Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 23-05-2021 14:13

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9fcf3ab8703045032737668793f5563b.dll
- Resource: win7v20210408
- 0 signatures
- 0 seconds
General
- Target: 9fcf3ab8703045032737668793f5563b.dll
- Size: 937KB
- MD5: 9fcf3ab8703045032737668793f5563b
- SHA1: 8d4db3886f332122eb430b04419d0befd0833107
- SHA256: dff28a4e03d3df0f6a7d39a77dd7d6243bdc9117b0b0da3b280447184856f4df
- SHA512: 309cda81815d9c70555b978a4ba65e751f51df8b72f4352b9de37f20be55769321c34693f6c52598cae4cc8477ed6c07bd66ef030fa78202cbe19279416b3953
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 4500
- C2:
  - app3.maintorna.com
  - chat.billionady.com
  - app5.folion.xyz
  - wer.defone.click
- Attributes:
  - build: 250188
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.base64
  - serpent.plain
Signatures
-
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D43AE50B-BBD0-11EB-A11C-F29CEA8FB389} = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: iexplore.exe
pid | process
- 3888 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | process
- 3888 | iexplore.exe
- 3888 | iexplore.exe
- 200 | IEXPLORE.EXE
- 200 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: rundll32.exe, rundll32.exe, iexplore.exe
description | pid | process | target process
- PID 3172 wrote to memory of 748 | 3172 | rundll32.exe | rundll32.exe
- PID 3172 wrote to memory of 748 | 3172 | rundll32.exe | rundll32.exe
- PID 3172 wrote to memory of 748 | 3172 | rundll32.exe | rundll32.exe
- PID 748 wrote to memory of 188 | 748 | rundll32.exe | cmd.exe
- PID 748 wrote to memory of 188 | 748 | rundll32.exe | cmd.exe
- PID 748 wrote to memory of 188 | 748 | rundll32.exe | cmd.exe
- PID 748 wrote to memory of 1192 | 748 | rundll32.exe | cmd.exe
- PID 748 wrote to memory of 1192 | 748 | rundll32.exe | cmd.exe
- PID 748 wrote to memory of 1192 | 748 | rundll32.exe | cmd.exe
- PID 3888 wrote to memory of 200 | 3888 | iexplore.exe | IEXPLORE.EXE
- PID 3888 wrote to memory of 200 | 3888 | iexplore.exe | IEXPLORE.EXE
- PID 3888 wrote to memory of 200 | 3888 | iexplore.exe | IEXPLORE.EXE
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fcf3ab8703045032737668793f5563b.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fcf3ab8703045032737668793f5563b.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Island
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Matter m
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3888 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Downloads
- memory/188-115-0x0000000000000000-mapping.dmp
- memory/200-122-0x0000000000000000-mapping.dmp
- memory/748-114-0x0000000000000000-mapping.dmp
- memory/748-117-0x0000000073B10000-0x0000000073B1E000-memory.dmp (filesize: 56KB)
- memory/748-118-0x0000000073B10000-0x0000000073C14000-memory.dmp (filesize: 1.0MB)
- memory/748-119-0x0000000000950000-0x0000000000A9A000-memory.dmp (filesize: 1.3MB)
- memory/1192-116-0x0000000000000000-mapping.dmp
- memory/3888-121-0x00007FFD69AA0000-0x00007FFD69B0B000-memory.dmp (filesize: 428KB)