Analysis
max time kernel: 145s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211208
submitted: 14-12-2021 15:41
Static task: static1
Behavioral task: behavioral1
Sample: ea96ae41f6dec70ce9f72ae9ef783c52.exe.dll
Resource: win7-en-20211208
General
Target: ea96ae41f6dec70ce9f72ae9ef783c52.exe.dll
Size: 1.7MB
MD5: ea96ae41f6dec70ce9f72ae9ef783c52
SHA1: a8782fb8f277df06c3d18aa3ed1eee9280bd096e
SHA256: aa4d5569f00d3fed84a25b4a1adcf28e55150e01cd5917082fa9569f774b984e
SHA512: fb1b90b36da6899c91212c6be582564c496f9fd10443235d7a1da736486f21de7495d30d9eaff4a90465aca7f282602f55cabd1d36c8678115062f2652c549ee
Malware Config
Extracted
gozi_ifsb
8899
microsoft.com/windowsdisabler
windows.update3.com
berukoneru.website
gerukoneru.website
fortunarah.com
base_path: /tire/
build: 260222
dga_season: 10
exe_type: loader
extension: .eta
server_id: 12
Signatures
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: regsvr32.exe
description                        pid   process       target process
PID 1180 wrote to memory of 1448   1180  regsvr32.exe  regsvr32.exe
PID 1180 wrote to memory of 1448   1180  regsvr32.exe  regsvr32.exe
PID 1180 wrote to memory of 1448   1180  regsvr32.exe  regsvr32.exe
Processes
C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ea96ae41f6dec70ce9f72ae9ef783c52.exe.dll
  Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe
    command line: /s C:\Users\Admin\AppData\Local\Temp\ea96ae41f6dec70ce9f72ae9ef783c52.exe.dll