Analysis
-
max time kernel
18s -
max time network
104s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-02-2021 15:14
Static task
static1
Behavioral task
behavioral1
Sample
yytr.png.dll
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
General
-
Target
yytr.png.dll
-
Size
463KB
-
MD5
ba2befa9c70c2b6d779c48a59cece3e5
-
SHA1
4c855f80076e357d35c7d60cd52d2c49abefc5ff
-
SHA256
9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb
-
SHA512
bdc4e33de9de4cf27d1df05e22163c6a3ef0d2406d80cb51db34139bf08cc3a923b079686fbc0a1b359ee46447eb0583c3343360d7e755179e9661c4a503047e
Malware Config
Extracted
Family
gozi_ifsb
Botnet
3131
C2
c.s-microsoft.com
firebaseremoteconfig.googleapis.com
pronpepsipirpyamvioerd.com
80.208.230.180
Attributes
-
build
250177
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
dns_servers
107.174.86.134
107.175.127.22
-
exe_type
loader
-
server_id
12
rsa_pubkey.base64
serpent.plain
Signatures
-
Program crash 1 IoCs
pid pid_target Process procid_target 4272 4788 WerFault.exe 23 -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe 4272 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 4272 WerFault.exe Token: SeBackupPrivilege 4272 WerFault.exe Token: SeDebugPrivilege 4272 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4764 wrote to memory of 4788 4764 rundll32.exe 23 PID 4764 wrote to memory of 4788 4764 rundll32.exe 23 PID 4764 wrote to memory of 4788 4764 rundll32.exe 23
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\yytr.png.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\yytr.png.dll,#12⤵PID:4788
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 7323⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
-