Analysis
- Max time kernel: 44s
- Max time network: 49s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 04-06-2022 00:11
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe
  - Resource: win7-20220414-en
General
- Target: 11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe
- Size: 308KB
- MD5: 434e2060c3650402e75bfce4b8f6034e
- SHA1: 0afdf4a1eabd95380e045111fb4f76f170e38ee4
- SHA256: 11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845
- SHA512: e755ddbb3bd122fc96a6e7dd8e89d58cfceb57922bb8affff4ad7cb834b776b6e9e0cad5be7f6157231b13833f094fe7b1dfa2f1cc79d141d323b97a86e4e979
Malware Config
Extracted
- Family: gozi_ifsb
- 1010
- C2:
  - sys.mohitsagarmusic.com/bcms/assets/img
  - sys.dylanlake653.com/bcms/assets/img
  - sys.cozmoattire.com/bcms/assets/img
  - sys.nahualbrand.com/bcms/assets/img
  - lansystemstat.com/bcms/assets/img
  - highnetwork.pw/bcms/assets/img
  - lostnetwork.in/bcms/assets/img
  - sysconnections.net/bcms/assets/img
  - lansupports.com/bcms/assets/img
- exe_type: worker
- server_id: 35
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1540 (11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe) set thread context of PID 884 (11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1540 (11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe)
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 1540 (11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe) wrote to memory of PID 884 (11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe), 12 identical entries
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe (command line "C:\Users\Admin\AppData\Local\Temp\11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe")
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Level 2 (child): C:\Users\Admin\AppData\Local\Temp\11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe (command line "C:\Users\Admin\AppData\Local\Temp\11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe")
Downloads
- memory/884-57-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
- memory/884-58-0x0000000000401076-mapping.dmp
- memory/884-61-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
- memory/884-62-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
- memory/884-63-0x0000000000400000-0x0000000000439000-memory.dmp (228KB)
- memory/1540-56-0x0000000074B51000-0x0000000074B53000-memory.dmp (8KB)
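The Signatures, Malware Config and Downloads sections above are flattened report tables. The script below is an added example, not part of the sandbox report or of any vendor's tooling: it parses the flattened signature records into (source PID, action, target PID) tuples, flags the (1540 -> 884) pair as a write-then-SetThreadContext injection into a copy of the same image, splits the extracted C2 entries into host and path, and recomputes the dump sizes from the address ranges in the dump file names (0x439000 - 0x400000 is 228KB, matching the listed size). The regexes, the `injection_chains` heuristic and the constructed sample strings are this example's own; the values they are built from are copied from the report.

```python
import re
from collections import defaultdict

# Constructed sample input: the signature records from the report above,
# with the sample's long file name kept in one constant.
SAMPLE = "11c554a1ed8952b63677542071f87a7349d0d508371e61236c82b3de62ce8845.exe"
SIGNATURE_TEXT = (
    f"PID 1540 set thread context of 884 1540 {SAMPLE} {SAMPLE} "
    + (f"PID 1540 wrote to memory of 884 1540 {SAMPLE} {SAMPLE} " * 12)
)

# Constructed sample input: the C2 list from the extracted gozi_ifsb config.
C2_LIST = [
    "sys.mohitsagarmusic.com/bcms/assets/img",
    "sys.dylanlake653.com/bcms/assets/img",
    "sys.cozmoattire.com/bcms/assets/img",
    "sys.nahualbrand.com/bcms/assets/img",
    "lansystemstat.com/bcms/assets/img",
    "highnetwork.pw/bcms/assets/img",
    "lostnetwork.in/bcms/assets/img",
    "sysconnections.net/bcms/assets/img",
    "lansupports.com/bcms/assets/img",
]

# Constructed sample input: dump file names from the Downloads section.
DUMP_NAMES = [
    "memory/884-57-0x0000000000400000-0x0000000000439000-memory.dmp",
    "memory/884-58-0x0000000000401076-mapping.dmp",
    "memory/1540-56-0x0000000074B51000-0x0000000074B53000-memory.dmp",
]

# One flattened record: "PID <src> <action> of <dst> <src> <src image> <dst image>".
# The back-reference (?P=src) enforces the repeated source PID the report emits.
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context|wrote to memory) of "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)"
)
# Dump names carry pid, sequence number, start address and (for region dumps) end address.
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
)


def parse_records(text):
    """Return (src_pid, action, dst_pid, src_image, dst_image) tuples."""
    return [
        (int(m["src"]), m["action"], int(m["dst"]), m["src_image"], m["dst_image"])
        for m in RECORD_RE.finditer(text)
    ]


def injection_chains(records):
    """Group records per (src, dst) pair and flag pairs that received both
    memory writes and a thread-context change: the write-then-redirect order
    seen in process hollowing and similar self-injection (heuristic of this example)."""
    by_pair = defaultdict(lambda: {"writes": 0, "context_sets": 0, "images": set()})
    for src, action, dst, src_img, dst_img in records:
        entry = by_pair[(src, dst)]
        entry["writes" if action == "wrote to memory" else "context_sets"] += 1
        entry["images"].add((src_img, dst_img))
    chains = []
    for (src, dst), e in sorted(by_pair.items()):
        if e["writes"] and e["context_sets"]:
            chains.append({
                "src": src, "dst": dst,
                "writes": e["writes"], "context_sets": e["context_sets"],
                # Same image on both sides: the sample injected into a copy of itself.
                "self_injection": all(a == b for a, b in e["images"]),
            })
    return chains


def parse_c2(entries):
    """Split 'host/path' config entries into (host, path) pairs."""
    return [(host, "/" + path) for host, _, path in (e.partition("/") for e in entries)]


def parse_dump(name):
    """Return (pid, kind, start, size_bytes) for a dump file name;
    size is None for a single-address mapping dump."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    size = int(m["end"], 16) - start if m["end"] else None
    return int(m["pid"]), m["kind"], start, size


if __name__ == "__main__":
    for chain in injection_chains(parse_records(SIGNATURE_TEXT)):
        print(chain)
    for host, path in parse_c2(C2_LIST):
        print(f"C2 host {host} path {path}")
    for name in DUMP_NAMES:
        pid, kind, start, size = parse_dump(name)
        print(f"pid {pid} {kind} @0x{start:08X} size {size and size // 1024} KB")
```

Run as-is to print the single injection chain (12 writes, 1 context set, same image on both sides), the nine C2 hosts all sharing the `/bcms/assets/img` path, and the recomputed dump sizes. Blocking on the host list alone is fragile; the shared URI path is the more durable pivot for the C2 entries on this page.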