Analysis
- max time kernel: 133s
- max time network: 136s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 25-10-2021 10:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 617683636aa85.tiff.dll
- Resource: win7-en-20210920 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 617683636aa85.tiff.dll
- Size: 942KB
- MD5: 63bf1fa8174987625e5e43cb0ed13e82
- SHA1: 644b87f4721c0b9b5409d19717dffea20b788081
- SHA256: 42b7c2ea97c98f21d2a5fb271364530115369f9bb08ef03fa57013cc036b6f00
- SHA512: 1ddd98f42cb271bd55f96a2291951ec761f81b8958269e67166c74ff40c3ce65a96c0011c4a024a6b1c54709043ab8cba4b22ddefa435b20696556057c2737f8
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 8899
- C2: msn.com/mail, realitystorys.com, outlook.com/signup, gderrrpololo.net
Attributes
- build: 260212
- dga_season: 10
- exe_type: loader
- server_id: 12
- rsa_pubkey.plain
- serpent.plain
Signatures
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
- Blocklisted process makes network request (14 IoCs)
  Processes: rundll32.exe
  flow  pid   process
  28    2856  rundll32.exe
  30    2856  rundll32.exe
  32    2856  rundll32.exe
  33    2856  rundll32.exe
  34    2856  rundll32.exe
  36    2856  rundll32.exe
  38    2856  rundll32.exe
  40    2856  rundll32.exe
  42    2856  rundll32.exe
  44    2856  rundll32.exe
  45    2856  rundll32.exe
  46    2856  rundll32.exe
  47    2856  rundll32.exe
  49    2856  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description                        pid   process       target process
  PID 3088 wrote to memory of 2856   3088  rundll32.exe  rundll32.exe
  PID 3088 wrote to memory of 2856   3088  rundll32.exe  rundll32.exe
  PID 3088 wrote to memory of 2856   3088  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\617683636aa85.tiff.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\617683636aa85.tiff.dll,#1
    - Blocklisted process makes network request
Downloads
- memory/2856-115-0x0000000000000000-mapping.dmp
- memory/2856-116-0x0000000073E90000-0x0000000073F94000-memory.dmp (Filesize: 1.0MB)
- memory/2856-117-0x0000000073E90000-0x0000000073E9F000-memory.dmp (Filesize: 60KB)
- memory/2856-118-0x0000000073E90000-0x0000000073F94000-memory.dmp (Filesize: 1.0MB)
- memory/2856-119-0x00000000004C0000-0x00000000004C1000-memory.dmp (Filesize: 4KB)