Analysis
- max time kernel: 70s
- max time network: 39s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-07-2021 14:48
Static task: static1
Behavioral task: behavioral1
- Sample: d1a1d73e134edf8accffaa2779fa637b448b762a9bad81c3093fda115ed189e1.dll
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: d1a1d73e134edf8accffaa2779fa637b448b762a9bad81c3093fda115ed189e1.dll
- Resource: win10v20210410
General
- Target: d1a1d73e134edf8accffaa2779fa637b448b762a9bad81c3093fda115ed189e1.dll
- Size: 937KB
- MD5: 492076d2d0e123d67a38e65ad5aaee6a
- SHA1: e9abf822ac6c9ebe34ed7c724122a53703d1d6a4
- SHA256: d1a1d73e134edf8accffaa2779fa637b448b762a9bad81c3093fda115ed189e1
- SHA512: a99c4bca46e64f4f92ab9bb159e15294a1562b5df8c964091e07589db8725bf4a67227b694bc918badb5d964cd954cb15ae717713173088cfe622ea03837792f
Malware Config
Extracted: gozi_ifsb
- 4500
- app3.maintorna.com
- chat.billionady.com
- app5.folion.xyz
- wer.defone.click
- build: 250188
- exe_type: loader
- server_id: 580
Signatures
- Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                        pid   process       target process   count
  PID 1724 wrote to memory of 1252   1724  rundll32.exe  rundll32.exe     7
  PID 1252 wrote to memory of 1368   1252  rundll32.exe  cmd.exe          4
  PID 1252 wrote to memory of 1424   1252  rundll32.exe  cmd.exe          4
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1a1d73e134edf8accffaa2779fa637b448b762a9bad81c3093fda115ed189e1.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1a1d73e134edf8accffaa2779fa637b448b762a9bad81c3093fda115ed189e1.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cd Island
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cd Matter m
Network
MITRE ATT&CK Matrix
Downloads
- memory/1252-60-0x0000000000000000-mapping.dmp
- memory/1252-61-0x0000000075161000-0x0000000075163000-memory.dmp (Filesize: 8KB)
- memory/1252-65-0x0000000074450000-0x0000000074554000-memory.dmp (Filesize: 1.0MB)
- memory/1252-64-0x0000000074450000-0x000000007445E000-memory.dmp (Filesize: 56KB)
- memory/1252-66-0x0000000000180000-0x0000000000181000-memory.dmp (Filesize: 4KB)
- memory/1368-62-0x0000000000000000-mapping.dmp
- memory/1424-63-0x0000000000000000-mapping.dmp