Analysis
- max time kernel: 157s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 21:08
Static task: static1
Behavioral task: behavioral1
Sample: 2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345.dll
Resource: win7-20220901-en
General
- Target: 2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345.dll
- Size: 1.1MB
- MD5: 6b4640270bfa9629a0d6eba806873cc5
- SHA1: 8a8304f960b8e5c6f6e779d9b686d7faddddb764
- SHA256: 2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345
- SHA512: 6ca002b90a62dbd2da1ed8b44e1d55973ccf14470c3ed31b4e60db7b13fe11f6a705ca00cf2cfac0de34e9b2634996996a41c2b90cc2cca4c6de881c2a400805
- SSDEEP: 24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69tTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4+
Malware Config
Extracted
- gozi
Extracted
- gozi
- 1000
- http://ey7kuuklgieop2pq.onion
- http://drunt.at
- http://news-deck.at
- http://taslks.at
- build: 217107
- dga_base_url: constitution.org/usdeclar.txt
- dga_crc: 0x4eb7d2ca
- dga_season: 10
- dga_tlds: com, ru, org
- exe_type: worker
- server_id: 12
Signatures
- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 208.67.222.222 (x3)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Explorer.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BamSider = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\C_IStprf\\bthsprop.dll\",DllRegisterServer" | Explorer.EXE
- Suspicious use of SetThreadContext (6 IoCs)
  Processes: rundll32.exe, control.exe, Explorer.EXE
  description | pid | process | target process
  PID 3376 set thread context of 5072 | 3376 | rundll32.exe | control.exe
  PID 5072 set thread context of 3008 | 5072 | control.exe | Explorer.EXE
  PID 3008 set thread context of 3392 | 3008 | Explorer.EXE | RuntimeBroker.exe
  PID 3008 set thread context of 3644 | 3008 | Explorer.EXE | RuntimeBroker.exe
  PID 5072 set thread context of 2056 | 5072 | control.exe | rundll32.exe
  PID 3008 set thread context of 3020 | 3008 | Explorer.EXE | cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe, Explorer.EXE
  pid | process
  3376 | rundll32.exe (x2)
  3008 | Explorer.EXE (x2)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  3008 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes: rundll32.exe, control.exe, Explorer.EXE
  pid | process
  3376 | rundll32.exe
  5072 | control.exe
  3008 | Explorer.EXE (x2)
  5072 | control.exe
  3008 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: Explorer.EXE, RuntimeBroker.exe
  description | pid | process
  Token: SeShutdownPrivilege | 3008 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3008 | Explorer.EXE
  Token: SeShutdownPrivilege | 3008 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3008 | Explorer.EXE
  Token: SeShutdownPrivilege | 3392 | RuntimeBroker.exe (x2)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  3008 | Explorer.EXE
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes: rundll32.exe, rundll32.exe, control.exe, Explorer.EXE, cmd.exe
  description | pid | process | target process
  PID 3684 wrote to memory of 3376 | 3684 | rundll32.exe | rundll32.exe (x3)
  PID 3376 wrote to memory of 5072 | 3376 | rundll32.exe | control.exe (x5)
  PID 5072 wrote to memory of 3008 | 5072 | control.exe | Explorer.EXE (x3)
  PID 3008 wrote to memory of 3392 | 3008 | Explorer.EXE | RuntimeBroker.exe (x3)
  PID 3008 wrote to memory of 3644 | 3008 | Explorer.EXE | RuntimeBroker.exe
  PID 5072 wrote to memory of 2056 | 5072 | control.exe | rundll32.exe (x3)
  PID 3008 wrote to memory of 3644 | 3008 | Explorer.EXE | RuntimeBroker.exe (x2)
  PID 5072 wrote to memory of 2056 | 5072 | control.exe | rundll32.exe (x2)
  PID 3008 wrote to memory of 2320 | 3008 | Explorer.EXE | cmd.exe (x2)
  PID 2320 wrote to memory of 4648 | 2320 | cmd.exe | nslookup.exe (x2)
  PID 3008 wrote to memory of 3700 | 3008 | Explorer.EXE | cmd.exe (x2)
  PID 3008 wrote to memory of 3020 | 3008 | Explorer.EXE | cmd.exe (x6)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345.dll,#1
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\control.exe
        Command line: C:\Windows\system32\control.exe /?
