Analysis
-
max time kernel
573s -
max time network
561s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-02-2021 13:55
General
-
Target
32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll
-
Size
539KB
-
MD5
d31c0491f522d6b9f2102109bd2420af
-
SHA1
dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
-
SHA256
f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
-
SHA512
48d659660654800da4eb3909a06572dfcf5f05ebdfb8629fafdfeab601673e3377d9a3a241f4bd36c3f4f912ac838dbc73926f734bfa8a76ec43fa726b28c3bd
Score
10/10
Malware Config
Extracted
Family
gozi_rm3
Botnet
201193207
C2
https://topitophug.xyz
Attributes
-
build
300932
-
exe_type
loader
-
non_target_locale
RU
-
server_id
12
-
url_path
index.htm
rsa_pubkey.base64
serpent.plain
Signatures
-
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
-
Blocklisted process makes network request 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Suspicious use of FindShellTrayWindow 23 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\32b2d32af004b6039b73f4ccd73df2bafe7a0343.dll,#12⤵
- Blocklisted process makes network request
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1196 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1312 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1956 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1768 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:292 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1236 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:22⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:22⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:628 CREDAT:275457 /prefetch:22⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:22⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:275457 /prefetch:22⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:22⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:275457 /prefetch:22⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1160 CREDAT:1192975 /prefetch:22⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\61F95D72644321B3AD7A1D512B8D6E8BMD5
9bc7c66842ce55fb615785434a1e4ae2
SHA10841bba8f45cc927201dab1668d7de43c808f3a8
SHA256cdf81a744d87fcc80a9593edceb9103d9eb19ee8023da16b26c17844ffa88eaa
SHA512e85136f1da80428111ce2f626f6e90dff88d11f2de62f461d292104f2807b08ae2c625397d6c889544566c15cd772e1ed45b2fa18d89489140d59b6bb7fc9eba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4MD5
0cb6aff7f00ffdce23877e0fd80f88d5
SHA17cb46bde95f4e57c108100dff3786dc9d6169389
SHA256fb6bd4558196dad5d2767534f435159f7ce7d69f8e0bb21d73af02b8778f5ad0
SHA51204bfc5e5430709750613273778c7fc3a5d9eedc618fc60b6db2a55247c3a30609fbb0758f8923e3a84984ecae4903e68ee165f3c8515b8e922b70dceb9f402b2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357MD5
a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\61F95D72644321B3AD7A1D512B8D6E8BMD5
2052cd3e7ca49ea9032439565ef540f0
SHA1b42b387d5842441ebe4d38fd015cfb449d162665
SHA25611a4a0446e741e0ce520e157649c7b6e1890eac5f747d2caba76e19f1b2cb81b
SHA51229e6aa83a7c0ea2842f18222657308500f494bcce879bcdb0bef63b912f4d83b319050aeb6e43c4f3dbcbdf604f9015ae25f3c13530e25839516e2c2d36b01f0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4MD5
20af76ae940966fb0fa04dc44d5fe7f6
SHA119fd23f665fa6619bd28224baaf5d22c6ec5f9a3
SHA25680371e7ddd9479e67984e403c369e5da9b05f678c7fe374763fefff05d3dd770
SHA512f3e7e30c6691460193f0dcb6e7994a2d5271d9479ca241fe1517489c352df04af5d9495ef8e1b57629da4a46a31009ce7406d2b90c8d2f0b42d64db8fe40e9ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015MD5
e991738a0ab5abcf3ef4932f8848bde5
SHA150305153012f59692a8c76994a2a89429bf57cd2
SHA2564f1f3997e3e1e53a1a3c0be288476aca445ca58c5a2e4ae4b8aaaa7203d42ad7
SHA512ac44d16d11bbb86281fed2dfd6aa1dbb5d97caec116525be786c54e0ad33c81c5e48640d8d140f04410ee02ce33bddbce9babb61686212bc5bf123702340dec7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357MD5
cde65eb978684d55642a7b61a98ba85c
SHA15d6b5ea2ed2e3a8ffaabc143b08ddc756fc77b74
SHA2569da79b92275011659d4d6cc0ba72ce299c11211fc6f14eae617e3188b4f0d9c6
SHA51223e886b42af0727cf5de446188762e16915a99450f5cbe90d59f4f30426ed7e9fe656b2ffa81756f04ed3276ccdadc54fd25870bd6f67953be4697f73928f56e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TSQTY526.txtMD5
26540c997b6526bbd01950c067dc4e1c
SHA1f5ac96bb2aad57f12ff1878eb8c9cdfd7c7c1296
SHA25693fdcb4ddc8b9e6d58bc5c7029b09989d77ca130b52c1eacf1c413ad19ee1f3b
SHA5122e88306e8afbafc9d89da3ca5890adcbe4549a238a7a55397880be97e4c042e0bcc624b482dd7e998515349d23e4ce1dc6e9d4d1f185c828932891277bbba0e9
-
memory/740-47-0x0000000000000000-mapping.dmp
-
memory/848-45-0x0000000000000000-mapping.dmp
-
memory/1000-20-0x0000000000000000-mapping.dmp
-
memory/1088-8-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmpFilesize
2.5MB
-
memory/1092-41-0x0000000000000000-mapping.dmp
-
memory/1180-33-0x0000000000000000-mapping.dmp
-
memory/1196-25-0x0000000000000000-mapping.dmp
-
memory/1204-60-0x0000000000000000-mapping.dmp
-
memory/1232-34-0x0000000000000000-mapping.dmp
-
memory/1292-53-0x0000000000000000-mapping.dmp
-
memory/1312-19-0x0000000002090000-0x00000000020A0000-memory.dmpFilesize
64KB
-
memory/1312-18-0x000007FEFC251000-0x000007FEFC253000-memory.dmpFilesize
8KB
-
memory/1420-58-0x0000000000000000-mapping.dmp
-
memory/1432-49-0x0000000000000000-mapping.dmp
-
memory/1496-42-0x0000000000000000-mapping.dmp
-
memory/1504-11-0x0000000000000000-mapping.dmp
-
memory/1512-9-0x0000000000000000-mapping.dmp
-
memory/1544-26-0x0000000000000000-mapping.dmp
-
memory/1636-30-0x0000000000000000-mapping.dmp
-
memory/1644-55-0x0000000000000000-mapping.dmp
-
memory/1708-39-0x0000000000000000-mapping.dmp
-
memory/1744-38-0x0000000000000000-mapping.dmp
-
memory/1896-48-0x0000000000000000-mapping.dmp
-
memory/1992-37-0x0000000000000000-mapping.dmp
-
memory/2020-28-0x0000000000000000-mapping.dmp
-
memory/2024-6-0x0000000000170000-0x000000000017E000-memory.dmpFilesize
56KB
-
memory/2024-5-0x0000000000340000-0x0000000000352000-memory.dmpFilesize
72KB
-
memory/2024-4-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/2024-7-0x00000000001D0000-0x00000000001E0000-memory.dmpFilesize
64KB
-
memory/2024-2-0x0000000000000000-mapping.dmp
-
memory/2024-3-0x00000000765A1000-0x00000000765A3000-memory.dmpFilesize
8KB
-
memory/2024-10-0x0000000000490000-0x0000000000492000-memory.dmpFilesize
8KB
-
memory/2036-52-0x0000000000000000-mapping.dmp