Analysis
-
max time kernel
4294206s -
max time network
162s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
19/03/2022, 21:57
Static task
static1
Behavioral task
behavioral1
Sample
7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239.dll
Resource
win7-20220311-en
0 signatures
0 seconds
General
-
Target
7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239.dll
-
Size
148KB
-
MD5
c29a1f7211c26f5d426f659f6a89aadd
-
SHA1
dbd953210cdf7fdfb6fab6012a842aeb40f622a5
-
SHA256
7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239
-
SHA512
6c3a6180ca9c165c41b7ad76be99cfc05bceda4f49f467c15d8194a37dcb2871394fd2cb108356e23057263557b33a8d45eec1b55fce7c145db664660a9d6e0b
Malware Config
Extracted
Family
gozi_ifsb
Botnet
7244
C2
web.vortex.data.microsoft.com
ocsp.sca1b.amazontrust.com
gstatici.com
Attributes
-
build
250167
-
dns_servers
107.174.86.134
107.175.127.22
-
exe_type
loader
-
server_id
12
rsa_pubkey.plain
serpent.plain
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6991E841-A82C-11EC-AAE0-5ECE7ED1C3DF} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d29925393cd801 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000295542c58d6858cea55f0702a27109a5c7f3e545be5c46c4bfa64c82b2a132c6000000000e80000000020000200000001990f6191c6cb68ec2b6b4472eb8bbef80abecf8ba38f4ed7a0844a34194cc6c200000003864dd430ae294209d6a25186fa4616adc7203a7f37f00d09133fc8dbebc921b40000000a40b374fad1dab3a7ae2ca807250b77b52a51c5e28d94464d790b4773fa27f2fa7687f04e699636576d30dce75e6d50f24bd14343269eb7f5e68af7cbe38317f iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d8f8b5d2fcdd154fb512d53e64640bcc00000000020000000000106600000001000020000000c4c4f561c46ed2dd77b8ab1277afd541bbadc94e85b3371ddbdd3374650a075d000000000e80000000020000200000005f4d797955b01e1ef63fe478b8b7c35dc336906203df36e99ec6c733c42db67d900000001fa55d78c49a76e9a1a1f54238a2c29cb189e538275cd36a316d37af3c0e1a526dd3dc87b113309cb575c5746183a469d39760d61bdcfd863fd4b399b332b5003a4abbcff9d76377127d64f0fb3324fa464e3418cada9e2171579fba70cc53225b05bcf6370551096aa70a600acb8d6b79c6d1b02598293a7edba632e01fc67019297b52942657b1becf6802bb64aadb40000000090dd7b9e5cd40bb38dbe5da7c135ae7ae730f5bd7d80c2a42397d3fed31ab52143e8c3f51bdd9cf0f1b2d13ffa172f8800144f01a46fdabc97ec6c7d0743bc5 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{791B81E1-A82C-11EC-AAE0-5ECE7ED1C3DF} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34838281-A82C-11EC-AAE0-5ECE7ED1C3DF} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "354531810" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 544 iexplore.exe 908 iexplore.exe 2000 iexplore.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 544 iexplore.exe 544 iexplore.exe 1320 IEXPLORE.EXE 1320 IEXPLORE.EXE 908 iexplore.exe 908 iexplore.exe 1620 IEXPLORE.EXE 1620 IEXPLORE.EXE 2000 iexplore.exe 2000 iexplore.exe 968 IEXPLORE.EXE 968 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 656 wrote to memory of 1996 656 regsvr32.exe 28 PID 656 wrote to memory of 1996 656 regsvr32.exe 28 PID 656 wrote to memory of 1996 656 regsvr32.exe 28 PID 656 wrote to memory of 1996 656 regsvr32.exe 28 PID 656 wrote to memory of 1996 656 regsvr32.exe 28 PID 656 wrote to memory of 1996 656 regsvr32.exe 28 PID 656 wrote to memory of 1996 656 regsvr32.exe 28 PID 544 wrote to memory of 1320 544 iexplore.exe 33 PID 544 wrote to memory of 1320 544 iexplore.exe 33 PID 544 wrote to memory of 1320 544 iexplore.exe 33 PID 544 wrote to memory of 1320 544 iexplore.exe 33 PID 908 wrote to memory of 1620 908 iexplore.exe 36 PID 908 wrote to memory of 1620 908 iexplore.exe 36 PID 908 wrote to memory of 1620 908 iexplore.exe 36 PID 908 wrote to memory of 1620 908 iexplore.exe 36 PID 2000 wrote to memory of 968 2000 iexplore.exe 39 PID 2000 wrote to memory of 968 2000 iexplore.exe 39 PID 2000 wrote to memory of 968 2000 iexplore.exe 39 PID 2000 wrote to memory of 968 2000 iexplore.exe 39
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239.dll1⤵
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239.dll2⤵PID:1996
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1320
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:908 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2000 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:968
-