Analysis
-
max time kernel
138s -
max time network
124s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
07-12-2020 01:52
General
-
Target
gye1.cab.dll
-
Size
632KB
-
MD5
e78b3e5f216b0fc21a528a1a4de83a39
-
SHA1
91d536c3667177f95b1713b563d54a1437bf27d5
-
SHA256
4eed17645ed997121a95459508067a23459d1e36f43d50f672f198e9d117cc2c
-
SHA512
b56548d765c9f0fcc0f65b4f283b406ce8b4f70c8b6b3a0845299075b8bc7ae1b60032cd7fb40f69ba855767e3304904c8ce413bbdb4cc4773df439256deadeb
Malware Config
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
ServiceHost packer 2 IoCs
Detects ServiceHost packer used for .NET malware
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\gye1.cab.dll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\gye1.cab.dll3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\control.exeC:\Windows\system32\control.exe /?4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?5⤵
-
C:\Windows\system32\cmd.execmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\534C.bi1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com3⤵
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\534C.bi1"2⤵
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE2⤵
-
C:\Windows\syswow64\cmd.exe"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\534C.bi1MD5
67a173408db29be821b9fe2421000340
SHA171faba974dc8fbbb67fa955142c30fbe0cd149a4
SHA256b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8
SHA512e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671
-
C:\Users\Admin\AppData\Local\Temp\534C.bi1MD5
67a173408db29be821b9fe2421000340
SHA171faba974dc8fbbb67fa955142c30fbe0cd149a4
SHA256b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8
SHA512e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671
-
C:\Users\Admin\AppData\Roaming\Microsoft\AuthgLib\accerLib.dllMD5
e78b3e5f216b0fc21a528a1a4de83a39
SHA191d536c3667177f95b1713b563d54a1437bf27d5
SHA2564eed17645ed997121a95459508067a23459d1e36f43d50f672f198e9d117cc2c
SHA512b56548d765c9f0fcc0f65b4f283b406ce8b4f70c8b6b3a0845299075b8bc7ae1b60032cd7fb40f69ba855767e3304904c8ce413bbdb4cc4773df439256deadeb
-
memory/1052-3-0x0000000000C50000-0x0000000000C9A000-memory.dmpFilesize
296KB
-
memory/1052-2-0x0000000000000000-mapping.dmp
-
memory/1052-5-0x0000000004900000-0x00000000049B3000-memory.dmpFilesize
716KB
-
memory/1404-16-0x0000000000000000-mapping.dmp
-
memory/2180-14-0x0000000000000000-mapping.dmp
-
memory/2536-21-0x0000003648E01000-mapping.dmp
-
memory/2536-19-0x0000000000000000-mapping.dmp
-
memory/2828-20-0x0000000005790000-0x0000000005843000-memory.dmpFilesize
716KB
-
memory/2828-11-0x0000000005790000-0x0000000005843000-memory.dmpFilesize
716KB
-
memory/2828-25-0x0000000003450000-0x00000000034F5000-memory.dmpFilesize
660KB
-
memory/2940-6-0x000000869D1F9000-mapping.dmp
-
memory/2940-12-0x00000222E4EF0000-0x00000222E4FA3000-memory.dmpFilesize
716KB
-
memory/2940-7-0x00000222E2C90000-0x00000222E2D43000-memory.dmpFilesize
716KB
-
memory/2940-4-0x0000000000000000-mapping.dmp
-
memory/3124-10-0x0000000000000000-mapping.dmp
-
memory/3124-13-0x000000EF89A14000-mapping.dmp
-
memory/3908-15-0x0000000000000000-mapping.dmp
-
memory/3924-22-0x0000000000000000-mapping.dmp
-
memory/3924-23-0x0000000000000000-mapping.dmp
-
memory/3924-24-0x0000000000BB6CD0-0x0000000000BB6CD4-memory.dmpFilesize
4B
-
memory/3924-26-0x0000000000BB6CD0-mapping.dmp