Analysis
- max time kernel: 73s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-05-2021 21:04
Static task: static1
Behavioral task: behavioral1
- Sample: d1253fcbf6ae056cff716ff6670c2c11.dll
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: d1253fcbf6ae056cff716ff6670c2c11.dll
- Size: 937KB
- MD5: d1253fcbf6ae056cff716ff6670c2c11
- SHA1: 68a6945ac7d27651b221ba0ad10b9c3ae8c878f8
- SHA256: e2e8a185580a5831bd7ddfcbed30cb21965cfb3bd546b4cffd85dc886671aeea
- SHA512: 51264676f733244a4b7896c8ac1da657b1240f705ef08bb796b3044e4cadf50bd793556b27c7a203af3e8326d9d75830a8129f1022f683bb21fa395fc507369e
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 4500
- C2:
  - app3.maintorna.com
  - chat.billionady.com
  - app5.folion.xyz
  - wer.defone.click
- Attributes:
  - build: 250188
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.base64
  - serpent.plain
Signatures
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 788 wrote to memory of 2012    788   rundll32.exe  rundll32.exe
  PID 788 wrote to memory of 2012    788   rundll32.exe  rundll32.exe
  PID 788 wrote to memory of 2012    788   rundll32.exe  rundll32.exe
  PID 788 wrote to memory of 2012    788   rundll32.exe  rundll32.exe
  PID 788 wrote to memory of 2012    788   rundll32.exe  rundll32.exe
  PID 788 wrote to memory of 2012    788   rundll32.exe  rundll32.exe
  PID 788 wrote to memory of 2012    788   rundll32.exe  rundll32.exe
  PID 2012 wrote to memory of 2044   2012  rundll32.exe  cmd.exe
  PID 2012 wrote to memory of 2044   2012  rundll32.exe  cmd.exe
  PID 2012 wrote to memory of 2044   2012  rundll32.exe  cmd.exe
  PID 2012 wrote to memory of 2044   2012  rundll32.exe  cmd.exe
  PID 2012 wrote to memory of 1968   2012  rundll32.exe  cmd.exe
  PID 2012 wrote to memory of 1968   2012  rundll32.exe  cmd.exe
  PID 2012 wrote to memory of 1968   2012  rundll32.exe  cmd.exe
  PID 2012 wrote to memory of 1968   2012  rundll32.exe  cmd.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1253fcbf6ae056cff716ff6670c2c11.dll,#1
  PID: 788
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1253fcbf6ae056cff716ff6670c2c11.dll,#1
    PID: 2012
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Island
      PID: 2044
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Matter m
      PID: 1968
Network
MITRE ATT&CK Matrix
Downloads
- memory/1968-62-0x0000000000000000-mapping.dmp
- memory/2012-59-0x0000000000000000-mapping.dmp
- memory/2012-60-0x0000000075551000-0x0000000075553000-memory.dmp (Filesize: 8KB)
- memory/2012-64-0x00000000748D0000-0x00000000749D4000-memory.dmp (Filesize: 1.0MB)
- memory/2012-63-0x00000000748D0000-0x00000000748DE000-memory.dmp (Filesize: 56KB)
- memory/2012-65-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize: 4KB)
- memory/2044-61-0x0000000000000000-mapping.dmp