Analysis

  • max time kernel: 122s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 24-11-2020 10:57

General

  • Target: 5fbce6bbc8cc4png.dll
  • Size: 114KB
  • MD5: df765ccd4b1c44dade295ab32b43a73e
  • SHA1: f32ebd4b964d06f350207ee84d041f1c83a79142
  • SHA256: 184a4559b5b36330ba844ca4cd9408aed2f38290bf4cb8ad3ba6e129423a0bd0
  • SHA512: eeab6e97190411e37ff95d641b508c98a22c1a9408a7e4c03502d0a85db012977eb8f0e400d2039e71c24511a82d32bcd138c2504bcd4dfd94f21e54d42646d4

Score
10/10

Malware Config

Signatures

  • Gozi, Gozi ISFB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 118 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5fbce6bbc8cc4png.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\5fbce6bbc8cc4png.dll
      2⤵
      PID:1632
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1120
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1696 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1760
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:280
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:968

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion (1): Modify Registry, T1112

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
      MD5

      afcb19f43741d5d167c1d7d1e92cbe6a

      SHA1

      2f952eb60dfaea443fd441cf8006be06c45123a9

      SHA256

      490b3d550223851b451b34e1dad42406046577e2a9b95c3aba73046e4c56ada4

      SHA512

      89922c9f0c7ddbc4b3242f09c64ad862b6bd8ec5206af061f7e8ece0c766e8e9d549324703abc90e5908748cdefd6bbd1042f20c00d7ee57f078242beca378e2

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
      MD5

      93ca24c93b1effccd1fa8cbcb1d62cf4

      SHA1

      c3837af12b7a3f72be3276554be211e5917dfb1d

      SHA256

      2d81acd1c7076b11e99bbcdf3ca42761743776f6d4fc352df6bda730ef916066

      SHA512

      dac7c223163ca13c83c0f07bf09ac682870dae2022266693b22fb693436f0639dbfd0e887fd988c2f35930c19f181249364889b2845fcfac753aa79290809a3f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\robot[1].png
      MD5

      4c9acf280b47cef7def3fc91a34c7ffe

      SHA1

      c32bb847daf52117ab93b723d7c57d8b1e75d36b

      SHA256

      5f9fc5b3fbddf0e72c5c56cdcfc81c6e10c617d70b1b93fbe1e4679a8797bff7

      SHA512

      369d5888e0d19b46cb998ea166d421f98703aec7d82a02dc7ae10409aec253a7ce099d208500b4e39779526219301c66c2fd59fe92170b324e70cf63ce2b429c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O1R1CL99\googlelogo_color_150x54dp[1].png
      MD5

      9d73b3aa30bce9d8f166de5178ae4338

      SHA1

      d0cbc46850d8ed54625a3b2b01a2c31f37977e75

      SHA256

      dbef5e5530003b7233e944856c23d1437902a2d3568cdfd2beaf2166e9ca9139

      SHA512

      8e55d1677cdbfe9db6700840041c815329a57df69e303adc1f994757c64100fe4a3a17e86ef4613f4243e29014517234debfbcee58dab9fc56c81dd147fdc058

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YQEMFACW.txt
      MD5

      c63ee6ab25bb6f70c2190408d0a90599

      SHA1

      9defa5d919db3d1504729cb07bf1e10edc794a76

      SHA256

      f805e3dcc46374fbf67df4548f26f74ad37b035d665ffd51904953138fbb82ad

      SHA512

      8de6c9b6fdadccaf6f5a3e2142378efa0132bf2cdbe6e39e4b8129f11760dd5572abf82b099fc9735cf75fe34c23dfda7633ecf3f67d9f628f75adb9017d6ef8

    • memory/280-13-0x000000000B320000-0x000000000B37D000-memory.dmp
      Filesize

      372KB

    • memory/280-9-0x0000000000000000-mapping.dmp
    • memory/280-12-0x0000000007770000-0x0000000007783000-memory.dmp
      Filesize

      76KB

    • memory/280-11-0x000000000A5F0000-0x000000000A622000-memory.dmp
      Filesize

      200KB

    • memory/968-14-0x0000000000000000-mapping.dmp
    • memory/1120-3-0x00000000054F0000-0x0000000005513000-memory.dmp
      Filesize

      140KB

    • memory/1120-4-0x0000000006AE0000-0x0000000006AE8000-memory.dmp
      Filesize

      32KB

    • memory/1120-2-0x0000000000000000-mapping.dmp
    • memory/1632-0-0x0000000000000000-mapping.dmp
    • memory/1760-5-0x0000000000000000-mapping.dmp
    • memory/1992-1-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp
      Filesize

      2.5MB