Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20/03/2022, 03:17

General

  • Target

    36549e3696fab16e1fb88e4f6bb076f8a4d07ace292396d727685b24c90920f4.dll

  • Size

    308KB

  • MD5

    5b2922162ea8506d525357c3d04bfe20

  • SHA1

    e9209d1fb4331f916feae3f5a64eb6a09ea09e18

  • SHA256

    36549e3696fab16e1fb88e4f6bb076f8a4d07ace292396d727685b24c90920f4

  • SHA512

    eae2d1dedc79d31991b46639f737f0e46425fd4c1d8d899b640341d1cae4dac86f8052ff1d578bab76bba8fba5cc3678d58205fd5fa59870a30dc9445aa57d66

Score
10/10

Malware Config

Extracted

Family

gozi_ifsb

Attributes
  • build

    250167

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Modifies Internet Explorer settings 1 TTPs 61 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\36549e3696fab16e1fb88e4f6bb076f8a4d07ace292396d727685b24c90920f4.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\36549e3696fab16e1fb88e4f6bb076f8a4d07ace292396d727685b24c90920f4.dll,#1
      2⤵
        PID:1540
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
        PID:3308
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3208 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4032
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3568
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3568 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4292
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4124

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1540-130-0x0000000000870000-0x000000000087C000-memory.dmp

              Filesize

              48KB

            • memory/1540-131-0x0000000010000000-0x000000001004E000-memory.dmp

              Filesize

              312KB