Analysis
- max time kernel: 150s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 21:07

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 98ff05d78e476e05838f7483d6d47aa91123cabbf8b5123989bd7e2969778c61.dll
  - Resource: win7-20221111-en
General
- Target: 98ff05d78e476e05838f7483d6d47aa91123cabbf8b5123989bd7e2969778c61.dll
- Size: 1.1MB
- MD5: 640895fa0a1c22cf32b63cdd43727225
- SHA1: 6ed85dca7bbd489ed0e404337e855df3d835d0ae
- SHA256: 98ff05d78e476e05838f7483d6d47aa91123cabbf8b5123989bd7e2969778c61
- SHA512: bc40a3e79b9c076048b3e239f81368fde349b11e67c0daa1121a39595eafe676178d816ce354639e737f6fb94e1b84769f20296374d23e516985de5316c28f3b
- SSDEEP: 24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69oTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4L
Malware Config
Extracted: gozi
- gozi 1000
  - http://ey7kuuklgieop2pq.onion
  - http://drunt.at
  - http://news-deck.at
  - http://taslks.at
- build: 217107
- dga_base_url: constitution.org/usdeclar.txt
- dga_crc: 0x4eb7d2ca
- dga_season: 10
- dga_tlds: com, ru, org
- exe_type: worker
- server_id: 12
Signatures

Unexpected DNS network traffic destination (3 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
- Destination IP: 208.67.222.222 (reported 3 times)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Explorer.EXE
- Set value (str) by Explorer.EXE: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Certsadu = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Dmocsenh\\blbrroxy.dll\",DllRegisterServer"

Suspicious use of SetThreadContext (4 IoCs)
Processes: rundll32.exe, control.exe, Explorer.EXE
- PID 1432 (rundll32.exe) set thread context of PID 884 (control.exe)
- PID 884 (control.exe) set thread context of PID 1284 (Explorer.EXE)
- PID 884 (control.exe) set thread context of PID 924 (rundll32.exe)
- PID 1284 (Explorer.EXE) set thread context of PID 1596 (cmd.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe, Explorer.EXE
- PID 1432 rundll32.exe
- PID 1284 Explorer.EXE

Suspicious behavior: MapViewOfSection (4 IoCs)
Processes: rundll32.exe, control.exe, Explorer.EXE
- PID 1432 rundll32.exe
- PID 884 control.exe (reported 2 times)
- PID 1284 Explorer.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: Explorer.EXE
- PID 1284 Explorer.EXE

Suspicious use of WriteProcessMemory (39 IoCs)
Processes: rundll32.exe, rundll32.exe, control.exe, Explorer.EXE, cmd.exe
- PID 1552 (rundll32.exe) wrote to memory of PID 1432 (rundll32.exe): 7 times
- PID 1432 (rundll32.exe) wrote to memory of PID 884 (control.exe): 7 times
- PID 884 (control.exe) wrote to memory of PID 1284 (Explorer.EXE): 3 times
- PID 884 (control.exe) wrote to memory of PID 924 (rundll32.exe): 6 times
- PID 1284 (Explorer.EXE) wrote to memory of PID 816 (cmd.exe): 3 times
- PID 816 (cmd.exe) wrote to memory of PID 1572 (nslookup.exe): 3 times
- PID 1284 (Explorer.EXE) wrote to memory of PID 1252 (cmd.exe): 3 times
- PID 1284 (Explorer.EXE) wrote to memory of PID 1596 (cmd.exe): 7 times
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\98ff05d78e476e05838f7483d6d47aa91123cabbf8b5123989bd7e2969778c61.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\98ff05d78e476e05838f7483d6d47aa91123cabbf8b5123989bd7e2969778c61.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\control.exe
        Command line: C:\Windows\system32\control.exe /?
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?

  C:\Windows\system32\cmd.exe
    Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\1BC0.bi1"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\nslookup.exe
      Command line: nslookup myip.opendns.com resolver1.opendns.com

  C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1BC0.bi1"

  C:\Windows\syswow64\cmd.exe
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\1BC0.bi1
- Filesize: 118B
- MD5: 41a49d1a2a3a8713a12ccf89932d4bb7
- SHA1: b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287
- SHA256: f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe
- SHA512: 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

C:\Users\Admin\AppData\Roaming\Microsoft\Dmocsenh\blbrroxy.dll
- Filesize: 1.1MB
- MD5: 640895fa0a1c22cf32b63cdd43727225
- SHA1: 6ed85dca7bbd489ed0e404337e855df3d835d0ae
- SHA256: 98ff05d78e476e05838f7483d6d47aa91123cabbf8b5123989bd7e2969778c61
- SHA512: bc40a3e79b9c076048b3e239f81368fde349b11e67c0daa1121a39595eafe676178d816ce354639e737f6fb94e1b84769f20296374d23e516985de5316c28f3b
Memory dumps
- memory/816-75-0x0000000000000000-mapping.dmp
- memory/884-74-0x0000000000390000-0x0000000000444000-memory.dmp (720KB)
- memory/884-72-0x0000000000390000-0x0000000000444000-memory.dmp (720KB)
- memory/884-66-0x0000000000000000-mapping.dmp
- memory/884-68-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp (8KB)
- memory/924-70-0x0000000000000000-mapping.dmp
- memory/924-73-0x0000000001B90000-0x0000000001C44000-memory.dmp (720KB)
- memory/1252-77-0x0000000000000000-mapping.dmp
- memory/1284-71-0x0000000003DB0000-0x0000000003E64000-memory.dmp (720KB)
- memory/1432-57-0x0000000010000000-0x0000000010A16000-memory.dmp (10.1MB)
- memory/1432-59-0x0000000000220000-0x000000000026B000-memory.dmp (300KB)
- memory/1432-58-0x0000000010000000-0x0000000010A16000-memory.dmp (10.1MB)
- memory/1432-67-0x0000000010000000-0x0000000010A16000-memory.dmp (10.1MB)
- memory/1432-54-0x0000000000000000-mapping.dmp
- memory/1432-56-0x0000000010000000-0x000000001004D000-memory.dmp (308KB)
- memory/1432-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp (8KB)
- memory/1572-76-0x0000000000000000-mapping.dmp
- memory/1596-80-0x0000000000000000-mapping.dmp
- memory/1596-81-0x00000000001C0000-0x0000000000267000-memory.dmp (668KB)