Analysis
-
max time kernel
165s
-
max time network
164s
-
platform
windows10-2004_x64
-
resource
win10v2004-20221111-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
29-01-2023 21:07
Static task
static1
Behavioral task
behavioral1
Sample
eba1ce4d16eebf23a29d4d2ef10a69474d271d2851758f82fd9975a75b0ca9ea.dll
Resource
win7-20221111-en
General
-
Target
eba1ce4d16eebf23a29d4d2ef10a69474d271d2851758f82fd9975a75b0ca9ea.dll
-
Size
1.1MB
-
MD5
9d466161d5dde02bdf338c3151654db4
-
SHA1
6ddb9a8649a780a15a2f9b7d64262260d9c4a534
-
SHA256
eba1ce4d16eebf23a29d4d2ef10a69474d271d2851758f82fd9975a75b0ca9ea
-
SHA512
c868aa61f52ba125a7237b223f7d2a2801224e7dca34027abde2ff7b0785f2410194eb58df068a925d6bdea0305ee4d9a23072c110eb14d7c18c99c61aeb36bb
-
SSDEEP
24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69/TGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc48
Malware Config
Extracted
gozi
1000
http://ey7kuuklgieop2pq.onion
http://drunt.at
http://news-deck.at
http://taslks.at
-
build
217107
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Signatures
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Explorer.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adhap_ps = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypktop\\AzSqprop.dll\",DllRegisterServer" | Explorer.EXE
Suspicious use of SetThreadContext 7 IoCs
Processes: rundll32.exe, control.exe, Explorer.EXE
description | pid | process | target process
PID 3368 set thread context of 3556 | 3368 | rundll32.exe | control.exe
PID 3556 set thread context of 704 | 3556 | control.exe | Explorer.EXE
PID 704 set thread context of 3456 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 704 set thread context of 3728 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 3556 set thread context of 3684 | 3556 | control.exe | rundll32.exe
PID 704 set thread context of 4664 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 704 set thread context of 988 | 704 | Explorer.EXE | cmd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: rundll32.exe, Explorer.EXE
pid | process
3368 | rundll32.exe
3368 | rundll32.exe
704 | Explorer.EXE
704 | Explorer.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
704 | Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: rundll32.exe, control.exe, Explorer.EXE
pid | process
3368 | rundll32.exe
3556 | control.exe
704 | Explorer.EXE
704 | Explorer.EXE
3556 | control.exe
704 | Explorer.EXE
704 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: Explorer.EXE, RuntimeBroker.exe
description | pid | process
Token: SeShutdownPrivilege | 704 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 704 | Explorer.EXE
Token: SeShutdownPrivilege | 3456 | RuntimeBroker.exe
Token: SeShutdownPrivilege | 3456 | RuntimeBroker.exe
Token: SeShutdownPrivilege | 704 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 704 | Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Explorer.EXE
pid | process
704 | Explorer.EXE
Suspicious use of WriteProcessMemory 37 IoCs
Processes: rundll32.exe, rundll32.exe, control.exe, Explorer.EXE, cmd.exe
description | pid | process | target process
PID 3176 wrote to memory of 3368 | 3176 | rundll32.exe | rundll32.exe
PID 3176 wrote to memory of 3368 | 3176 | rundll32.exe | rundll32.exe
PID 3176 wrote to memory of 3368 | 3176 | rundll32.exe | rundll32.exe
PID 3368 wrote to memory of 3556 | 3368 | rundll32.exe | control.exe
PID 3368 wrote to memory of 3556 | 3368 | rundll32.exe | control.exe
PID 3368 wrote to memory of 3556 | 3368 | rundll32.exe | control.exe
PID 3368 wrote to memory of 3556 | 3368 | rundll32.exe | control.exe
PID 3368 wrote to memory of 3556 | 3368 | rundll32.exe | control.exe
PID 3556 wrote to memory of 704 | 3556 | control.exe | Explorer.EXE
PID 3556 wrote to memory of 704 | 3556 | control.exe | Explorer.EXE
PID 3556 wrote to memory of 704 | 3556 | control.exe | Explorer.EXE
PID 704 wrote to memory of 3456 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 3556 wrote to memory of 3684 | 3556 | control.exe | rundll32.exe
PID 3556 wrote to memory of 3684 | 3556 | control.exe | rundll32.exe
PID 3556 wrote to memory of 3684 | 3556 | control.exe | rundll32.exe
PID 704 wrote to memory of 3456 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 704 wrote to memory of 3456 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 704 wrote to memory of 3728 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 704 wrote to memory of 3728 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 704 wrote to memory of 3728 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 704 wrote to memory of 4664 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 3556 wrote to memory of 3684 | 3556 | control.exe | rundll32.exe
PID 3556 wrote to memory of 3684 | 3556 | control.exe | rundll32.exe
PID 704 wrote to memory of 4664 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 704 wrote to memory of 4664 | 704 | Explorer.EXE | RuntimeBroker.exe
PID 704 wrote to memory of 1016 | 704 | Explorer.EXE | cmd.exe
PID 704 wrote to memory of 1016 | 704 | Explorer.EXE | cmd.exe
PID 1016 wrote to memory of 1368 | 1016 | cmd.exe | nslookup.exe
PID 1016 wrote to memory of 1368 | 1016 | cmd.exe | nslookup.exe
PID 704 wrote to memory of 608 | 704 | Explorer.EXE | cmd.exe
PID 704 wrote to memory of 608 | 704 | Explorer.EXE | cmd.exe
PID 704 wrote to memory of 988 | 704 | Explorer.EXE | cmd.exe
PID 704 wrote to memory of 988 | 704 | Explorer.EXE | cmd.exe
PID 704 wrote to memory of 988 | 704 | Explorer.EXE | cmd.exe
PID 704 wrote to memory of 988 | 704 | Explorer.EXE | cmd.exe
PID 704 wrote to memory of 988 | 704 | Explorer.EXE | cmd.exe
PID 704 wrote to memory of 988 | 704 | Explorer.EXE | cmd.exe
Processes
(process tree; child processes are indented under their parent)
-
C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eba1ce4d16eebf23a29d4d2ef10a69474d271d2851758f82fd9975a75b0ca9ea.dll,#1
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\eba1ce4d16eebf23a29d4d2ef10a69474d271d2851758f82fd9975a75b0ca9ea.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\system32\control.exe
        Command line: C:\Windows\system32\control.exe /?
