Analysis
-
max time kernel
61s
-
max time network
71s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
-
submitted
19-10-2022 07:54
Static task
static1
Behavioral task
behavioral1
Sample
1dba5f321b3b289692f794c663ba008a9424f2a845f4b453e00ce0ea52450845.dll
Resource
win7-20220812-en
2 signatures
150 seconds
General
-
Target
1dba5f321b3b289692f794c663ba008a9424f2a845f4b453e00ce0ea52450845.dll
-
Size
364KB
-
MD5
32a1ba8b559bf66052bc2eac774696ad
-
SHA1
8aacf9a09a59b703d9f24afc16188eb097f32710
-
SHA256
1dba5f321b3b289692f794c663ba008a9424f2a845f4b453e00ce0ea52450845
-
SHA512
683605a70b1c808430c7f5fea10ab23fa7e064afb2bf2f8b87aeeb1cc3c71732245b9533c421125fc89a35f9020a5a88d5be6886b16a9bfb64c2118fb38bc311
-
SSDEEP
6144:dMMEq6F3ZmdajnNFNxGYl67WJJW5ZtxfkUWHO8QzzAc:dMMEq6l1jNHxGdyJ0XfGHWzAc
Malware Config
Extracted
Family
gozi_ifsb
Botnet
1500
C2
app10.laptok.at
apt.feel500.at
init.in100k.at
Attributes
-
build
250188
-
exe_type
loader
-
server_id
580
rsa_pubkey.plain
aes.plain
Signatures
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                          pid   process       target process
PID 3628 wrote to memory of 2156     3628  regsvr32.exe  regsvr32.exe
PID 3628 wrote to memory of 2156     3628  regsvr32.exe  regsvr32.exe
PID 3628 wrote to memory of 2156     3628  regsvr32.exe  regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1dba5f321b3b289692f794c663ba008a9424f2a845f4b453e00ce0ea52450845.dll
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\1dba5f321b3b289692f794c663ba008a9424f2a845f4b453e00ce0ea52450845.dll
Network
MITRE ATT&CK Matrix
Downloads
-
memory/2156-132-0x0000000000000000-mapping.dmp
-
memory/2156-133-0x0000000074A00000-0x0000000074A0D000-memory.dmp
Filesize
52KB
-
memory/2156-134-0x0000000074A00000-0x0000000074F69000-memory.dmp
Filesize
5.4MB
-
memory/2156-135-0x0000000074A00000-0x0000000074F69000-memory.dmp
Filesize
5.4MB
-
memory/2156-136-0x0000000074A00000-0x0000000074F69000-memory.dmp
Filesize
5.4MB