

          1112422c310809cbc9659f44a3f25bc123d2f822

          SHA256

          8650d112c9b776fd5cc8644178daad65ce131da397e82f38d25e39ab70d86d0f

          SHA512

          a6436bee9441b709f5f6c54e1da854f1e0fe4483fb9e757e8422d9d72f19975b20c982e8dd1adadd8ed27378346905795c06ae99aab4183fa6bff2bb768fbd8d

          Download Submit
        • C:\Users\Public\xiaodaxzqxia\A.vbs
          Filesize

          107B

          MD5

          bcb223ea9c0598f04684216bcd0e12a6

          SHA1

          2661c8fbca3654a29fa261def7f16ea23a6f3165

          SHA256

          ef2113720c94cbe4cb494d6e24d26803b4b1a094e35e4285cd4a2f5665ef2c37

          SHA512

          77e440462544ca9f711f9241096601060080f5751651cab8a796d57ed74c424f03a9237a653c17a386c1ef654e6192d0e54080632dacff15a28a46564e639682

          Download Submit
        • C:\Users\Public\xiaodaxzqxia\n.bat
          Filesize

          263B

          MD5

          c7d8b33e05722104d63de564a5d92b01

          SHA1

          fd703f1c71ac1dae65dc34f3521854604cec8091

          SHA256

          538ce88a3eed5a98c6a021a4c541080c5cfb652962f37da620e35b537513317a

          SHA512

          54a80fc6ad3f08743dc1655c379de79f9496086a9a18f4716fc9a9d6a6fe4fd527dd4ac099c57408090b73903c64fa38d4723783708068878aa6e18c6cc0d08e

          Download Submit
        • C:\Users\Public\xiaodaxzqxia\v.exe
          Filesize

          161KB

          MD5

          fecf803f7d84d4cfa81277298574d6e6

          SHA1

          0fd9a61bf9a361f87661de295e70a9c6795fe6a1

          SHA256

          81046f943d26501561612a629d8be95af254bc161011ba8a62d25c34c16d6d2a

          SHA512

          a4e2e2dfc98a874f7ec8318c40500b0e481fa4476d75d559f2895ce29fbe793a889fb2390220a25ab919deac477ada0c904b30f002324529285bda94292b48a4

          Download Submit
        • memory/4472-20-0x0000000000400000-0x000000000043D000-memory.dmp
          Filesize

          244KB

          Download
        • memory/5112-0-0x0000000000400000-0x0000000000719000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/5112-8-0x0000000000400000-0x0000000000719000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/5112-32-0x0000000000400000-0x0000000000719000-memory.dmp
          Filesize

          3.1MB

          Download