Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 21:08
Static task: static1
Behavioral task: behavioral1
Sample: 31d73b34c44fc4f61e583e3a19e34753d5271de557a5f5a818899f506afc8f99.dll
Resource: win7-20221111-en
General
- Target: 31d73b34c44fc4f61e583e3a19e34753d5271de557a5f5a818899f506afc8f99.dll
- Size: 1.1MB
- MD5: b602deeb32f8f26326ea16cc78029602
- SHA1: bad2ea797b9f5b4479f4fe189d6daab35a9a28e9
- SHA256: 31d73b34c44fc4f61e583e3a19e34753d5271de557a5f5a818899f506afc8f99
- SHA512: 90350ba7401f97eea7b990d4d80be25f2fe9233002e6a83efb0fd9f6d04eefca123ed1eb8b5ce8403e762b7f630a1ac3c04a6be8db273850b87d9dbc58b6fcb4
- SSDEEP: 24576:i30ixqmP/+GZgTXrHJB+pffKUmHaRLNW0wfpKncbBWZtxjB/s69ZTGxUcbrJOBPO:i30ixj/aTXrH7+pHKUmHeLNW0wBKnc4a
Malware Config
Extracted
gozi
Extracted
gozi
1000
http://ey7kuuklgieop2pq.onion
http://drunt.at
http://news-deck.at
http://taslks.at
- build: 217107
- dga_base_url: constitution.org/usdeclar.txt
- dga_crc: 0x4eb7d2ca
- dga_season: 10
- dga_tlds: com, ru, org
- exe_type: worker
- server_id: 12
Signatures
- Unexpected DNS network traffic destination (3 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
- Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: Explorer.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dhcptCSP = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Adsnuery\\altsCore.dll\",DllRegisterServer" | Explorer.EXE
- Suspicious use of SetThreadContext (7 IoCs)
Processes: rundll32.exe, control.exe, Explorer.EXE
description | pid | process | target process
PID 536 set thread context of 4864 | 536 | rundll32.exe | control.exe
PID 4864 set thread context of 1012 | 4864 | control.exe | Explorer.EXE
PID 4864 set thread context of 5084 | 4864 | control.exe | rundll32.exe
PID 1012 set thread context of 3472 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 set thread context of 3816 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 set thread context of 5076 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 set thread context of 4704 | 1012 | Explorer.EXE | cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: rundll32.exe, Explorer.EXE
pid | process
536 | rundll32.exe
536 | rundll32.exe
1012 | Explorer.EXE
1012 | Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
pid | process
1012 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: rundll32.exe, control.exe, Explorer.EXE
pid | process
536 | rundll32.exe
4864 | control.exe
4864 | control.exe
1012 | Explorer.EXE
1012 | Explorer.EXE
1012 | Explorer.EXE
1012 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: Explorer.EXE, RuntimeBroker.exe
description | pid | process
Token: SeShutdownPrivilege | 1012 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 1012 | Explorer.EXE
Token: SeShutdownPrivilege | 1012 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 1012 | Explorer.EXE
Token: SeShutdownPrivilege | 3472 | RuntimeBroker.exe
Token: SeShutdownPrivilege | 3472 | RuntimeBroker.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: Explorer.EXE
pid | process
1012 | Explorer.EXE
- Suspicious use of WriteProcessMemory (37 IoCs)
Processes: rundll32.exe, rundll32.exe, control.exe, Explorer.EXE, cmd.exe
description | pid | process | target process
PID 3624 wrote to memory of 536 | 3624 | rundll32.exe | rundll32.exe
PID 3624 wrote to memory of 536 | 3624 | rundll32.exe | rundll32.exe
PID 3624 wrote to memory of 536 | 3624 | rundll32.exe | rundll32.exe
PID 536 wrote to memory of 4864 | 536 | rundll32.exe | control.exe
PID 536 wrote to memory of 4864 | 536 | rundll32.exe | control.exe
PID 536 wrote to memory of 4864 | 536 | rundll32.exe | control.exe
PID 536 wrote to memory of 4864 | 536 | rundll32.exe | control.exe
PID 536 wrote to memory of 4864 | 536 | rundll32.exe | control.exe
PID 4864 wrote to memory of 1012 | 4864 | control.exe | Explorer.EXE
PID 4864 wrote to memory of 1012 | 4864 | control.exe | Explorer.EXE
PID 4864 wrote to memory of 1012 | 4864 | control.exe | Explorer.EXE
PID 4864 wrote to memory of 5084 | 4864 | control.exe | rundll32.exe
PID 4864 wrote to memory of 5084 | 4864 | control.exe | rundll32.exe
PID 4864 wrote to memory of 5084 | 4864 | control.exe | rundll32.exe
PID 4864 wrote to memory of 5084 | 4864 | control.exe | rundll32.exe
PID 4864 wrote to memory of 5084 | 4864 | control.exe | rundll32.exe
PID 1012 wrote to memory of 3472 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 wrote to memory of 3472 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 wrote to memory of 3472 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 wrote to memory of 3816 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 wrote to memory of 3816 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 wrote to memory of 3816 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 wrote to memory of 5076 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 wrote to memory of 5076 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 wrote to memory of 5076 | 1012 | Explorer.EXE | RuntimeBroker.exe
PID 1012 wrote to memory of 1460 | 1012 | Explorer.EXE | cmd.exe
PID 1012 wrote to memory of 1460 | 1012 | Explorer.EXE | cmd.exe
PID 1460 wrote to memory of 728 | 1460 | cmd.exe | nslookup.exe
PID 1460 wrote to memory of 728 | 1460 | cmd.exe | nslookup.exe
PID 1012 wrote to memory of 480 | 1012 | Explorer.EXE | cmd.exe
PID 1012 wrote to memory of 480 | 1012 | Explorer.EXE | cmd.exe
PID 1012 wrote to memory of 4704 | 1012 | Explorer.EXE | cmd.exe
PID 1012 wrote to memory of 4704 | 1012 | Explorer.EXE | cmd.exe
PID 1012 wrote to memory of 4704 | 1012 | Explorer.EXE | cmd.exe
PID 1012 wrote to memory of 4704 | 1012 | Explorer.EXE | cmd.exe
PID 1012 wrote to memory of 4704 | 1012 | Explorer.EXE | cmd.exe
PID 1012 wrote to memory of 4704 | 1012 | Explorer.EXE | cmd.exe
Processes
(indentation shows the parent/child depth the report marks with 1⤵, 2⤵, ...)
