Analysis
-
max time kernel
25s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 22:00
General
-
Target
cfd755636879572affa82b2003d7f1cf4eb4eff3a3e600b811f418bf8ba9e657.exe
-
Size
908KB
-
MD5
ab4213c5cd85873ca14ecd8e4b600bf7
-
SHA1
59eedb60d448d350db8f3eea38ef751d290ec1d1
-
SHA256
cfd755636879572affa82b2003d7f1cf4eb4eff3a3e600b811f418bf8ba9e657
-
SHA512
4913f59e79f540c45ff5dd8e06d0c0fd129ff9a82aed33308ab818d8947bec45a934f43da8cf6057125ad368b3ee49d5c74eebb418b581619533151d3c394736
Score
10/10
Malware Config
Extracted
Family
gozi_rm3
Attributes
-
build
300854
-
exe_type
loader
Extracted
Family
gozi_rm3
Botnet
202004141
C2
https://devicelease.xyz
Attributes
-
build
300854
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
loader
-
server_id
12
-
url_path
index.htm
rsa_pubkey.plain
serpent.plain
Signatures
-
Gozi RM3
A heavily modified version of Gozi using RM3 loader.
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfd755636879572affa82b2003d7f1cf4eb4eff3a3e600b811f418bf8ba9e657.exe"C:\Users\Admin\AppData\Local\Temp\cfd755636879572affa82b2003d7f1cf4eb4eff3a3e600b811f418bf8ba9e657.exe"1⤵
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1632 CREDAT:82950 /prefetch:22⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4764 CREDAT:17410 /prefetch:22⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1300 CREDAT:17410 /prefetch:22⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:17410 /prefetch:22⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4260 CREDAT:17410 /prefetch:22⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3400-130-0x0000000000580000-0x0000000000591000-memory.dmpFilesize
68KB
-
memory/3400-137-0x0000000000400000-0x00000000004E5000-memory.dmpFilesize
916KB
-
memory/3400-136-0x0000000000560000-0x000000000056C000-memory.dmpFilesize
48KB