Analysis
-
max time kernel
445s -
max time network
376s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
05-02-2021 13:55
Static task
static1
Behavioral task
behavioral1
Sample
32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll
-
Size
539KB
-
MD5
d31c0491f522d6b9f2102109bd2420af
-
SHA1
dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
-
SHA256
f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
-
SHA512
48d659660654800da4eb3909a06572dfcf5f05ebdfb8629fafdfeab601673e3377d9a3a241f4bd36c3f4f912ac838dbc73926f734bfa8a76ec43fa726b28c3bd
Malware Config
Extracted
Family
gozi_rm3
Botnet
201193207
C2
https://topitophug.xyz
Attributes
-
build
300932
-
exe_type
loader
-
non_target_locale
RU
-
server_id
12
-
url_path
index.htm
rsa_pubkey.base64
serpent.plain
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 3700 4776 WerFault.exe 33 -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe 3700 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 3700 WerFault.exe Token: SeBackupPrivilege 3700 WerFault.exe Token: SeDebugPrivilege 3700 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4760 wrote to memory of 4776 4760 rundll32.exe 33 PID 4760 wrote to memory of 4776 4760 rundll32.exe 33 PID 4760 wrote to memory of 4776 4760 rundll32.exe 33
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4760 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll,#12⤵PID:4776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 7243⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
-