Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-03-2021 11:59

Static task: static1

Behavioral task: behavioral1
- Sample: 33.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: 33.dll
- Size: 170KB
- MD5: b70bb01648a76dd8545fd12ec53b9ce7
- SHA1: 78a6919ffa9a86d8e85f248ce6435754b4d6f60b
- SHA256: 4713834ea4f17e583ce824f4c2ee391cafac251d6f0d64a5234b417ac593094b
- SHA512: fe6eb27d690d3d2bd9771408588c34d6287514d6247e034e9f009ecef8f1bc41cb76ed9a42d8ab3b57cb3cfa1ec24a501b5532b27c5eba55369ed2e0dc1389e3
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 3300
- C2:
  - api10.laptok.at/api1
  - golang.feel500.at/api1
  - go.in100k.at/api1
- Attributes:
  - build: 250180
  - exe_type: loader
  - server_id: 730
- rsa_pubkey.base64
- serpent.plain
Signatures
- Modifies Internet Explorer settings
  Processes (process: description, ioc):
  - IEXPLORE.EXE: Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DAF55B73-8197-11EB-BEBD-7203859AD7E4} = "0"
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  - iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
  - iexplore.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
  - iexplore.exe: Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive
  - iexplore.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid, process):
  - 4288 iexplore.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
  - 4288 iexplore.exe
  - 4288 iexplore.exe
  - 2092 IEXPLORE.EXE
  - 2092 IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description; pid, process -> target process):
  - PID 4688 wrote to memory of 4796; 4688 regsvr32.exe -> regsvr32.exe
  - PID 4688 wrote to memory of 4796; 4688 regsvr32.exe -> regsvr32.exe
  - PID 4688 wrote to memory of 4796; 4688 regsvr32.exe -> regsvr32.exe
  - PID 4288 wrote to memory of 2092; 4288 iexplore.exe -> IEXPLORE.EXE
  - PID 4288 wrote to memory of 2092; 4288 iexplore.exe -> IEXPLORE.EXE
  - PID 4288 wrote to memory of 2092; 4288 iexplore.exe -> IEXPLORE.EXE
Processes
- C:\Windows\system32\regsvr32.exe
  command: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\33.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    command: /s C:\Users\Admin\AppData\Local\Temp\33.dll
- C:\Program Files\Internet Explorer\iexplore.exe
  command: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    command: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4288 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx