Analysis
- max time kernel: 150s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2023 14:38

Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: 0196aa6b6e09389e94acafba9049fe5f.dll
- Resource: win7-20231215-en
- 5 signatures
- 150 seconds
General
- Target: 0196aa6b6e09389e94acafba9049fe5f.dll
- Size: 355KB
- MD5: 0196aa6b6e09389e94acafba9049fe5f
- SHA1: 6248bd71cc01f4dd0728bf8536c29aff31adb4ce
- SHA256: 84b16227e05b966470c3624cc9129296d73b96c11c90ff5d02a6aea8ab196b9e
- SHA512: 004683c3bcc190134f6715bef7fc1d788e3b7d02c68f6f51980433078be7c126f382fb2832d2668c23f234f9b6ab0d0e1e2e1d0dca33d9f40803f412f566c81a
- SSDEEP: 6144:BstpyZ+ANKcOVwmBfjdLz5kazt+x1gLY3TGAa7VGpwCu:BstpbA3OOmljdLGeZOGH7Cu
Malware Config
Extracted
- Family: gozi

Extracted
- Family: gozi
- Botnet: 1500
- C2:
  - gtr.antoinfer.com
  - app.bighomegl.at
- Attributes:
  - build: 250204
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.plain
  - aes.plain
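The extracted config and the hashes in the General section are the indicators a responder would pivot on. The script below is an added example, not part of the sandbox report: it normalises the two C2 hosts and the sample hashes into matchers and runs them over constructed DNS and file-hash log lines (the log layout, the `q=` field and the client address are assumptions). It matches a C2 host and any label beneath it, strips the trailing dot resolvers add, compares hashes case-insensitively, and deliberately does not substring-match, so that a look-alike such as notantoinfer.com is not reported.

```python
"""Match the C2 hosts and file hashes from this report against log lines.

Added example, not part of the sandbox report. The indicator values are
the ones shown on the page; the DNS and file-hash log lines are
constructed for illustration and their field layout is an assumption.
"""
import re

# Gozi C2 hosts from the extracted config above.
C2_HOSTS = {"gtr.antoinfer.com", "app.bighomegl.at"}

# File hashes of the sample from the General section (MD5, SHA1, SHA256).
SAMPLE_HASHES = {
    "0196aa6b6e09389e94acafba9049fe5f",
    "6248bd71cc01f4dd0728bf8536c29aff31adb4ce",
    "84b16227e05b966470c3624cc9129296d73b96c11c90ff5d02a6aea8ab196b9e",
}

# Hex runs of SHA256/SHA1/MD5 length; the \b anchors stop a 64-char digest
# from being reported as a 32-char one.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
QNAME_RE = re.compile(r"\bq=(\S+)")


def normalise_host(name: str) -> str:
    """Lower-case and strip the trailing dot resolvers add to FQDNs."""
    return name.strip().rstrip(".").lower()


def match_c2(qname: str):
    """Return the C2 host a query matches: the host itself or any label
    below it. No substring matching, so notantoinfer.com does not match
    gtr.antoinfer.com, and the bare registered domain bighomegl.at (not in
    the config) is not matched either."""
    q = normalise_host(qname)
    for c2 in C2_HOSTS:
        if q == c2 or q.endswith("." + c2):
            return c2
    return None


def scan_dns(lines):
    """(queried name, matched C2 host) for every line whose q= field hits."""
    hits = []
    for line in lines:
        m = QNAME_RE.search(line)
        if not m:
            continue
        c2 = match_c2(m.group(1))
        if c2:
            hits.append((m.group(1), c2))
    return hits


def scan_hashes(lines):
    """Lower-cased sample hashes found anywhere in the lines."""
    hits = []
    for line in lines:
        for h in HASH_RE.findall(line):
            if h.lower() in SAMPLE_HASHES:
                hits.append(h.lower())
    return hits


# Constructed log lines (not from the report).
DNS_LOG = [
    "2023-12-24T14:39:01Z client=10.0.0.12 q=GTR.ANTOINFER.COM. type=A",
    "2023-12-24T14:39:03Z client=10.0.0.12 q=cdn.app.bighomegl.at type=A",
    "2023-12-24T14:39:05Z client=10.0.0.12 q=www.microsoft.com type=A",
    "2023-12-24T14:39:07Z client=10.0.0.12 q=notantoinfer.com type=A",
]
FILE_LOG = [
    "sha256=84B16227E05B966470C3624CC9129296D73B96C11C90FF5D02A6AEA8AB196B9E path=C:\\Users\\Admin\\Downloads\\invoice.dll",
    "md5=d41d8cd98f00b204e9800998ecf8427e path=C:\\Users\\Admin\\Downloads\\empty.bin",
]

if __name__ == "__main__":
    for q, c2 in scan_dns(DNS_LOG):
        print(f"DNS hit: {q} -> {c2}")
    for h in scan_hashes(FILE_LOG):
        print(f"hash hit: {h}")
```

Widening the match to the whole registered domain (bighomegl.at rather than app.bighomegl.at) is a deliberate analyst decision; the config only names the two hosts, so the matcher stays at that scope by default.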
Signatures
- Modifies Internet Explorer settings 14 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7D65EF90-A283-11EE-9BE3-D2066D8F1295} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE

- Suspicious use of FindShellTrayWindow 1 IoC
Processes: iexplore.exe
pid | process
452 | iexplore.exe

- Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | process
452 | iexplore.exe
452 | iexplore.exe
2612 | IEXPLORE.EXE
2612 | IEXPLORE.EXE

- Suspicious use of WriteProcessMemory 6 IoCs
Processes: rundll32.exe, iexplore.exe
description | pid | process | target process
PID 1680 wrote to memory of 4784 | 1680 | rundll32.exe | rundll32.exe
PID 1680 wrote to memory of 4784 | 1680 | rundll32.exe | rundll32.exe
PID 1680 wrote to memory of 4784 | 1680 | rundll32.exe | rundll32.exe
PID 452 wrote to memory of 2612 | 452 | iexplore.exe | IEXPLORE.EXE
PID 452 wrote to memory of 2612 | 452 | iexplore.exe | IEXPLORE.EXE
PID 452 wrote to memory of 2612 | 452 | iexplore.exe | IEXPLORE.EXE
Processes
- C:\Windows\system32\rundll32.exe (PID 1680)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0196aa6b6e09389e94acafba9049fe5f.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4784)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0196aa6b6e09389e94acafba9049fe5f.dll,#1
- C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
- C:\Program Files\Internet Explorer\iexplore.exe (PID 452)
  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2612)
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

Reading the tree: the ",#1" argument tells rundll32 to call the DLL's export with ordinal 1 rather than a named export. The 64-bit C:\Windows\system32\rundll32.exe (PID 1680) re-executed itself as C:\Windows\SysWOW64\rundll32.exe (PID 4784) with the same arguments, which is what rundll32 does when the DLL it is asked to load is a 32-bit image; the three WriteProcessMemory IoCs from 1680 into 4784 coincide with that relaunch and are not by themselves evidence of injection into another process. iexplore.exe (PID 452) and ielowutil.exe were started with -Embedding, i.e. through COM activation, and sit at the top level of the tree; the report does not show rundll32 spawning them. The writes from 452 into 2612 are the parent IE frame process starting its tab process (SCODEF:452 names the parent).
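To turn the chain above into something a detection engineer can test, here is an added example (not part of the sandbox report) that rebuilds the tree from constructed process-creation and cross-process-write records filled in with the PIDs, images and command lines the report lists. Field names (`pid`, `ppid`, `image`, `cmd`) and the ppid value 0 for parents the report does not show are assumptions. It flags a rundll32 loading a DLL from a user-writable path, an export named by ordinal, and the system32-to-SysWOW64 rundll32 relaunch of the same DLL, and it separates parent-to-child writes (expected at process creation) from writes into unrelated processes.

```python
"""Reconstruct the process tree from this report and flag the rundll32
loader pattern it shows.

Added example, not part of the sandbox report. The events are
constructed in the shape of process-creation and cross-process-write
records (field names are an assumption), filled in with the PIDs,
images and command lines the report lists. ppid 0 marks a parent the
report does not show.
"""
import re

# Constructed process-creation events mirroring the report's tree.
PROC_EVENTS = [
    {"pid": 1680, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\0196aa6b6e09389e94acafba9049fe5f.dll,#1"},
    {"pid": 4784, "ppid": 1680, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\0196aa6b6e09389e94acafba9049fe5f.dll,#1"},
    {"pid": 452, "ppid": 0, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmd": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding'},
    {"pid": 2612, "ppid": 452, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmd": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:17410 /prefetch:2'},
]
# Constructed (source pid, target pid) writes matching the WriteProcessMemory IoCs.
WRITE_EVENTS = [(1680, 4784), (1680, 4784), (1680, 4784),
                (452, 2612), (452, 2612), (452, 2612)]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>#\d+|[A-Za-z_]\w*)',
    re.IGNORECASE)


def parse_rundll32(cmd):
    """Return (dll_path, entry) for a rundll32 command line, else None.
    An entry of the form #N names an export by ordinal, not by name."""
    m = RUNDLL_RE.search(cmd)
    return (m.group("dll"), m.group("entry")) if m else None


def render_tree(events, ppid=0, depth=0):
    """Indented 'pid image' lines, children under their parent."""
    lines = []
    for e in events:
        if e["ppid"] == ppid:
            lines.append("  " * depth + f"{e['pid']} {e['image']}")
            lines.extend(render_tree(events, e["pid"], depth + 1))
    return lines


def flag_rundll32(events):
    """(pid, finding) pairs for the rundll32 loader traits in this report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parsed = parse_rundll32(e["cmd"])
        if not parsed:
            continue
        dll, entry = parsed
        dll_l = dll.lower()
        if any(p in dll_l for p in USER_WRITABLE):
            findings.append((e["pid"], "dll_in_user_writable_path"))
        if entry.startswith("#"):
            findings.append((e["pid"], "export_by_ordinal"))
        parent = by_pid.get(e["ppid"])
        if (parent is not None
                and parent["image"].lower().endswith("\\system32\\rundll32.exe")
                and e["image"].lower().endswith("\\syswow64\\rundll32.exe")):
            pp = parse_rundll32(parent["cmd"])
            if pp and pp[0].lower() == dll_l:
                # 64-bit rundll32 re-executing itself from SysWOW64 means the
                # DLL is a 32-bit image; the write into the child is part of
                # that relaunch, not on its own evidence of injection.
                findings.append((e["pid"], "wow64_relaunch_of_32bit_dll"))
    return findings


def classify_writes(events, writes):
    """Label each cross-process write as parent_to_child (expected when a
    process is being created) or unrelated_target (worth a closer look)."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for src, dst in writes:
        target = by_pid.get(dst)
        kind = "parent_to_child" if target and target["ppid"] == src else "unrelated_target"
        out.append((src, dst, kind))
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(PROC_EVENTS)))
    for pid, finding in flag_rundll32(PROC_EVENTS):
        print(f"pid {pid}: {finding}")
    for src, dst, kind in classify_writes(PROC_EVENTS, WRITE_EVENTS):
        print(f"{src} -> {dst}: {kind}")
```

Run against the report's tree, every WriteProcessMemory event classifies as parent_to_child; a write from 4784 into 452, which the report does not contain, is what the unrelated_target branch is there to catch.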
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
All dumps are from PID 4784 (the SysWOW64 rundll32.exe). The same 976KB range at 0x75090000-0x75184000 appears eight times (dump indices 0, 1, 3, 4, 5, 8, 9, 14), i.e. it was dumped at several points during the run; the other two dumps are small regions of 4KB and 52KB.

file | region | size
memory/4784-0-0x0000000075090000-0x0000000075184000-memory.dmp | 0x0000000075090000-0x0000000075184000 | 976KB
memory/4784-1-0x0000000075090000-0x0000000075184000-memory.dmp | 0x0000000075090000-0x0000000075184000 | 976KB
memory/4784-2-0x0000000000560000-0x0000000000561000-memory.dmp | 0x0000000000560000-0x0000000000561000 | 4KB
memory/4784-3-0x0000000075090000-0x0000000075184000-memory.dmp | 0x0000000075090000-0x0000000075184000 | 976KB
memory/4784-4-0x0000000075090000-0x0000000075184000-memory.dmp | 0x0000000075090000-0x0000000075184000 | 976KB
memory/4784-5-0x0000000075090000-0x0000000075184000-memory.dmp | 0x0000000075090000-0x0000000075184000 | 976KB
memory/4784-6-0x0000000000560000-0x0000000000561000-memory.dmp | 0x0000000000560000-0x0000000000561000 | 4KB
memory/4784-8-0x0000000075090000-0x0000000075184000-memory.dmp | 0x0000000075090000-0x0000000075184000 | 976KB
memory/4784-9-0x0000000075090000-0x0000000075184000-memory.dmp | 0x0000000075090000-0x0000000075184000 | 976KB
memory/4784-11-0x0000000000620000-0x000000000062D000-memory.dmp | 0x0000000000620000-0x000000000062D000 | 52KB
memory/4784-14-0x0000000075090000-0x0000000075184000-memory.dmp | 0x0000000075090000-0x0000000075184000 | 976KB