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
  -
  C:\Windows\system32\cmd.exe
    Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\1C9C.bi1"
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\nslookup.exe
      Command line: nslookup myip.opendns.com resolver1.opendns.com
  -
  C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1C9C.bi1"
  -
  C:\Windows\syswow64\cmd.exe
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
-
C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1C9C.bi1
Filesize
107B
MD5
82f12896705faeb1630b62f16d5f5cc8
SHA1
9ed376a84dd777c28d4510cd747da4fbbc2ff63b
SHA256
caccfc569992c55c1e532dd816a6e1846281397127c61e3403294d527780a35e
SHA512
e1f04928aea8e710cd34fd6a0580ad9fe2f045485574b1ba4e4e7db376cffd9dacbc15e51f54cb247a85985739b0d70b9e783c1e573ceb8785fc0662be35c379
-
C:\Users\Admin\AppData\Local\Temp\1C9C.bi1
Filesize
118B
MD5
41a49d1a2a3a8713a12ccf89932d4bb7
SHA1
b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287
SHA256
f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe
SHA512
1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypktop\AzSqprop.dll
Filesize
1.1MB
MD5
9d466161d5dde02bdf338c3151654db4
SHA1
6ddb9a8649a780a15a2f9b7d64262260d9c4a534
SHA256
eba1ce4d16eebf23a29d4d2ef10a69474d271d2851758f82fd9975a75b0ca9ea
SHA512
c868aa61f52ba125a7237b223f7d2a2801224e7dca34027abde2ff7b0785f2410194eb58df068a925d6bdea0305ee4d9a23072c110eb14d7c18c99c61aeb36bb
-
memory/608-155-0x0000000000000000-mapping.dmp
-
memory/704-147-0x00000000026A0000-0x0000000002754000-memory.dmp
Filesize
720KB
-
memory/988-160-0x0000000000B90000-0x0000000000C37000-memory.dmp
Filesize
668KB
-
memory/988-159-0x0000000000436B20-0x0000000000436B24-memory.dmp
Filesize
4B
-
memory/988-158-0x0000000000000000-mapping.dmp
-
memory/1016-153-0x0000000000000000-mapping.dmp
-
memory/1368-154-0x0000000000000000-mapping.dmp
-
memory/3368-144-0x0000000010000000-0x0000000010A16000-memory.dmp
Filesize
10.1MB
-
memory/3368-132-0x0000000000000000-mapping.dmp
-
memory/3368-136-0x00000000007F0000-0x000000000083B000-memory.dmp
Filesize
300KB
-
memory/3368-135-0x0000000010000000-0x0000000010A16000-memory.dmp
Filesize
10.1MB
-
memory/3368-134-0x0000000010000000-0x0000000010A16000-memory.dmp
Filesize
10.1MB
-
memory/3368-133-0x0000000010000000-0x000000001004D000-memory.dmp
Filesize
308KB
-
memory/3456-149-0x000001F5A5000000-0x000001F5A50B4000-memory.dmp
Filesize
720KB
-
memory/3556-143-0x0000000000000000-mapping.dmp
-
memory/3556-148-0x0000000000730000-0x00000000007E4000-memory.dmp
Filesize
720KB
-
memory/3684-151-0x00000226FCE40000-0x00000226FCEF4000-memory.dmp
Filesize
720KB
-
memory/3684-146-0x0000000000000000-mapping.dmp
-
memory/3728-150-0x00000168C9690000-0x00000168C9744000-memory.dmp
Filesize
720KB
-
memory/4664-152-0x000001F44DD30000-0x000001F44DDE4000-memory.dmp
Filesize
720KB