Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 21:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404.dll
- Resource: win7-20221111-en
General
- Target: 3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404.dll
- Size: 1.1MB
- MD5: 9ebb3e24459bd86f749f01523fae652d
- SHA1: cc8d16513038fb2b43798571f5c2591ee91f097e
- SHA256: 3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404
- SHA512: f013bbad5bc4ee88a83dd98421d22ad58d55fa03cef4833471867daaf0059716c2feca4909530f0829c2f7c180d2524ef5053567f146724426049473660ff677
- SSDEEP: 24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69wTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4z
Malware Config
Extracted: gozi
1000
http://ey7kuuklgieop2pq.onion
http://drunt.at
http://news-deck.at
http://taslks.at
- build: 217107
- dga_base_url: constitution.org/usdeclar.txt
- dga_crc: 0x4eb7d2ca
- dga_season: 10
- dga_tlds: com, ru, org
- exe_type: worker
- server_id: 12
Signatures
- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 208.67.222.222
  Destination IP | 208.67.222.222
  Destination IP | 208.67.222.222
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Explorer.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DdcCutil = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Browscli\\Compound.dll\",DllRegisterServer" | Explorer.EXE
- Suspicious use of SetThreadContext (7 IoCs)
  Processes: rundll32.exe, control.exe, Explorer.EXE
  description | pid | process | target process
  PID 4896 set thread context of 688 | 4896 | rundll32.exe | control.exe
  PID 688 set thread context of 2056 | 688 | control.exe | Explorer.EXE
  PID 2056 set thread context of 3436 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 2056 set thread context of 3636 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 688 set thread context of 2028 | 688 | control.exe | rundll32.exe
  PID 2056 set thread context of 4696 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 2056 set thread context of 4300 | 2056 | Explorer.EXE | cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, Explorer.EXE
  pid | process
  4896 | rundll32.exe
  4896 | rundll32.exe
  2056 | Explorer.EXE
  2056 | Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  2056 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes: rundll32.exe, control.exe, Explorer.EXE
  pid | process
  4896 | rundll32.exe
  688 | control.exe
  2056 | Explorer.EXE
  2056 | Explorer.EXE
  688 | control.exe
  2056 | Explorer.EXE
  2056 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes: Explorer.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 2056 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2056 | Explorer.EXE
  Token: SeShutdownPrivilege | 2056 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2056 | Explorer.EXE
  Token: SeShutdownPrivilege | 2056 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2056 | Explorer.EXE
  Token: SeShutdownPrivilege | 2056 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2056 | Explorer.EXE
  Token: SeShutdownPrivilege | 2056 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2056 | Explorer.EXE
  Token: SeShutdownPrivilege | 2056 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2056 | Explorer.EXE
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  2056 | Explorer.EXE
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes: rundll32.exe, rundll32.exe, control.exe, Explorer.EXE, cmd.exe
  description | pid | process | target process
  PID 3284 wrote to memory of 4896 | 3284 | rundll32.exe | rundll32.exe
  PID 3284 wrote to memory of 4896 | 3284 | rundll32.exe | rundll32.exe
  PID 3284 wrote to memory of 4896 | 3284 | rundll32.exe | rundll32.exe
  PID 4896 wrote to memory of 688 | 4896 | rundll32.exe | control.exe
  PID 4896 wrote to memory of 688 | 4896 | rundll32.exe | control.exe
  PID 4896 wrote to memory of 688 | 4896 | rundll32.exe | control.exe
  PID 4896 wrote to memory of 688 | 4896 | rundll32.exe | control.exe
  PID 4896 wrote to memory of 688 | 4896 | rundll32.exe | control.exe
  PID 688 wrote to memory of 2056 | 688 | control.exe | Explorer.EXE
  PID 688 wrote to memory of 2056 | 688 | control.exe | Explorer.EXE
  PID 688 wrote to memory of 2056 | 688 | control.exe | Explorer.EXE
  PID 2056 wrote to memory of 3436 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 688 wrote to memory of 2028 | 688 | control.exe | rundll32.exe
  PID 688 wrote to memory of 2028 | 688 | control.exe | rundll32.exe
  PID 688 wrote to memory of 2028 | 688 | control.exe | rundll32.exe
  PID 2056 wrote to memory of 3436 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 2056 wrote to memory of 3436 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 2056 wrote to memory of 3636 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 2056 wrote to memory of 3636 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 2056 wrote to memory of 3636 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 2056 wrote to memory of 4696 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 688 wrote to memory of 2028 | 688 | control.exe | rundll32.exe
  PID 688 wrote to memory of 2028 | 688 | control.exe | rundll32.exe
  PID 2056 wrote to memory of 4696 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 2056 wrote to memory of 4696 | 2056 | Explorer.EXE | RuntimeBroker.exe
  PID 2056 wrote to memory of 1372 | 2056 | Explorer.EXE | cmd.exe
  PID 2056 wrote to memory of 1372 | 2056 | Explorer.EXE | cmd.exe
  PID 1372 wrote to memory of 3768 | 1372 | cmd.exe | nslookup.exe
  PID 1372 wrote to memory of 3768 | 1372 | cmd.exe | nslookup.exe
  PID 2056 wrote to memory of 1948 | 2056 | Explorer.EXE | cmd.exe
  PID 2056 wrote to memory of 1948 | 2056 | Explorer.EXE | cmd.exe
  PID 2056 wrote to memory of 4300 | 2056 | Explorer.EXE | cmd.exe
  PID 2056 wrote to memory of 4300 | 2056 | Explorer.EXE | cmd.exe
  PID 2056 wrote to memory of 4300 | 2056 | Explorer.EXE | cmd.exe
  PID 2056 wrote to memory of 4300 | 2056 | Explorer.EXE | cmd.exe
  PID 2056 wrote to memory of 4300 | 2056 | Explorer.EXE | cmd.exe
  PID 2056 wrote to memory of 4300 | 2056 | Explorer.EXE | cmd.exe
Processes
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404.dll,#1
    signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\control.exe
      command line: C:\Windows\system32\control.exe /?
      signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\rundll32.exe
        command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\1444.bi1"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe
      command line: nslookup myip.opendns.com resolver1.opendns.com
  - C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1444.bi1"
  - C:\Windows\syswow64\cmd.exe
    command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Downloads
- C:\Users\Admin\AppData\Local\Temp\1444.bi1
  Filesize: 118B
  MD5: 4f6429322fdfd711b81d8824b25fcd9c
  SHA1: f7f917b64dd43b620bacd21f134d430d3c406aec
  SHA256: d22c844d015c874bbdbeb12b73ef54585cbd435c28f50d536fb4ace26d859ed8
  SHA512: e661f8d79b031a4a043a388ec17d82b5092859ac1d0ce6668a082feecf1da5665837ad1ef984751c7be174bbb6c1012f45d9f550d5cf65dc8b0e6cddcbdb0816
- C:\Users\Admin\AppData\Roaming\Microsoft\Browscli\Compound.dll
  Filesize: 1.1MB
  MD5: 9ebb3e24459bd86f749f01523fae652d
  SHA1: cc8d16513038fb2b43798571f5c2591ee91f097e
  SHA256: 3472bce1e2a03730287a029d6ab2aa729b9b8f114cac43989272094af26ef404
  SHA512: f013bbad5bc4ee88a83dd98421d22ad58d55fa03cef4833471867daaf0059716c2feca4909530f0829c2f7c180d2524ef5053567f146724426049473660ff677