Analysis
- max time kernel: 595s
- max time network: 602s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 17-02-2023 00:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: C566B292EB539CF6D1F1D867D4F4972F9D2BC887DF68BAA25A36B5073AE470AD.dll
- Resource: win7-20221111-en
General
- Target: C566B292EB539CF6D1F1D867D4F4972F9D2BC887DF68BAA25A36B5073AE470AD.dll
- Size: 335.1MB
- MD5: 9a5c17e5ffd7716dbe9425513f24f9f3
- SHA1: 4f96536ff5c9904593fd59df06452bc3b85ff8bd
- SHA256: c566b292eb539cf6d1f1d867d4f4972f9d2bc887df68baa25a36b5073ae470ad
- SHA512: 4e79c9135714a19fc34ba696c7401eecb4505d2b709176a94562d1a36b2da3b18f9048658d9ae4d013292528493b370caa43dd215058cd96fd520b54e7b08b4f
- SSDEEP: 12288:EfJ2dpC+/doJSnFlxGIDWv5EghEug86SbJqLb47v0:aUCudoJsxGIDWv5N0OELb4I
Malware Config
Extracted: gozi
- 1000
- https://merrovalt.top
- host_keep_time: 2
- host_shift_time: 1
- idle_time: 1
- request_time: 10
Signatures
- Runs net.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  - PID 1724 wrote to memory of 780 | 1724 | regsvr32.exe | cmd.exe
  - PID 1724 wrote to memory of 780 | 1724 | regsvr32.exe | cmd.exe
  - PID 1724 wrote to memory of 780 | 1724 | regsvr32.exe | cmd.exe
  - PID 780 wrote to memory of 1632 | 780 | cmd.exe | net.exe
  - PID 780 wrote to memory of 1632 | 780 | cmd.exe | net.exe
  - PID 780 wrote to memory of 1632 | 780 | cmd.exe | net.exe
  - PID 1632 wrote to memory of 568 | 1632 | net.exe | net1.exe
  - PID 1632 wrote to memory of 568 | 1632 | net.exe | net1.exe
  - PID 1632 wrote to memory of 568 | 1632 | net.exe | net1.exe
Processes
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C566B292EB539CF6D1F1D867D4F4972F9D2BC887DF68BAA25A36B5073AE470AD.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    cmd /c "net group "domain computers" /domain" >> C:\Users\Admin\AppData\Local\Temp\D218.tmp
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net.exe
      net group "domain computers" /domain
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 group "domain computers" /domain
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\D218.tmp
  Filesize: 78B
  MD5: aaec14b2de8e2fdaf8427672122af65c
  SHA1: ca953efad669c93af85b968d747baa544d4465fb
  SHA256: 14c94c44d0eb89a820d96e1791f4b754c87ee778b5f4478289df0fb22e1c3da1
  SHA512: a5cbad3de5070fdcd6aa7f3f5eda42b69faef44a431cf48e20ca1f4f42c648ee80bd5f1d9b981624ae6b39e2435b4278c9fd1e97491e3b244a2bba7d629021a8
- memory/568-66-0x0000000000000000-mapping.dmp
- memory/780-64-0x0000000000000000-mapping.dmp
- memory/1632-65-0x0000000000000000-mapping.dmp
- memory/1724-54-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp
  Filesize: 8KB
- memory/1724-55-0x0000000180000000-0x0000000180014000-memory.dmp
  Filesize: 80KB
- memory/1724-59-0x00000000002E0000-0x00000000002F3000-memory.dmp
  Filesize: 76KB