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\31d73b34c44fc4f61e583e3a19e34753d5271de557a5f5a818899f506afc8f99.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\31d73b34c44fc4f61e583e3a19e34753d5271de557a5f5a818899f506afc8f99.dll,#1
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\control.exe
        Command line: C:\Windows\system32\control.exe /?
        Signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\C3E1.bi1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe
      Command line: nslookup myip.opendns.com resolver1.opendns.com
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C3E1.bi1"
  - C:\Windows\syswow64\cmd.exe
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\C3E1.bi1
  Filesize: 118B
  MD5: 41a49d1a2a3a8713a12ccf89932d4bb7
  SHA1: b324e8bbcd4ca71a35d0c00ac63c0255e8ec4287
  SHA256: f210a8e30967b13dabe340c45ce4a97e9c94ad74975728eccdd0a27edf29b5fe
  SHA512: 1fc256f2068eb9ac32c04bad119e94ba006808fd2be48db397eecf69acd6d8972334f81f8439d6e153a9cb99db618a613f3b0adf2b5784c264b61d4d5c0669b1
- C:\Users\Admin\AppData\Roaming\Microsoft\Adsnuery\altsCore.dll
  Filesize: 1.1MB
  MD5: b602deeb32f8f26326ea16cc78029602
  SHA1: bad2ea797b9f5b4479f4fe189d6daab35a9a28e9
  SHA256: 31d73b34c44fc4f61e583e3a19e34753d5271de557a5f5a818899f506afc8f99
  SHA512: 90350ba7401f97eea7b990d4d80be25f2fe9233002e6a83efb0fd9f6d04eefca123ed1eb8b5ce8403e762b7f630a1ac3c04a6be8db273850b87d9dbc58b6fcb4
- memory/480-157-0x0000000000000000-mapping.dmp
- memory/536-142-0x0000000010000000-0x0000000010A16000-memory.dmp (Filesize: 10.1MB)
- memory/536-132-0x0000000000000000-mapping.dmp
- memory/536-145-0x0000000010000000-0x0000000010A16000-memory.dmp (Filesize: 10.1MB)
- memory/536-135-0x0000000000A80000-0x0000000000ACB000-memory.dmp (Filesize: 300KB)
- memory/536-134-0x0000000010000000-0x0000000010A16000-memory.dmp (Filesize: 10.1MB)
- memory/536-133-0x0000000010000000-0x000000001004D000-memory.dmp (Filesize: 308KB)
- memory/728-156-0x0000000000000000-mapping.dmp
- memory/1012-154-0x0000000002B00000-0x0000000002BB4000-memory.dmp (Filesize: 720KB)
- memory/1012-148-0x0000000002B00000-0x0000000002BB4000-memory.dmp (Filesize: 720KB)
- memory/1460-155-0x0000000000000000-mapping.dmp
- memory/3472-151-0x000002E006800000-0x000002E0068B4000-memory.dmp (Filesize: 720KB)
- memory/3816-152-0x0000020554C30000-0x0000020554CE4000-memory.dmp (Filesize: 720KB)
- memory/4704-161-0x0000000000236B20-0x0000000000236B24-memory.dmp (Filesize: 4B)
- memory/4704-160-0x0000000000000000-mapping.dmp
- memory/4704-162-0x0000000000F90000-0x0000000001037000-memory.dmp (Filesize: 668KB)
- memory/4864-144-0x0000000000910000-0x00000000009C4000-memory.dmp (Filesize: 720KB)
- memory/4864-150-0x0000000000910000-0x00000000009C4000-memory.dmp (Filesize: 720KB)
- memory/4864-143-0x0000000000000000-mapping.dmp
- memory/5076-153-0x000001B00E240000-0x000001B00E2F4000-memory.dmp (Filesize: 720KB)
- memory/5084-149-0x000001D9AB6F0000-0x000001D9AB7A4000-memory.dmp (Filesize: 720KB)
- memory/5084-146-0x0000000000000000-mapping.dmp