Analysis
max time kernel: 145s
max time network: 147s
platform: windows10_x64
resource: win10v20210410
submitted: 06-07-2021 16:21
Static task: static1
Behavioral task: behavioral1
Sample: a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c.dll
Resource: win7v20210410 (windows7_x64)
0 signatures
0 seconds
General
Target: a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c.dll
Size: 306KB
MD5: 98d030eeefc3536d68ccb9ae3a2d1502
SHA1: 9f7d95691e0116f7c0d0f222de2149b073ef6cb6
SHA256: a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c
SHA512: bbfbd2525c24a5c0474d001f61edabed1ff05f83fb574eb16790e36298da80d8a56d10f28582340f438a3483d232a4efd19055b687fc773aef25856148c2ba52
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 6000
C2:
- authd.feronok.com
- app.bighomegl.at
Attributes
- build: 250204
- exe_type: loader
- server_id: 580
rsa_pubkey.plain
aes.plain
Signatures
-
Modifies Internet Explorer settings 12 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D3E5C28-DE76-11EB-A11C-4A85C7F4578F} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: iexplore.exe
pid | process
1172 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | process
1172 | iexplore.exe
1172 | iexplore.exe
2140 | IEXPLORE.EXE
2140 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: rundll32.exe, iexplore.exe
description | pid | process | target process
PID 1832 wrote to memory of 3764 | 1832 | rundll32.exe | rundll32.exe
PID 1832 wrote to memory of 3764 | 1832 | rundll32.exe | rundll32.exe
PID 1832 wrote to memory of 3764 | 1832 | rundll32.exe | rundll32.exe
PID 1172 wrote to memory of 2140 | 1172 | iexplore.exe | IEXPLORE.EXE
PID 1172 wrote to memory of 2140 | 1172 | iexplore.exe | IEXPLORE.EXE
PID 1172 wrote to memory of 2140 | 1172 | iexplore.exe | IEXPLORE.EXE
Processes
- C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c.dll,#1
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a58f423a00ca933ae2898803bd1b3a07a2cd76ef1aa0d5de69905d80a096874c.dll,#1
  - Suspicious use of WriteProcessMemory
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1172-119-0x00007FFCC8390000-0x00007FFCC83FB000-memory.dmp (Filesize 428KB)
- memory/2140-120-0x0000000000000000-mapping.dmp
- memory/3764-114-0x0000000000000000-mapping.dmp
- memory/3764-115-0x0000000000950000-0x00000000009FE000-memory.dmp (Filesize 696KB)
- memory/3764-117-0x0000000074120000-0x000000007420A000-memory.dmp (Filesize 936KB)
- memory/3764-116-0x0000000074120000-0x000000007412D000-memory.dmp (Filesize 52KB)