Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 21:08
Static task: static1
Behavioral task: behavioral1
Sample: 33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a.dll
Resource: win7-20220812-en
General
- Target: 33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a.dll
- Size: 1.1MB
- MD5: a8d1899b7942eecddb5a18b0f6b509df
- SHA1: 342cdb7f538fd2213ad33f673433bafba85c4b4b
- SHA256: 33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a
- SHA512: 924682746c7185b9852d226f63c5082d023865f0a3c293569eef100f7c60df9f5bcb848a3ae8cf52d7d16f0059c936f725622574190ba89f7654c304a4687068
- SSDEEP: 24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69vTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4c
Malware Config
Extracted
gozi
1000
- http://ey7kuuklgieop2pq.onion
- http://drunt.at
- http://news-deck.at
- http://taslks.at
- build: 217107
- dga_base_url: constitution.org/usdeclar.txt
- dga_crc: 0x4eb7d2ca
- dga_season: 10
- dga_tlds: com, ru, org
- exe_type: worker
- server_id: 12
Signatures
-
Unexpected DNS network traffic destination (3 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
- Destination IP 208.67.222.222
- Destination IP 208.67.222.222
- Destination IP 208.67.222.222
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: Explorer.EXE
- Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cfmirces = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Charwork\\clict3ui.dll\",DllRegisterServer" (process: Explorer.EXE)
-
Suspicious use of SetThreadContext (7 IoCs)
Processes: rundll32.exe, control.exe, Explorer.EXE
- PID 2472 (rundll32.exe) set thread context of PID 2920 (control.exe)
- PID 2920 (control.exe) set thread context of PID 2728 (Explorer.EXE)
- PID 2728 (Explorer.EXE) set thread context of PID 3536 (RuntimeBroker.exe)
- PID 2728 (Explorer.EXE) set thread context of PID 3804 (RuntimeBroker.exe)
- PID 2920 (control.exe) set thread context of PID 3716 (rundll32.exe)
- PID 2728 (Explorer.EXE) set thread context of PID 4708 (RuntimeBroker.exe)
- PID 2728 (Explorer.EXE) set thread context of PID 2336 (cmd.exe)
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: rundll32.exe, Explorer.EXE
- PID 2472 rundll32.exe
- PID 2472 rundll32.exe
- PID 2728 Explorer.EXE
- PID 2728 Explorer.EXE
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
- PID 2728 Explorer.EXE
-
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: rundll32.exe, control.exe, Explorer.EXE
- PID 2472 rundll32.exe
- PID 2920 control.exe
- PID 2728 Explorer.EXE
- PID 2728 Explorer.EXE
- PID 2920 control.exe
- PID 2728 Explorer.EXE
- PID 2728 Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: Explorer.EXE, RuntimeBroker.exe
- Token: SeShutdownPrivilege, PID 2728 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2728 Explorer.EXE
- Token: SeShutdownPrivilege, PID 2728 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2728 Explorer.EXE
- Token: SeShutdownPrivilege, PID 3536 RuntimeBroker.exe
- Token: SeShutdownPrivilege, PID 3536 RuntimeBroker.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: Explorer.EXE
- PID 2728 Explorer.EXE
-
Suspicious use of WriteProcessMemory (37 IoCs)
Processes: rundll32.exe, rundll32.exe, control.exe, Explorer.EXE, cmd.exe
Rows are listed in the order reported; a trailing count marks consecutive repeats of the same row.
