Analysis
- max time kernel: 65s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 07-06-2021 05:56

Static task: static1
Behavioral task: behavioral1
Sample: 320192b545d3f45fd588b741c30fb2ec.dll
Resource: win7v20210410
0 signatures
0 seconds
General
- Target: 320192b545d3f45fd588b741c30fb2ec.dll
- Size: 937KB
- MD5: 320192b545d3f45fd588b741c30fb2ec
- SHA1: 807433d7c1f8c7629ebcafd9d2c4e6797c82ce16
- SHA256: 2ee0e0b21737b7f9ecc613be83b7ec84560d0770f794a819afe64f54b0e7743b
- SHA512: c95b2c2d1f7cdf5950db9bd655965cbacf3b8d383728db3786de404e68f70bec761dc6101ebbf6b0fc0252ec8626a8c5247cce4e5f378c6a63da648364b158c9
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 4500
- C2:
  - app3.maintorna.com
  - chat.billionady.com
  - app5.folion.xyz
  - wer.defone.click
- Attributes:
  - build: 250188
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.base64
  - serpent.plain
Signatures
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 856 wrote to memory of 1636 | 856 | rundll32.exe | rundll32.exe
PID 856 wrote to memory of 1636 | 856 | rundll32.exe | rundll32.exe
PID 856 wrote to memory of 1636 | 856 | rundll32.exe | rundll32.exe
PID 1636 wrote to memory of 684 | 1636 | rundll32.exe | cmd.exe
PID 1636 wrote to memory of 684 | 1636 | rundll32.exe | cmd.exe
PID 1636 wrote to memory of 684 | 1636 | rundll32.exe | cmd.exe
PID 1636 wrote to memory of 3952 | 1636 | rundll32.exe | cmd.exe
PID 1636 wrote to memory of 3952 | 1636 | rundll32.exe | cmd.exe
PID 1636 wrote to memory of 3952 | 1636 | rundll32.exe | cmd.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\320192b545d3f45fd588b741c30fb2ec.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\320192b545d3f45fd588b741c30fb2ec.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Island
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cd Matter m
Network
MITRE ATT&CK Matrix
Downloads
- memory/684-115-0x0000000000000000-mapping.dmp
- memory/1636-114-0x0000000000000000-mapping.dmp
- memory/1636-117-0x0000000073470000-0x000000007347E000-memory.dmp (Filesize: 56KB)
- memory/1636-118-0x0000000073470000-0x0000000073574000-memory.dmp (Filesize: 1.0MB)
- memory/1636-119-0x00000000012B0000-0x00000000012B1000-memory.dmp (Filesize: 4KB)
- memory/3952-116-0x0000000000000000-mapping.dmp