Analysis

  • max time kernel
    142s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-02-2022 09:34

General

  • Target

    a4e3b205523d28cb8482729675d70e1cf88d81f0081825fecf86274b07ea1578.dll

  • Size

    42KB

  • MD5

    8228ee6b537209f37b61def0fed70896

  • SHA1

    5eebb557b3597a55d0637b9facc64188ec302b42

  • SHA256

    a4e3b205523d28cb8482729675d70e1cf88d81f0081825fecf86274b07ea1578

  • SHA512

    adcc34a7f5676cabf3708f035c401ee48ba46fe3494036db9e2a74af84b273a260b0cc4f21b38f3ed4a0e849c5116fdaf6dd4a0f1003d028782ef9df343c9a77

Malware Config

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Sets service image path in registry 2 TTPs
  • Drops file in Windows directory 6 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a4e3b205523d28cb8482729675d70e1cf88d81f0081825fecf86274b07ea1578.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\a4e3b205523d28cb8482729675d70e1cf88d81f0081825fecf86274b07ea1578.dll
      2⤵
        PID:1180
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 97f4a054066e3c4b76e875bfe93761be nvpuGvYjIkeXhUYmuHN8yw.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:4596
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1356

Network

    • flag-us
      DNS
      settings-win.data.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      settings-win.data.microsoft.com
      IN A
      Response
      settings-win.data.microsoft.com
      IN CNAME
      settingsfd-geo.trafficmanager.net
      settingsfd-geo.trafficmanager.net
      IN A
      52.167.17.97
    • 52.167.17.97:443
      settings-win.data.microsoft.com
      tls, https
      2.6kB
      7.9kB
      15
      14
    • 52.167.17.97:443
      settings-win.data.microsoft.com
      tls, https
      2.0kB
      4.4kB
      12
      10
    • 52.167.17.97:443
      settings-win.data.microsoft.com
      tls, https
      1.6kB
      4.4kB
      12
      10
    • 52.167.17.97:443
      settings-win.data.microsoft.com
      tls, https
      1.3kB
      4.4kB
      12
      10
    • 52.167.17.97:443
      settings-win.data.microsoft.com
      tls, https
      1.8kB
      4.4kB
      12
      10
    • 67.24.27.254:80
      322 B
      7
    • 67.24.27.254:80
      322 B
      7
    • 67.24.27.254:80
      46 B
      40 B
      1
      1
    • 67.24.27.254:80
      46 B
      40 B
      1
      1
    • 8.8.8.8:53
      settings-win.data.microsoft.com
      dns
      77 B
      140 B
      1
      1

      DNS Request

      settings-win.data.microsoft.com

      DNS Response

      52.167.17.97

MITRE ATT&CK Enterprise v6


Downloads

    • memory/1180-130-0x00000000003E1000-0x00000000003E3000-memory.dmp

      Filesize

      8KB

    • memory/1356-131-0x000002EC7F330000-0x000002EC7F340000-memory.dmp

      Filesize

      64KB

    • memory/1356-132-0x000002EC7F390000-0x000002EC7F3A0000-memory.dmp

      Filesize

      64KB
