Analysis
- max time kernel: 70s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 08/03/2023, 16:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll
- Resource: win7-20230220-en
General
- Target: 63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll
- Size: 300.5MB
- MD5: 0082d20d486a996d5b1e66fb3969e5aa
- SHA1: a29889727a688b9c69427c8f435063a26a273318
- SHA256: 63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e
- SHA512: d1c57eade5fb5246c2e5c6a24bcc603ba22316bf36c463c7b633a708a4d59cedb9b02fbdba59cf7422b1e98ee12caa4f041cb5c4bb89559ca8c6ec18d09b3b81
- SSDEEP: 6144:hXkx0TogdFNOXDSGPM7O4TpH7kBFdyZwaLY+em1Sjy2AB41D9UoHUj:hXkmoDTSp73TCEFLY1pdL1D9/0j
Malware Config
Extracted: gozi
- 20007
- trackingg-protectioon.cdn4.mozilla.net
- 185.158.250.165
- protectioon.cdn4.mozilla.net
- 194.76.224.102
- 185.189.151.14
- base_path: /fonts/
- build: 250255
- exe_type: loader
- extension: .bak
- server_id: 50
Signatures
- Suspicious use of WriteProcessMemory (7 IoCs)

description                       | pid  | Process      | procid_target
----------------------------------|------|--------------|--------------
PID 2020 wrote to memory of 2012  | 2020 | rundll32.exe | 28
PID 2020 wrote to memory of 2012  | 2020 | rundll32.exe | 28
PID 2020 wrote to memory of 2012  | 2020 | rundll32.exe | 28
PID 2020 wrote to memory of 2012  | 2020 | rundll32.exe | 28
PID 2020 wrote to memory of 2012  | 2020 | rundll32.exe | 28
PID 2020 wrote to memory of 2012  | 2020 | rundll32.exe | 28
PID 2020 wrote to memory of 2012  | 2020 | rundll32.exe | 28
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1
  PID: 2020
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1
    PID: 2012