Analysis
-
max time kernel
144s -
max time network
143s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-01-2021 22:49
General
-
Target
plaukbp.dll
-
Size
704KB
-
MD5
f349a2c12a3114f0e60aae0f48d704d9
-
SHA1
560ccc4002e62179709d3493aa12fb2b5110def3
-
SHA256
ee683452d552bcc84964b3fbdfcfebcc281978115aa26a1413ae730a2c5032b1
-
SHA512
0d4d806d81a7e9dd873fd4ab3a03dcb8a191a821aee68aa923cadfabe4776345cdef37135a7c67be609faaed5418519da82ae5d8d91ffe4785d72865aad6734e
Malware Config
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Modifies Internet Explorer settings 1 TTPs 102 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SetWindowsHookEx 16 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\plaukbp.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\plaukbp.dll,#12⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5181⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:368 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Desktop\ShowOpen.bat" "1⤵
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Desktop\ShowOpen.bat" "1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833BMD5
53c9a3b414afa3d2579f625780bfabfe
SHA136ead707d16cb13cfa485235c15eb3c6a34bda2a
SHA2561d00ea6e61a6584d95f4f0c9e0869ae9a8762906215bcb85b7d21ae1f0d7ce5c
SHA512d6300e42bbf3c90a23cf5bd841611d461e74e560ac71e8c6b66bcef35b8c106d999f6f3a2581b06180e9fd4cc7d535382db0452cf740f7e7b3c6431f5c95bce7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\72BA427A91F50409B9EAC87F2B59B951_771D63D2BF22FBD3F874CC100340041CMD5
8b5a1841ec6a9b3ded29272bc5e88a4c
SHA1c5ce8fee863f1f0939014c34656ca6751b5b5378
SHA25694bb3e6699a35698af435a9bd6b83cc45b48e241f9eac6686a4f8894e7d72d35
SHA51255d0b79658ad7b123420f119dbf58469155da953f160073693fe748ea3055399d26d7a199a3295a35a874e24ec1d3f5d004cbd0d19903cb156b12fcc63ea993d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
c43e431188a6098785796519a63357a1
SHA1f8bb4e730bf99faddef1aab46351bdfc23a4aef4
SHA256063098ca176d8cac0513b5ba709eaaaa98cbc58f29fb8f6144ba140ae9feaaaa
SHA51252ea487d8ba6354a397205a8aa2a2d0f2ff946d5abd16988a99573daa758f9fa731894d0d52d22ebfad6ec59c33309d46a2b98424f450468b181856b97a85f60
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357MD5
a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833BMD5
1122ce216ce193430b3f279302b1da8a
SHA10bba6efa748eab45d54890e596a65d04072946df
SHA25659908d101f30f5edc342c33c34e31eda7a48d0e1e663b5f9b40019fa4301e8fe
SHA512f92b71b50f2b8e4d3f58e08afc3ca0b3bbc2872de283e6d00bfceb70d2887f5e8af62a0a2ac78d6e5fc6d847b14a091e17d719b1fba98a6a2ffb874f6c072eb9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\72BA427A91F50409B9EAC87F2B59B951_771D63D2BF22FBD3F874CC100340041CMD5
1b19bc83c382d11baed20ff3ae53d26b
SHA15b68b8b3adcab812513dd1583b71d98d8c9b70bd
SHA2560bcf43b2a3e902254a1ed0285a43226af1c23f2dcbfa4117907286d525b54920
SHA5126a02ec7a816b89dba2110c2d35055d56e78e2699507cda5baab080e90a4cb32f229289443f8e6cc351fe2c42b454c480774623c78ec8e52ebf3b698a1ca5147a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
214c245fc67478aecee0ed81dc12dcef
SHA18393b08ea08d8cd0c91c88f315299fbee9e95b0f
SHA2565082e6cd7bb7811e8ea6dd3033b2d7facef1b3d742422c0979c5bee6a2344f79
SHA5124daabd1acb939aba96fb8e7dce4f96de408a80f90a655de426a4edc6d9e98bd5b089aa4291138e55db7ed8b3a10c6bd1b0596947d9d9d598c64c7764c7e68f9a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
f674170a1847a4703c8e7050b83649e4
SHA163811e2ad22a4764e3e5160697bbd834ea2b6a82
SHA256169aa903568cccf50b582c09b6db20f2af74b7e7e77b6b72204f546a6b95f59e
SHA5129ac5aed084284370a4b705f5b42c9d3e2f8dae1ea6f33e1468bd3469f3785c5f8fd07e21e77231a1cf08a1860b9d97010b198a74a1972ea4d7fb7aa3829aab0e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711EMD5
02781e50afe8779efe2e76fc64be8c57
SHA1469203cf4be179a2a7122cdb3df1a5e6ba0ce8d7
SHA256e4da664eeacf081bbffc222ba32c5dbf69cc8ec436a6394676ea8d0246d87c7f
SHA5124cf99c666db2fb1236ece26644c400e6f29016dcb9fb6e1c50e30f0672c4a210fed0b5fd265aba95ceca5cb489fd2eb51c2df719e5f44b11c54a825ba0aeb857
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357MD5
ed7ecd851b6d0108234431b5d2e32387
SHA1ae01e81c47867dd7b2342e0b45096bf462a85bd8
SHA25654e56d7123dd7fd2a5507ac526281a2e36eb4659be719a44b1656e2677445f03
SHA5120b7fc2295cccf010a57e1549ce51e711994ce89907716b9d8844c28115df81df0f898cb12da7a4a5f3a61877ae2d5bf8800b499de682f211fba34ab1048bf97c
-
memory/108-6-0x0000000000000000-mapping.dmp
-
memory/340-15-0x0000000000000000-mapping.dmp
-
memory/980-14-0x0000000000000000-mapping.dmp
-
memory/1004-4-0x000007FEF7DF0000-0x000007FEF806A000-memory.dmpFilesize
2.5MB
-
memory/1056-5-0x0000000000000000-mapping.dmp
-
memory/1780-2-0x0000000000000000-mapping.dmp
-
memory/1780-3-0x0000000010000000-0x0000000010010000-memory.dmpFilesize
64KB