Analysis

max time kernel: 167s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 08-02-2022 00:40

Static task: static1
Behavioral task: behavioral1
Sample: urban.dll
Resource: win7-en-20211208
0 signatures, 0 seconds
General

Target: urban.dll
Size: 405KB
MD5: 8f6c878f21174f803a7879a4aee87b34
SHA1: 9f3bff82262133c9325bdebd282b71b58695906e
SHA256: 86b670d81a26ea394f7c0edebdc93e8f9bd6ce6e0a8d650e32a0fe36c93f0dee
SHA512: 8253513edf2e6f5b4890400aea147fea6f9467a2495f68ea2296e73a41fafbd635d6455336ab1a5a4e31a8059b75ad835aa17c9ba7f1fbbb416a4cc672f1f3d0
Malware Config

Extracted
Family: gozi_ifsb
Botnet: 1100
C2:
  api10.laptok.at/api1
  golang.feel500.at/api1
  go.in100k.at/api1
Attributes:
  build: 250180
  exe_type: loader
  server_id: 730
Extracted key material: rsa_pubkey.plain, serpent.plain
Signatures

Drops file in Windows directory (8 IoCs)
Processes: svchost.exe, TiWorker.exe

description                   ioc                                                        process
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log     svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm    svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log        svchost.exe
File opened for modification  C:\Windows\Logs\CBS\CBS.log                                TiWorker.exe
File opened for modification  C:\Windows\WinSxS\pending.xml                              TiWorker.exe
File opened for modification  C:\Windows\WindowsUpdate.log                               svchost.exe
File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk     svchost.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: svchost.exe, TiWorker.exe
Distinct token/process pairs (64 events in total):

description                       pid   process
Token: SeShutdownPrivilege        1536  svchost.exe
Token: SeCreatePagefilePrivilege  1536  svchost.exe
Token: SeSecurityPrivilege        1636  TiWorker.exe
Token: SeRestorePrivilege         1636  TiWorker.exe
Token: SeBackupPrivilege          1636  TiWorker.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe

description                         pid   process       target process
PID 3632 wrote to memory of 1504    3632  rundll32.exe  rundll32.exe
PID 3632 wrote to memory of 1504    3632  rundll32.exe  rundll32.exe
PID 3632 wrote to memory of 1504    3632  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\urban.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\urban.dll,#1

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

file                                                              size
memory/1504-138-0x0000000075830000-0x00000000758F0000-memory.dmp  768KB
memory/1504-139-0x0000000000C30000-0x0000000000C31000-memory.dmp  4KB
memory/1504-141-0x0000000075830000-0x00000000758F0000-memory.dmp  768KB
memory/1504-140-0x0000000075830000-0x000000007583F000-memory.dmp  60KB
memory/1536-130-0x00000146B0390000-0x00000146B03A0000-memory.dmp  64KB
memory/1536-137-0x00000146B3110000-0x00000146B3114000-memory.dmp  16KB