Analysis
- max time kernel: 141s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-12-2021 15:41

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ea96ae41f6dec70ce9f72ae9ef783c52.exe.dll
  - Resource: win7-en-20211208 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: ea96ae41f6dec70ce9f72ae9ef783c52.exe.dll
- Size: 1.7MB
- MD5: ea96ae41f6dec70ce9f72ae9ef783c52
- SHA1: a8782fb8f277df06c3d18aa3ed1eee9280bd096e
- SHA256: aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e
- SHA512: fb1b90b36da6899c91212c6be582564c496f9fd10443235d7a1da736486f21de7495d30d9eaff4a90465aca7f282602f55cabd1d36c8678115062f2652c549ee
Malware Config (extracted)
- Family: gozi_ifsb
- Botnet: 8899
- C2:
  - microsoft.com/windowsdisabler
  - windows.update3.com
  - berukoneru.website
  - gerukoneru.website
  - fortunarah.com
- Attributes:
  - base_path: /tire/
  - build: 260222
  - dga_season: 10
  - exe_type: loader
  - extension: .eta
  - server_id: 12
- Extracted config blobs: rsa_pubkey.plain, serpent.plain
Signatures
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F) (reported twice)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (all 7 entries are identical):
  - source: regsvr32.exe (PID 1756) wrote to memory of target: regsvr32.exe (PID 1504)
Processes
- C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ea96ae41f6dec70ce9f72ae9ef783c52.exe.dll
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\ea96ae41f6dec70ce9f72ae9ef783c52.exe.dll
Network
MITRE ATT&CK Matrix
Downloads
- memory/1504-55-0x0000000000000000-mapping.dmp
- memory/1504-56-0x0000000076451000-0x0000000076453000-memory.dmp (Filesize: 8KB)
- memory/1504-57-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize: 4KB)
- memory/1504-58-0x0000000010000000-0x00000000101BF000-memory.dmp (Filesize: 1.7MB)
- memory/1756-54-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp (Filesize: 8KB)