- PID 2664 (rundll32.exe) wrote to memory of PID 2472 (rundll32.exe) x3
- PID 2472 (rundll32.exe) wrote to memory of PID 2920 (control.exe) x5
- PID 2920 (control.exe) wrote to memory of PID 2728 (Explorer.EXE) x3
- PID 2728 (Explorer.EXE) wrote to memory of PID 3536 (RuntimeBroker.exe) x3
- PID 2728 (Explorer.EXE) wrote to memory of PID 3804 (RuntimeBroker.exe) x1
- PID 2920 (control.exe) wrote to memory of PID 3716 (rundll32.exe) x3
- PID 2728 (Explorer.EXE) wrote to memory of PID 3804 (RuntimeBroker.exe) x2
- PID 2728 (Explorer.EXE) wrote to memory of PID 4708 (RuntimeBroker.exe) x1
- PID 2920 (control.exe) wrote to memory of PID 3716 (rundll32.exe) x2
- PID 2728 (Explorer.EXE) wrote to memory of PID 4708 (RuntimeBroker.exe) x2
- PID 2728 (Explorer.EXE) wrote to memory of PID 4328 (cmd.exe) x2
- PID 4328 (cmd.exe) wrote to memory of PID 1416 (nslookup.exe) x2
- PID 2728 (Explorer.EXE) wrote to memory of PID 520 (cmd.exe) x2
- PID 2728 (Explorer.EXE) wrote to memory of PID 2336 (cmd.exe) x6
Processes
-
C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\control.exe (depth 4)
        Command line: C:\Windows\system32\control.exe /?
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\rundll32.exe (depth 5)
          Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
  C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\BDE5.bi1"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\nslookup.exe (depth 3)
      Command line: nslookup myip.opendns.com resolver1.opendns.com
  C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\BDE5.bi1"
  C:\Windows\syswow64\cmd.exe (depth 2)
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\System32\RuntimeBroker.exe (depth 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\RuntimeBroker.exe (depth 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (depth 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BDE5.bi1
Filesize: 118B
MD5: 41a49d1a2a3a8713a12ccf89932d4bb7
SHA1: b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287
SHA256: f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe
SHA512: 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Charwork\clict3ui.dll
Filesize: 1.1MB
MD5: a8d1899b7942eecddb5a18b0f6b509df
SHA1: 342cdb7f538fd2213ad33f673433bafba85c4b4b
SHA256: 33f956cc16a47c86ec3c06f30da058a87bab41c5b9deab097ae876067d2d5e2a
SHA512: 924682746c7185b9852d226f63c5082d023865f0a3c293569eef100f7c60df9f5bcb848a3ae8cf52d7d16f0059c936f725622574190ba89f7654c304a4687068
-
memory/520-156-0x0000000000000000-mapping.dmp
-
memory/1416-155-0x0000000000000000-mapping.dmp
-
memory/2336-161-0x0000000001450000-0x00000000014F7000-memory.dmp
Filesize: 668KB
-
memory/2336-160-0x00000000000C6B20-0x00000000000C6B24-memory.dmp
Filesize: 4B
-
memory/2336-159-0x0000000000000000-mapping.dmp
-
memory/2472-144-0x0000000010000000-0x0000000010A16000-memory.dmp
Filesize: 10.1MB
-
memory/2472-132-0x0000000000000000-mapping.dmp
-
memory/2472-133-0x0000000010000000-0x000000001004D000-memory.dmp
Filesize: 308KB
-
memory/2472-134-0x0000000010000000-0x0000000010A16000-memory.dmp
Filesize: 10.1MB
-
memory/2472-135-0x0000000010000000-0x0000000010A16000-memory.dmp
Filesize: 10.1MB
-
memory/2472-136-0x00000000021D0000-0x000000000221B000-memory.dmp
Filesize: 300KB
-
memory/2728-153-0x0000000003260000-0x0000000003314000-memory.dmp
Filesize: 720KB
-
memory/2728-147-0x0000000003260000-0x0000000003314000-memory.dmp
Filesize: 720KB
-
memory/2920-143-0x0000000000000000-mapping.dmp
-
memory/2920-148-0x0000000000FD0000-0x0000000001084000-memory.dmp
Filesize: 720KB
-
memory/3536-149-0x0000020572E00000-0x0000020572EB4000-memory.dmp
Filesize: 720KB
-
memory/3716-146-0x0000000000000000-mapping.dmp
-
memory/3716-152-0x0000023DDD860000-0x0000023DDD914000-memory.dmp
Filesize: 720KB
-
memory/3804-150-0x000001AB28570000-0x000001AB28624000-memory.dmp
Filesize: 720KB
-
memory/4328-154-0x0000000000000000-mapping.dmp
-
memory/4708-151-0x0000023A75330000-0x0000023A753E4000-memory.dmp
Filesize: 720KB