Analysis
- max time kernel: 169s
- max time network: 176s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 05:35
Static task: static1
Behavioral task: behavioral1
- Sample: 71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e.dll
- Resource: win10v2004-20220414-en
General
- Target: 71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e.dll
- Size: 1.1MB
- MD5: 8f0ffcd74556bcc700158d38e02b00ee
- SHA1: 8e8706b6394a205eb4cb5d23dcb1f5fe5a0bafab
- SHA256: 71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e
- SHA512: eab7b400a0288a725196904228d38466efa6f0a120666781dee2fae0ac34f5275eb628e7a06af73f4fefec6d18e21e972c3e5cb133541809876daa4d52ea0517
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 1000
- C2: http://ey7kuuklgieop2pq.onion, http://shoshanna.at, http://buismashallah.at
- build: 217027
- dga_base_url: constitution.org/usdeclar.txt
- dga_crc: 0x4eb7d2ca
- dga_season: 10
- dga_tlds: com, ru, org
- exe_type: worker
- server_id: 12
Signatures
- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  Destination IP: 208.67.222.222 (x3). This address is resolver1.opendns.com, the resolver queried by the nslookup myip.opendns.com command in the process tree below, so these hits are the sample's external-IP lookup rather than a change to the host's resolver settings.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Explorer.EXE set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfshngle = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypider\\bridclen.dll\",DllRegisterServer"
- Suspicious use of SetThreadContext (6 IoCs)
  PID 1848 rundll32.exe -> 4724 control.exe
  PID 4724 control.exe -> 3292 Explorer.EXE
  PID 3292 Explorer.EXE -> 3772 RuntimeBroker.exe
  PID 3292 Explorer.EXE -> 3992 RuntimeBroker.exe
  PID 4724 control.exe -> 5100 rundll32.exe
  PID 3292 Explorer.EXE -> 2260 cmd.exe
  Together with the WriteProcessMemory and MapViewOfSection hits on the same pids, this is the injection chain: rundll32.exe -> control.exe -> Explorer.EXE -> RuntimeBroker.exe, with the cmd.exe children spawned from the injected Explorer.EXE.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  1848 rundll32.exe (x2), 3292 Explorer.EXE (x2)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  3292 Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  1848 rundll32.exe (x1), 4724 control.exe (x2), 3292 Explorer.EXE (x3)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  3292 Explorer.EXE: SeShutdownPrivilege (x2), SeCreatePagefilePrivilege (x2)
- Suspicious use of SetWindowsHookEx (1 IoC)
  3292 Explorer.EXE
- Suspicious use of WriteProcessMemory (34 IoCs, collapsed by source -> target)
  PID 4420 rundll32.exe -> 1848 rundll32.exe (x3)
  PID 1848 rundll32.exe -> 4724 control.exe (x5)
  PID 4724 control.exe -> 3292 Explorer.EXE (x3)
  PID 3292 Explorer.EXE -> 3772 RuntimeBroker.exe (x3)
  PID 3292 Explorer.EXE -> 3992 RuntimeBroker.exe (x3)
  PID 4724 control.exe -> 5100 rundll32.exe (x5)
  PID 3292 Explorer.EXE -> 4604 cmd.exe (x2)
  PID 4604 cmd.exe -> 224 nslookup.exe (x2)
  PID 3292 Explorer.EXE -> 1424 cmd.exe (x2)
  PID 3292 Explorer.EXE -> 2260 cmd.exe (x6)
Processes
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e.dll,#1
      signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\control.exe
        cmdline: C:\Windows\system32\control.exe /?
        signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\rundll32.exe
          cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
  - C:\Windows\system32\cmd.exe
    cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\81D0.bi1"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe
      cmdline: nslookup myip.opendns.com resolver1.opendns.com
  - C:\Windows\system32\cmd.exe
    cmdline: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\81D0.bi1"
  - C:\Windows\syswow64\cmd.exe
    cmdline: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
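The following is an added example, not part of this sandbox report, showing how the behaviours in the Signatures and Processes sections above turn into host-side detection rules: the Run key pointing rundll32 at a DLL under AppData\Roaming, the nslookup myip.opendns.com external-IP lookup, DNS-port traffic to a resolver the host is not configured to use, and the SetThreadContext chain from rundll32.exe through control.exe into Explorer.EXE and RuntimeBroker.exe. The events it runs over are constructed from the report's tables in a Sysmon-like shape; the field names, the configured resolver 10.0.0.53 and the severity labels are assumptions.

```python
"""Host-side detection for the behaviours this report records.
Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed from the
report's tables in a Sysmon-like shape; field names and resolver 10.0.0.53 are assumptions."""
import re
from collections import defaultdict

CONFIGURED_DNS = {"10.0.0.53"}                        # assumed resolver for this host
SYSTEM_HOSTS = {"explorer.exe", "runtimebroker.exe"}  # trusted images the sample ends up inside

RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
APPDATA_DLL = re.compile(r"appdata\\roaming\\[^\"]+\.dll", re.I)
MYIP_LOOKUP = re.compile(r"nslookup\s+myip\.opendns\.com\s+resolver\d\.opendns\.com", re.I)

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e.dll"

SAMPLE_EVENTS = [  # constructed from the report, not captured telemetry
    {"type": "process", "pid": 1848, "image": "rundll32.exe", "parent": "rundll32.exe", "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process", "pid": 4724, "image": "control.exe", "parent": "rundll32.exe", "cmdline": r"C:\Windows\system32\control.exe /?"},
    {"type": "process", "pid": 5100, "image": "rundll32.exe", "parent": "control.exe", "cmdline": r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?'},
    {"type": "process", "pid": 3292, "image": "Explorer.EXE", "parent": "-", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "process", "pid": 3772, "image": "RuntimeBroker.exe", "parent": "-", "cmdline": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
    {"type": "process", "pid": 3992, "image": "RuntimeBroker.exe", "parent": "-", "cmdline": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
    {"type": "process", "pid": 4604, "image": "cmd.exe", "parent": "Explorer.EXE",
     "cmdline": r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\81D0.bi1"'},
    {"type": "process", "pid": 224, "image": "nslookup.exe", "parent": "cmd.exe", "cmdline": "nslookup myip.opendns.com resolver1.opendns.com"},
    {"type": "process", "pid": 2260, "image": "cmd.exe", "parent": "Explorer.EXE", "cmdline": r'"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,'},
    {"type": "registry", "pid": 3292, "image": "Explorer.EXE", "value": "dfshngle",
     "key": r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r'rundll32 "C:\Users\Admin\AppData\Roaming\Microsoft\Crypider\bridclen.dll",DllRegisterServer'},
    # SetThreadContext hops exactly as the report's signature table lists them
    {"type": "thread_context", "pid": 1848, "target_pid": 4724},
    {"type": "thread_context", "pid": 4724, "target_pid": 3292},
    {"type": "thread_context", "pid": 3292, "target_pid": 3772},
    {"type": "thread_context", "pid": 3292, "target_pid": 3992},
    {"type": "thread_context", "pid": 4724, "target_pid": 5100},
    {"type": "thread_context", "pid": 3292, "target_pid": 2260},
    # one DNS-port flow to OpenDNS (from the report) and one benign flow to the assumed resolver
    {"type": "network", "pid": 224, "dst_ip": "208.67.222.222", "dst_port": 53},
    {"type": "network", "pid": 224, "dst_ip": "10.0.0.53", "dst_port": 53},
]


def check_run_key(ev):
    """Run value that launches rundll32 on a DLL under AppData\\Roaming via DllRegisterServer."""
    if ev["type"] != "registry" or not RUN_KEY.search(ev["key"]):
        return None
    data = ev["data"].lower()
    if "rundll32" in data and "dllregisterserver" in data and APPDATA_DLL.search(data):
        return f"persistence: {ev['image']} (pid {ev['pid']}) set Run\\{ev['value']} = {ev['data']}"
    return None


def check_external_ip_lookup(ev):
    """nslookup of myip.opendns.com against an OpenDNS resolver: the sample learning its public IP."""
    if ev["type"] == "process" and ev["image"].lower() == "nslookup.exe" and MYIP_LOOKUP.search(ev["cmdline"]):
        return f"recon: external IP lookup by pid {ev['pid']} (parent {ev['parent']}): {ev['cmdline']}"
    return None


def check_dns_bypass(ev):
    """DNS-port traffic to a resolver the host is not configured to use."""
    if ev["type"] == "network" and ev["dst_port"] == 53 and ev["dst_ip"] not in CONFIGURED_DNS:
        return f"dns: pid {ev['pid']} sent DNS traffic to unconfigured resolver {ev['dst_ip']}"
    return None


def injection_chains(events):
    """Follow SetThreadContext hops from each originating pid to every leaf; returns pid lists."""
    hops = defaultdict(list)
    for ev in events:
        if ev["type"] == "thread_context":
            hops[ev["pid"]].append(ev["target_pid"])
    chains = []

    def walk(path):
        nxt = [t for t in hops.get(path[-1], []) if t not in path]  # guard against cycles
        if not nxt:
            chains.append(path)
        for t in nxt:
            walk(path + [t])

    targets = {t for ts in hops.values() for t in ts}
    for root in sorted(set(hops) - targets):
        walk([root])
    return chains


def run(events):
    """Apply every rule; one finding string per hit."""
    images = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process"}
    findings = []
    for ev in events:
        for rule in (check_run_key, check_external_ip_lookup, check_dns_bypass):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    for chain in injection_chains(events):
        hosts = [images.get(p, "?") for p in chain]
        # a hop that lands inside Explorer/RuntimeBroker is the high-confidence signal
        severity = "high" if any(h.lower() in SYSTEM_HOSTS for h in hosts[1:]) else "medium"
        findings.append(f"injection({severity}): " + " -> ".join(f"{h}({p})" for h, p in zip(hosts, chain)))
    return findings
```

Running `run(SAMPLE_EVENTS)` yields seven findings: one persistence hit, one recon hit, one DNS hit (the flow to 10.0.0.53 is silent), and four injection chains, three rated high because they pass through Explorer.EXE and one rated medium (rundll32.exe -> control.exe -> rundll32.exe). The DNS rule on its own is noisy on real hosts, since any nslookup against a public resolver fires it; it earns its keep when correlated with the myip.opendns.com lookup and the chain that spawned cmd.exe from Explorer.EXE.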
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\81D0.bi1
  Filesize: 118B
  MD5: ace7e9f29953c4fbd6a930b50f792079
  SHA1: 97511e3438221ac9c30944fca7b91e87978c1248
  SHA256: 58b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8
  SHA512: 5dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106
  (the redirect target of the nslookup and echo commands in the process tree)
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypider\bridclen.dll
  Filesize: 1.1MB
  MD5: 8f0ffcd74556bcc700158d38e02b00ee
  SHA1: 8e8706b6394a205eb4cb5d23dcb1f5fe5a0bafab
  SHA256: 71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e
  SHA512: eab7b400a0288a725196904228d38466efa6f0a120666781dee2fae0ac34f5275eb628e7a06af73f4fefec6d18e21e972c3e5cb133541809876daa4d52ea0517
  (byte-identical to the submitted sample; this is the copy the Run key launches)
- memory/224-157-0x0000000000000000-mapping.dmp
- memory/1424-158-0x0000000000000000-mapping.dmp
- memory/1848-137-0x0000000002360000-0x0000000002D7B000-memory.dmp (10.1MB)
- memory/1848-136-0x0000000002361000-0x0000000002418000-memory.dmp (732KB)
- memory/1848-139-0x0000000000BF0000-0x0000000000C3A000-memory.dmp (296KB)
- memory/1848-132-0x0000000002360000-0x0000000002D7B000-memory.dmp (10.1MB)
- memory/1848-147-0x0000000002360000-0x0000000002D7B000-memory.dmp (10.1MB)
- memory/1848-135-0x0000000002360000-0x00000000023AB000-memory.dmp (300KB)
- memory/1848-131-0x0000000000000000-mapping.dmp
- memory/1848-138-0x0000000002360000-0x0000000002D7B000-memory.dmp (10.1MB)
- memory/1848-134-0x0000000002360000-0x0000000002D7B000-memory.dmp (10.1MB)
- memory/2260-162-0x0000000000116B20-0x0000000000116B24-memory.dmp (4B)
- memory/2260-161-0x0000000000000000-mapping.dmp
- memory/2260-163-0x0000000000DC0000-0x0000000000E64000-memory.dmp (656KB)
- memory/3292-149-0x0000000003380000-0x0000000003431000-memory.dmp (708KB)
- memory/3772-152-0x000002C9F0DB0000-0x000002C9F0E61000-memory.dmp (708KB)
- memory/3992-153-0x000001500FC30000-0x000001500FCE1000-memory.dmp (708KB)
- memory/4604-156-0x0000000000000000-mapping.dmp
- memory/4724-155-0x0000000000B40000-0x0000000000BF1000-memory.dmp (708KB)
- memory/4724-151-0x0000000000B40000-0x0000000000BF1000-memory.dmp (708KB)
- memory/4724-146-0x0000000000000000-mapping.dmp
- memory/5100-154-0x000001E1867F0000-0x000001E1868A1000-memory.dmp (708KB)
- memory/5100-150-0x0000000000000000-mapping.dmp

The 708KB regions in pids 4724, 3292, 3772, 3992 and 5100 are all the same size and correspond one-to-one with the SetThreadContext targets listed under Signatures, so those dumps are the ones to examine for the injected module; the 10.1MB regions in pid 1848 belong to the loader stage in the first rundll32.exe.