Analysis

  • max time kernel
    131s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19/03/2022, 21:57

General

  • Target

    7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239.dll

  • Size

    148KB

  • MD5

    c29a1f7211c26f5d426f659f6a89aadd

  • SHA1

    dbd953210cdf7fdfb6fab6012a842aeb40f622a5

  • SHA256

    7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239

  • SHA512

    6c3a6180ca9c165c41b7ad76be99cfc05bceda4f49f467c15d8194a37dcb2871394fd2cb108356e23057263557b33a8d45eec1b55fce7c145db664660a9d6e0b

Malware Config

Extracted

Family

gozi_ifsb

Botnet

7244

C2

web.vortex.data.microsoft.com

ocsp.sca1b.amazontrust.com

gstatici.com

Attributes
  • build

    250167

  • dns_servers

    107.174.86.134

    107.175.127.22

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

    suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:488
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\7e01b1eaa1318961ff0e0c10d45512a8d569948aa174f345f09cd8f3703ff239.dll
      2⤵
        PID:1216
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:3076
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4752
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4752 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:480
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:220
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:17410 /prefetch:2
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:4724
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer Phishing Filter
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4120

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1216-130-0x0000000000400000-0x000000000046C000-memory.dmp

              Filesize

              432KB

            • memory/1216-131-0x00000000016B0000-0x00000000016B1000-memory.dmp

              Filesize

              4KB