Analysis
-
max time kernel
169s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
01-07-2022 05:35
General
-
Target
71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e.dll
-
Size
1.1MB
-
MD5
8f0ffcd74556bcc700158d38e02b00ee
-
SHA1
8e8706b6394a205eb4cb5d23dcb1f5fe5a0bafab
-
SHA256
71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e
-
SHA512
eab7b400a0288a725196904228d38466efa6f0a120666781dee2fae0ac34f5275eb628e7a06af73f4fefec6d18e21e972c3e5cb133541809876daa4d52ea0517
Malware Config
Extracted
gozi_ifsb
1000
http://ey7kuuklgieop2pq.onion
http://shoshanna.at
http://buismashallah.at
-
build
217027
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\71d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e.dll,#13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\control.exeC:\Windows\system32\control.exe /?4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?5⤵
-
C:\Windows\system32\cmd.execmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\81D0.bi1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com3⤵
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\81D0.bi1"2⤵
-
C:\Windows\syswow64\cmd.exe"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\81D0.bi1Filesize
118B
MD5ace7e9f29953c4fbd6a930b50f792079
SHA197511e3438221ac9c30944fca7b91e87978c1248
SHA25658b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8
SHA5125dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106
-
C:\Users\Admin\AppData\Local\Temp\81D0.bi1Filesize
118B
MD5ace7e9f29953c4fbd6a930b50f792079
SHA197511e3438221ac9c30944fca7b91e87978c1248
SHA25658b498e17cfc59584aae9620ca60d657e3691c7bfc1896e581f3f9292390bfd8
SHA5125dc35105667f0e1231fd21b85a7dbc65f207251efbbe173545d8f0172272b0ad68cc084514f8b034b998194a4e63b29ffb862243c65bf14ab0eba3ee2d081106
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypider\bridclen.dllFilesize
1.1MB
MD58f0ffcd74556bcc700158d38e02b00ee
SHA18e8706b6394a205eb4cb5d23dcb1f5fe5a0bafab
SHA25671d9e57d89e3860945c8387a30003019db562b400b8622fa016269344179193e
SHA512eab7b400a0288a725196904228d38466efa6f0a120666781dee2fae0ac34f5275eb628e7a06af73f4fefec6d18e21e972c3e5cb133541809876daa4d52ea0517
-
memory/224-157-0x0000000000000000-mapping.dmp
-
memory/1424-158-0x0000000000000000-mapping.dmp
-
memory/1848-137-0x0000000002360000-0x0000000002D7B000-memory.dmpFilesize
10.1MB
-
memory/1848-136-0x0000000002361000-0x0000000002418000-memory.dmpFilesize
732KB
-
memory/1848-139-0x0000000000BF0000-0x0000000000C3A000-memory.dmpFilesize
296KB
-
memory/1848-132-0x0000000002360000-0x0000000002D7B000-memory.dmpFilesize
10.1MB
-
memory/1848-147-0x0000000002360000-0x0000000002D7B000-memory.dmpFilesize
10.1MB
-
memory/1848-135-0x0000000002360000-0x00000000023AB000-memory.dmpFilesize
300KB
-
memory/1848-131-0x0000000000000000-mapping.dmp
-
memory/1848-138-0x0000000002360000-0x0000000002D7B000-memory.dmpFilesize
10.1MB
-
memory/1848-134-0x0000000002360000-0x0000000002D7B000-memory.dmpFilesize
10.1MB
-
memory/2260-162-0x0000000000116B20-0x0000000000116B24-memory.dmpFilesize
4B
-
memory/2260-161-0x0000000000000000-mapping.dmp
-
memory/2260-163-0x0000000000DC0000-0x0000000000E64000-memory.dmpFilesize
656KB
-
memory/3292-149-0x0000000003380000-0x0000000003431000-memory.dmpFilesize
708KB
-
memory/3772-152-0x000002C9F0DB0000-0x000002C9F0E61000-memory.dmpFilesize
708KB
-
memory/3992-153-0x000001500FC30000-0x000001500FCE1000-memory.dmpFilesize
708KB
-
memory/4604-156-0x0000000000000000-mapping.dmp
-
memory/4724-155-0x0000000000B40000-0x0000000000BF1000-memory.dmpFilesize
708KB
-
memory/4724-151-0x0000000000B40000-0x0000000000BF1000-memory.dmpFilesize
708KB
-
memory/4724-146-0x0000000000000000-mapping.dmp
-
memory/5100-154-0x000001E1867F0000-0x000001E1868A1000-memory.dmpFilesize
708KB
-
memory/5100-150-0x0000000000000000-mapping.dmp