Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 21:08
Static task: static1
Behavioral task: behavioral1
Sample: 39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857.dll
Resource: win7-20221111-en
General
Target: 39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857.dll
Size: 1.1MB
MD5: eca15499ba78aa5aaf8d3ad2311ec097
SHA1: d30a04f76ad83f643342238411e5aebaef0b3442
SHA256: 39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857
SHA512: 2f34444ea9504a26bbba3748723737766f51cb83d94df375b15e423492424d50f4cc5b80ad8524f023e38cd5de6faf42b47b4f4b21de0386bc7154ccd21807bf
SSDEEP: 24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69vTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4s
Malware Config
Extracted
gozi
1000
http://ey7kuuklgieop2pq.onion
http://drunt.at
http://news-deck.at
http://taslks.at
build: 217107
dga_base_url: constitution.org/usdeclar.txt
dga_crc: 0x4eb7d2ca
dga_season: 10
dga_tlds: com, ru, org
exe_type: worker
server_id: 12
Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Explorer.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dhcptCSP = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Adsnuery\\altsCore.dll\",DllRegisterServer" | Explorer.EXE

- Suspicious use of SetThreadContext (7 IoCs)
  Processes: rundll32.exe, control.exe, Explorer.EXE
  description | pid process | target process
  PID 1852 set thread context of 4336 | 1852 rundll32.exe | control.exe
  PID 4336 set thread context of 2096 | 4336 control.exe | Explorer.EXE
  PID 2096 set thread context of 3456 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 2096 set thread context of 3808 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 2096 set thread context of 4716 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 4336 set thread context of 4804 | 4336 control.exe | rundll32.exe
  PID 2096 set thread context of 2640 | 2096 Explorer.EXE | cmd.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, Explorer.EXE
  pid process
  1852 rundll32.exe
  1852 rundll32.exe
  2096 Explorer.EXE
  2096 Explorer.EXE

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE
  pid process
  2096 Explorer.EXE

- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes: rundll32.exe, control.exe, Explorer.EXE
  pid process
  1852 rundll32.exe
  4336 control.exe
  2096 Explorer.EXE
  2096 Explorer.EXE
  2096 Explorer.EXE
  4336 control.exe
  2096 Explorer.EXE

- Suspicious use of AdjustPrivilegeToken (14 IoCs)
  Processes: Explorer.EXE, RuntimeBroker.exe
  description | pid process
  Token: SeShutdownPrivilege | 2096 Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2096 Explorer.EXE
  Token: SeShutdownPrivilege | 3456 RuntimeBroker.exe
  Token: SeShutdownPrivilege | 3456 RuntimeBroker.exe
  Token: SeShutdownPrivilege | 2096 Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2096 Explorer.EXE
  Token: SeShutdownPrivilege | 2096 Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2096 Explorer.EXE
  Token: SeShutdownPrivilege | 2096 Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2096 Explorer.EXE
  Token: SeShutdownPrivilege | 2096 Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2096 Explorer.EXE
  Token: SeShutdownPrivilege | 2096 Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2096 Explorer.EXE

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: Explorer.EXE
  pid process
  2096 Explorer.EXE

- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes: rundll32.exe, rundll32.exe, control.exe, Explorer.EXE, cmd.exe
  description | pid process | target process
  PID 2176 wrote to memory of 1852 | 2176 rundll32.exe | rundll32.exe
  PID 2176 wrote to memory of 1852 | 2176 rundll32.exe | rundll32.exe
  PID 2176 wrote to memory of 1852 | 2176 rundll32.exe | rundll32.exe
  PID 1852 wrote to memory of 4336 | 1852 rundll32.exe | control.exe
  PID 1852 wrote to memory of 4336 | 1852 rundll32.exe | control.exe
  PID 1852 wrote to memory of 4336 | 1852 rundll32.exe | control.exe
  PID 1852 wrote to memory of 4336 | 1852 rundll32.exe | control.exe
  PID 1852 wrote to memory of 4336 | 1852 rundll32.exe | control.exe
  PID 4336 wrote to memory of 2096 | 4336 control.exe | Explorer.EXE
  PID 4336 wrote to memory of 2096 | 4336 control.exe | Explorer.EXE
  PID 4336 wrote to memory of 2096 | 4336 control.exe | Explorer.EXE
  PID 2096 wrote to memory of 3456 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 2096 wrote to memory of 3456 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 2096 wrote to memory of 3456 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 2096 wrote to memory of 3808 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 4336 wrote to memory of 4804 | 4336 control.exe | rundll32.exe
  PID 4336 wrote to memory of 4804 | 4336 control.exe | rundll32.exe
  PID 4336 wrote to memory of 4804 | 4336 control.exe | rundll32.exe
  PID 2096 wrote to memory of 3808 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 2096 wrote to memory of 3808 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 2096 wrote to memory of 4716 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 2096 wrote to memory of 4716 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 2096 wrote to memory of 4716 | 2096 Explorer.EXE | RuntimeBroker.exe
  PID 4336 wrote to memory of 4804 | 4336 control.exe | rundll32.exe
  PID 4336 wrote to memory of 4804 | 4336 control.exe | rundll32.exe
  PID 2096 wrote to memory of 2760 | 2096 Explorer.EXE | cmd.exe
  PID 2096 wrote to memory of 2760 | 2096 Explorer.EXE | cmd.exe
  PID 2760 wrote to memory of 3532 | 2760 cmd.exe | nslookup.exe
  PID 2760 wrote to memory of 3532 | 2760 cmd.exe | nslookup.exe
  PID 2096 wrote to memory of 64 | 2096 Explorer.EXE | cmd.exe
  PID 2096 wrote to memory of 64 | 2096 Explorer.EXE | cmd.exe
  PID 2096 wrote to memory of 2640 | 2096 Explorer.EXE | cmd.exe
  PID 2096 wrote to memory of 2640 | 2096 Explorer.EXE | cmd.exe
  PID 2096 wrote to memory of 2640 | 2096 Explorer.EXE | cmd.exe
  PID 2096 wrote to memory of 2640 | 2096 Explorer.EXE | cmd.exe
  PID 2096 wrote to memory of 2640 | 2096 Explorer.EXE | cmd.exe
  PID 2096 wrote to memory of 2640 | 2096 Explorer.EXE | cmd.exe
Processes

- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857.dll,#1
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      - C:\Windows\system32\control.exe
        command line: C:\Windows\system32\control.exe /?
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        - C:\Windows\system32\rundll32.exe
          command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?

  - C:\Windows\system32\cmd.exe
    command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\EB74.bi1"
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\nslookup.exe
      command line: nslookup myip.opendns.com resolver1.opendns.com

  - C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EB74.bi1"

  - C:\Windows\syswow64\cmd.exe
    command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\EB74.bi1
  Filesize: 71B
  MD5: 1792be16e4b67d0f9ff430d4fce9e72b
  SHA1: 3f45cc3c374a72426471fe0095b54b4f4b48395f
  SHA256: 5a65f4bcc907ae201e795219a5b65a43ee1dae209cca2f9c50112050716febde
  SHA512: b16ed0ebbfa66afc005ef5b011ebb502c710b78f832219bbda73b0db00898b23d70d096db80a73b68633c895490d1263743c52b88291875e007971e8249d347b

- C:\Users\Admin\AppData\Local\Temp\EB74.bi1
  Filesize: 82B
  MD5: 1616f65c811cb62cf00f17c94a9cbc04
  SHA1: b2867938a622ebae050e450053d546bfac2010c7
  SHA256: 3b34c69e292128649217b26b9de9d75fe2c285d82773a37e100d9ad4db5fb256
  SHA512: 88c58f437c198e113f038e90311894bdf03b06ae6bff28f9c4242b51655f8bb8de15f237aa45fb9e730dab70ebc34c9e9c635f32702626b729dd4a6aa92c78ad

- C:\Users\Admin\AppData\Roaming\Microsoft\Adsnuery\altsCore.dll
  Filesize: 1.1MB
  MD5: eca15499ba78aa5aaf8d3ad2311ec097
  SHA1: d30a04f76ad83f643342238411e5aebaef0b3442
  SHA256: 39291f03b3f4b0230fb3920f36e6d260a8f0f498c1fb597a426981cfb0fa0857
  SHA512: 2f34444ea9504a26bbba3748723737766f51cb83d94df375b15e423492424d50f4cc5b80ad8524f023e38cd5de6faf42b47b4f4b21de0386bc7154ccd21807bf