Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2023 21:07
Static task: static1
Behavioral task: behavioral1
Sample: 4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a.dll
Resource: win7-20221111-en
General
Target: 4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a.dll
Size: 1.1MB
MD5: 3267b8df7235b5333b7ac00059273fc1
SHA1: fb722196edc83de5c147d1bef4eb676d0ff67543
SHA256: 4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a
SHA512: 7c3ebdbfd368fb2e9794271a8d7bbef0e3753e2186dc6c4ef04d54590250c4a50d1b30ab0068f264b1f8872e99b14e5428a7a46f39343cd8a7f87aa51cbbe487
SSDEEP: 24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69pTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4K
Malware Config
Extracted
gozi
1000
http://ey7kuuklgieop2pq.onion
http://drunt.at
http://news-deck.at
http://taslks.at
build: 217107
dga_base_url: constitution.org/usdeclar.txt
dga_crc: 0x4eb7d2ca
dga_season: 10
dga_tlds: com, ru, org
exe_type: worker
server_id: 12
Signatures

Unexpected DNS network traffic destination (3 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  208.67.222.222
  Destination IP  208.67.222.222
  Destination IP  208.67.222.222

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: Explorer.EXE
  description      ioc                                                                                                                                                                                                                            process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfmirces = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Charwork\\clict3ui.dll\",DllRegisterServer"  Explorer.EXE

Suspicious use of SetThreadContext (6 IoCs)
Processes: rundll32.exe, control.exe, Explorer.EXE
  description                          pid   process       target process
  PID 3888 set thread context of 5008  3888  rundll32.exe  control.exe
  PID 5008 set thread context of 2620  5008  control.exe   Explorer.EXE
  PID 5008 set thread context of 3288  5008  control.exe   rundll32.exe
  PID 2620 set thread context of 3432  2620  Explorer.EXE  RuntimeBroker.exe
  PID 2620 set thread context of 3652  2620  Explorer.EXE  RuntimeBroker.exe
  PID 2620 set thread context of 3376  2620  Explorer.EXE  cmd.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: rundll32.exe, Explorer.EXE
  pid   process
  3888  rundll32.exe
  3888  rundll32.exe
  2620  Explorer.EXE
  2620  Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
  pid   process
  2620  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: rundll32.exe, control.exe, Explorer.EXE
  pid   process
  3888  rundll32.exe
  5008  control.exe
  5008  control.exe
  2620  Explorer.EXE
  2620  Explorer.EXE
  2620  Explorer.EXE

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: Explorer.EXE, RuntimeBroker.exe
  description                       pid   process
  Token: SeShutdownPrivilege        2620  Explorer.EXE
  Token: SeCreatePagefilePrivilege  2620  Explorer.EXE
  Token: SeShutdownPrivilege        3432  RuntimeBroker.exe
  Token: SeShutdownPrivilege        2620  Explorer.EXE
  Token: SeCreatePagefilePrivilege  2620  Explorer.EXE
  Token: SeShutdownPrivilege        3432  RuntimeBroker.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: Explorer.EXE
  pid   process
  2620  Explorer.EXE

Suspicious use of WriteProcessMemory (34 IoCs)
Processes: rundll32.exe, rundll32.exe, control.exe, Explorer.EXE, cmd.exe
  description                       pid   process       target process
  PID 4832 wrote to memory of 3888  4832  rundll32.exe  rundll32.exe
  PID 4832 wrote to memory of 3888  4832  rundll32.exe  rundll32.exe
  PID 4832 wrote to memory of 3888  4832  rundll32.exe  rundll32.exe
  PID 3888 wrote to memory of 5008  3888  rundll32.exe  control.exe
  PID 3888 wrote to memory of 5008  3888  rundll32.exe  control.exe
  PID 3888 wrote to memory of 5008  3888  rundll32.exe  control.exe
  PID 3888 wrote to memory of 5008  3888  rundll32.exe  control.exe
  PID 3888 wrote to memory of 5008  3888  rundll32.exe  control.exe
  PID 5008 wrote to memory of 2620  5008  control.exe   Explorer.EXE
  PID 5008 wrote to memory of 2620  5008  control.exe   Explorer.EXE
  PID 5008 wrote to memory of 2620  5008  control.exe   Explorer.EXE
  PID 5008 wrote to memory of 3288  5008  control.exe   rundll32.exe
  PID 5008 wrote to memory of 3288  5008  control.exe   rundll32.exe
  PID 5008 wrote to memory of 3288  5008  control.exe   rundll32.exe
  PID 5008 wrote to memory of 3288  5008  control.exe   rundll32.exe
  PID 5008 wrote to memory of 3288  5008  control.exe   rundll32.exe
  PID 2620 wrote to memory of 3432  2620  Explorer.EXE  RuntimeBroker.exe
  PID 2620 wrote to memory of 3432  2620  Explorer.EXE  RuntimeBroker.exe
  PID 2620 wrote to memory of 3432  2620  Explorer.EXE  RuntimeBroker.exe
  PID 2620 wrote to memory of 3652  2620  Explorer.EXE  RuntimeBroker.exe
  PID 2620 wrote to memory of 3652  2620  Explorer.EXE  RuntimeBroker.exe
  PID 2620 wrote to memory of 3652  2620  Explorer.EXE  RuntimeBroker.exe
  PID 2620 wrote to memory of 4408  2620  Explorer.EXE  cmd.exe
  PID 2620 wrote to memory of 4408  2620  Explorer.EXE  cmd.exe
  PID 4408 wrote to memory of 1880  4408  cmd.exe       nslookup.exe
  PID 4408 wrote to memory of 1880  4408  cmd.exe       nslookup.exe
  PID 2620 wrote to memory of 2492  2620  Explorer.EXE  cmd.exe
  PID 2620 wrote to memory of 2492  2620  Explorer.EXE  cmd.exe
  PID 2620 wrote to memory of 3376  2620  Explorer.EXE  cmd.exe
  PID 2620 wrote to memory of 3376  2620  Explorer.EXE  cmd.exe
  PID 2620 wrote to memory of 3376  2620  Explorer.EXE  cmd.exe
  PID 2620 wrote to memory of 3376  2620  Explorer.EXE  cmd.exe
  PID 2620 wrote to memory of 3376  2620  Explorer.EXE  cmd.exe
  PID 2620 wrote to memory of 3376  2620  Explorer.EXE  cmd.exe
Processes (children are indented under their parent process)

