Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 05-07-2021 14:50
Static task: static1
Behavioral task: behavioral1
- Sample: 3b17.dll
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 3b17.dll
- Size: 607KB
- MD5: 3b17fcc55cee8cbe4cd1b443f358c36d
- SHA1: 45d1e652f282a94b37ac32afb62ff563afb2fb39
- SHA256: 9ae13bdb906bf774982242a378a20fb25da3e29dd7b5e1acd2531562319edba6
- SHA512: 6b299214396c3ea94d01f7211ffed949f4e615c12586d2191b633c12f6d7d2881c01bc2d1b360bf05d15b58c604104e222d7f33297e63c067144de4bf2c5c337
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 6000
- C2:
  - gtr.antoinfer.com
  - app.bighomegl.at
- Attributes:
  - build: 250204
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.plain
  - aes.plain
Signatures

Modifies Internet Explorer settings 12 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6EEB3D9-DDB0-11EB-B2DB-DAB5BEA07F06} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2284 | iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
2284 | iexplore.exe
2284 | iexplore.exe
3684 | IEXPLORE.EXE
3684 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 808 wrote to memory of 1180 | 808 | rundll32.exe | rundll32.exe
PID 808 wrote to memory of 1180 | 808 | rundll32.exe | rundll32.exe
PID 808 wrote to memory of 1180 | 808 | rundll32.exe | rundll32.exe
PID 2284 wrote to memory of 3684 | 2284 | iexplore.exe | IEXPLORE.EXE
PID 2284 wrote to memory of 3684 | 2284 | iexplore.exe | IEXPLORE.EXE
PID 2284 wrote to memory of 3684 | 2284 | iexplore.exe | IEXPLORE.EXE
Processes
- C:\Windows\system32\rundll32.exe (PID 808)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b17.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1180, child of 808)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b17.dll,#1
- C:\Program Files\Internet Explorer\iexplore.exe (PID 2284)
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3684, child of 2284)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

Notes on the tree: the PIDs are taken from the WriteProcessMemory signature (808 wrote into 1180 for the rundll32 pair, 2284 wrote into 3684 for Internet Explorer; the SCODEF:2284 argument on the child IE command line confirms 2284 as its frame process). The DLL is invoked by ordinal (",#1") rather than by an export name. The 64-bit System32 rundll32 re-launching the SysWOW64 copy with identical arguments is standard rundll32 behaviour when it is handed a 32-bit DLL, and the 32-bit addresses in the PID 1180 memory dumps listed under Downloads are consistent with that. "-Embedding" is the switch COM appends when it starts a local server, so this iexplore.exe instance was COM-activated rather than launched from the shell; "SCODEF:<pid> CREDAT:<n> /prefetch:2" is the normal form of an IE frame process spawning a tab process.
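The tree above is a compact hunting pattern: rundll32 calling a DLL in the user's Temp directory by ordinal, a 64-bit-to-WOW64 rundll32 hop with the same arguments, cross-process writes originating from rundll32, and an Internet Explorer frame started by COM activation. The following Python is an added example, not part of the sandbox report or its tooling, that runs those checks over process and memory-write events constructed from this tree. The event field names, the mapping of PIDs onto tree entries, the user-writable directory list and the "interactive parent" list are assumptions, marked as such in the code.

```python
"""Detection heuristics for the rundll32 -> Internet Explorer pattern above.

Added example; not part of the sandbox report or of any tooling it describes.
Event records are constructed by hand from the process tree and the
WriteProcessMemory signature. Field names and the PID-to-tree mapping
(808 = System32 rundll32, 1180 = its SysWOW64 child) are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Directories an unprivileged user can write to (assumption: tune per estate).
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
    "\\users\\public\\", "\\programdata\\",
)
# Parents from which an iexplore.exe start is expected to be user-driven (assumption).
INTERACTIVE_PARENTS = ("explorer.exe", "iexplore.exe")

# rundll32.exe <dll>,<export>; <dll> may be quoted, <export> a name or an ordinal (#1).
_RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#?\w+)', re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


@dataclass
class WriteEvent:
    source_pid: int
    target_pid: int


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline: str) -> Optional[dict]:
    """Split a rundll32 command line into DLL path, export and an ordinal flag."""
    m = _RUNDLL_RE.search(cmdline)
    if not m:
        return None
    export = m.group("export")
    return {"dll": m.group("dll").strip(), "export": export, "ordinal": export.startswith("#")}


def score_rundll32(cmdline: str) -> Optional[str]:
    """'high' for a user-writable DLL called by ordinal, 'medium' if called by name."""
    info = parse_rundll32(cmdline)
    if not info:
        return None
    if any(marker in info["dll"].lower() for marker in USER_WRITABLE):
        return "high" if info["ordinal"] else "medium"
    return None


def detect(procs, writes):
    """Return (severity, pid, message) findings over process and memory-write events."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if _base(p.image) == "rundll32.exe":
            level = score_rundll32(p.cmdline)
            if level:
                findings.append((level, p.pid, "rundll32 loads DLL from user-writable path: " + p.cmdline))
            # 64-bit rundll32 re-launches the SysWOW64 copy with the same arguments
            # when handed a 32-bit DLL; the parent/child pair is a useful anchor.
            if (parent and _base(parent.image) == "rundll32.exe"
                    and parse_rundll32(parent.cmdline) == parse_rundll32(p.cmdline)):
                findings.append(("info", p.pid, f"rundll32 re-executed by rundll32 {parent.pid} with the same DLL (WOW64 hop)"))
        if _base(p.image) == "iexplore.exe" and "-embedding" in p.cmdline.lower():
            # -Embedding is COM local-server activation: no one clicked a browser icon.
            if parent is None or _base(parent.image) not in INTERACTIVE_PARENTS:
                findings.append(("medium", p.pid, "iexplore.exe COM-activated (-Embedding) without an interactive parent"))
    seen = set()
    for w in writes:  # the report repeats each write three times; collapse duplicates
        key = (w.source_pid, w.target_pid)
        if key in seen:
            continue
        seen.add(key)
        src, dst = by_pid.get(w.source_pid), by_pid.get(w.target_pid)
        dst_name = _base(dst.image) if dst else "unknown"
        if src and _base(src.image) == "rundll32.exe":
            findings.append(("high", w.source_pid, f"rundll32 {w.source_pid} wrote into {dst_name} {w.target_pid}"))
        elif src and dst and _base(src.image) == _base(dst.image) and dst.ppid == src.pid:
            findings.append(("info", w.source_pid, f"{_base(src.image)} {w.source_pid} wrote into its own child {w.target_pid}"))
        else:
            findings.append(("medium", w.source_pid, f"cross-process write {w.source_pid} -> {w.target_pid}"))
    return findings


# Constructed from the report's process tree; PIDs from the WriteProcessMemory table.
SAMPLE_PROCS = [
    ProcEvent(808, None, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b17.dll,#1"),
    ProcEvent(1180, 808, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b17.dll,#1"),
    ProcEvent(2284, None, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'),
    ProcEvent(3684, 2284, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:82945 /prefetch:2'),
]
SAMPLE_WRITES = [WriteEvent(808, 1180)] * 3 + [WriteEvent(2284, 3684)] * 3

if __name__ == "__main__":
    for sev, pid, msg in detect(SAMPLE_PROCS, SAMPLE_WRITES):
        print(f"[{sev:6}] pid {pid}: {msg}")
```

Run against the constructed events this yields six findings: two "high" for the rundll32 instances loading the Temp DLL by ordinal, one "info" for the WOW64 hop, one "medium" for the COM-activated iexplore.exe, one "high" for the rundll32-to-rundll32 write and one "info" for the IE frame writing into its own tab process. The frame-to-tab write is ordinary IE behaviour on its own; what makes it interesting here is the frame process having been started with -Embedding rather than by the user.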
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1180-114-0x0000000000000000-mapping.dmp
- memory/1180-116-0x00000000737F0000-0x0000000073920000-memory.dmp (1.2MB)
- memory/1180-115-0x00000000737F0000-0x00000000737FD000-memory.dmp (52KB)
- memory/1180-117-0x00000000032F0000-0x000000000343A000-memory.dmp (1.3MB)
- memory/2284-118-0x00007FFA108A0000-0x00007FFA1090B000-memory.dmp (428KB)
- memory/3684-119-0x0000000000000000-mapping.dmp