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\3E17.bi1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe
      Command line: nslookup myip.opendns.com resolver1.opendns.com
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3E17.bi1"
  - C:\Windows\syswow64\cmd.exe
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3E17.bi1
  Filesize: 107B
  MD5: 82f12896705faeb1630b62f16d5f5cc8
  SHA1: 9ed376a84dd777c28d4510cd747da4fbbc2ff63b
  SHA256: caccfc569992c55c1e532dd816a6e1846281397127c61e3403294d527780a35e
  SHA512: e1f04928aea8e710cd34fd6a0580ad9fe2f045485574b1ba4e4e7db376cffd9dacbc15e51f54cb247a85985739b0d70b9e783c1e573ceb8785fc0662be35c379
- C:\Users\Admin\AppData\Local\Temp\3E17.bi1
  Filesize: 118B
  MD5: 41a49d1a2a3a8713a12ccf89932d4bb7
  SHA1: b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287
  SHA256: f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe
  SHA512: 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1
- C:\Users\Admin\AppData\Roaming\Microsoft\C_IStprf\bthsprop.dll
  Filesize: 1.1MB
  MD5: 6b4640270bfa9629a0d6eba806873cc5
  SHA1: 8a8304f960b8e5c6f6e779d9b686d7faddddb764
  SHA256: 2208c35df300eee92ed44119eef73d0462a8b556aa9d2e235503d718b5961345
  SHA512: 6ca002b90a62dbd2da1ed8b44e1d55973ccf14470c3ed31b4e60db7b13fe11f6a705ca00cf2cfac0de34e9b2634996996a41c2b90cc2cca4c6de881c2a400805
- memory/2056-148-0x0000023D7C450000-0x0000023D7C504000-memory.dmp
  Filesize: 720KB
- memory/2056-147-0x0000000000000000-mapping.dmp
- memory/2320-153-0x0000000000000000-mapping.dmp
- memory/3008-150-0x0000000002730000-0x00000000027E4000-memory.dmp
  Filesize: 720KB
- memory/3020-160-0x00000000017E0000-0x0000000001887000-memory.dmp
  Filesize: 668KB
- memory/3020-159-0x0000000000046B20-0x0000000000046B24-memory.dmp
  Filesize: 4B
- memory/3020-158-0x0000000000000000-mapping.dmp
- memory/3376-134-0x0000000010000000-0x0000000010A16000-memory.dmp
  Filesize: 10.1MB
- memory/3376-135-0x0000000010000000-0x0000000010A16000-memory.dmp
  Filesize: 10.1MB
- memory/3376-132-0x0000000000000000-mapping.dmp
- memory/3376-144-0x0000000010000000-0x0000000010A16000-memory.dmp
  Filesize: 10.1MB
- memory/3376-133-0x0000000010000000-0x000000001004D000-memory.dmp
  Filesize: 308KB
- memory/3376-136-0x0000000002550000-0x000000000259B000-memory.dmp
  Filesize: 300KB
- memory/3392-151-0x0000019522100000-0x00000195221B4000-memory.dmp
  Filesize: 720KB
- memory/3644-152-0x0000013FEE930000-0x0000013FEE9E4000-memory.dmp
  Filesize: 720KB
- memory/3700-155-0x0000000000000000-mapping.dmp
- memory/4648-154-0x0000000000000000-mapping.dmp
- memory/5072-149-0x0000000000510000-0x00000000005C4000-memory.dmp
  Filesize: 720KB
- memory/5072-143-0x0000000000000000-mapping.dmp
- memory/5072-145-0x0000000000510000-0x00000000005C4000-memory.dmp
  Filesize: 720KB