Analysis
- max time kernel: 27s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 04-05-2021 15:31

Static task: static1
Behavioral task: behavioral1
Sample: 18d613d02eaf8d339feebb21f578f329.dll
Resource: win7v20210408
Platform: windows7_x64
0 signatures
0 seconds
General
- Target: 18d613d02eaf8d339feebb21f578f329.dll
- Size: 511KB
- MD5: 18d613d02eaf8d339feebb21f578f329
- SHA1: 01ea39853139ccfe82f0bd19f8963d3ccebf8e8a
- SHA256: bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
- SHA512: a432ca4267f56530945e2dd352e658d72b3fc84101b84dcd86bc0adcf42e218e394556d6b69cec92cb30a960ce83586e8c026e971f02fa5154d100a198f1e4ce
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 8877
- C2:
  outlook.com/login
  gmail.com
  dorelunonu.us
  morelunonu.us
- Attributes:
  - build: 250195
  - dga_season: 10
  - exe_type: loader
  - server_id: 12
  - rsa_pubkey.base64
  - serpent.plain
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4060 wrote to memory of 3700 | 4060 | rundll32.exe | rundll32.exe
  PID 4060 wrote to memory of 3700 | 4060 | rundll32.exe | rundll32.exe
  PID 4060 wrote to memory of 3700 | 4060 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\18d613d02eaf8d339feebb21f578f329.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\18d613d02eaf8d339feebb21f578f329.dll,#1
Network
MITRE ATT&CK Matrix
Downloads
- memory/3700-114-0x0000000000000000-mapping.dmp
- memory/3700-115-0x0000000073D70000-0x0000000073D7F000-memory.dmp (Filesize: 60KB)
- memory/3700-116-0x0000000073D70000-0x0000000073F05000-memory.dmp (Filesize: 1.6MB)
- memory/3700-117-0x0000000004D20000-0x0000000004D21000-memory.dmp (Filesize: 4KB)