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a.dll,#1
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
          command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a.dll,#1
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\control.exe
              command line: C:\Windows\system32\control.exe /?
              - Suspicious use of SetThreadContext
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\rundll32.exe
                  command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?

    C:\Windows\system32\cmd.exe
      command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\6467.bi1"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\nslookup.exe
          command line: nslookup myip.opendns.com resolver1.opendns.com

    C:\Windows\system32\cmd.exe
      command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6467.bi1"

    C:\Windows\syswow64\cmd.exe
      command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\6467.bi1
  Filesize: 118B
  MD5: 41a49d1a2a3a8713a12ccf89932d4bb7
  SHA1: b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287
  SHA256: f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe
  SHA512: 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1

C:\Users\Admin\AppData\Roaming\Microsoft\Charwork\clict3ui.dll
  Filesize: 1.1MB
  MD5: 3267b8df7235b5333b7ac00059273fc1
  SHA1: fb722196edc83de5c147d1bef4eb676d0ff67543
  SHA256: 4f81a7ee4dc2bf2a7179ec01dea866b6bcfd980e527e8fdc817c2f30d490c67a
  SHA512: 7c3ebdbfd368fb2e9794271a8d7bbef0e3753e2186dc6c4ef04d54590250c4a50d1b30ab0068f264b1f8872e99b14e5428a7a46f39343cd8a7f87aa51cbbe487
Memory dumps
  memory/1880-156-0x0000000000000000-mapping.dmp
  memory/2492-157-0x0000000000000000-mapping.dmp
  memory/2620-147-0x00000000032F0000-0x00000000033A4000-memory.dmp  Filesize: 720KB
  memory/2620-152-0x00000000032F0000-0x00000000033A4000-memory.dmp  Filesize: 720KB
  memory/3288-150-0x00000238311C0000-0x0000023831274000-memory.dmp  Filesize: 720KB
  memory/3288-148-0x0000000000000000-mapping.dmp
  memory/3376-161-0x0000000000636B20-0x0000000000636B24-memory.dmp  Filesize: 4B
  memory/3376-163-0x0000000001140000-0x00000000011E7000-memory.dmp  Filesize: 668KB
  memory/3376-160-0x0000000000000000-mapping.dmp
  memory/3376-162-0x0000000001140000-0x00000000011E7000-memory.dmp  Filesize: 668KB
  memory/3432-153-0x0000022653450000-0x0000022653504000-memory.dmp  Filesize: 720KB
  memory/3652-154-0x00000266B7F30000-0x00000266B7FE4000-memory.dmp  Filesize: 720KB
  memory/3888-146-0x0000000010000000-0x0000000010A16000-memory.dmp  Filesize: 10.1MB
  memory/3888-132-0x0000000000000000-mapping.dmp
  memory/3888-137-0x0000000000C40000-0x0000000000C8B000-memory.dmp  Filesize: 300KB
  memory/3888-136-0x0000000010000000-0x0000000010A16000-memory.dmp  Filesize: 10.1MB
  memory/3888-135-0x0000000010000000-0x0000000010A16000-memory.dmp  Filesize: 10.1MB
  memory/3888-134-0x0000000010000000-0x0000000010A16000-memory.dmp  Filesize: 10.1MB
  memory/3888-133-0x0000000010000000-0x000000001004D000-memory.dmp  Filesize: 308KB
  memory/4408-155-0x0000000000000000-mapping.dmp
  memory/5008-144-0x0000000000000000-mapping.dmp
  memory/5008-151-0x0000000000B90000-0x0000000000C44000-memory.dmp  Filesize: 720KB
  memory/5008-145-0x0000000000B90000-0x0000000000C44000-memory.dmp  Filesize: 720KB