Analysis

- max time kernel: 140s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-02-2024 14:01

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: 871119561025c22cce7c161a408993fc.dll
- Resource: win7-20231215-en (windows7-x64)
- 2 signatures
- 150 seconds
General

- Target: 871119561025c22cce7c161a408993fc.dll
- Size: 461KB
- MD5: 871119561025c22cce7c161a408993fc
- SHA1: d253f17e53f52cbe0978fd88861e560db55dbb12
- SHA256: e33c1276938039d18d6feb813ef494458619f6999374e31f05a2b5a74e012ab6
- SHA512: fa861cdb73bd57fde9a2a3bf173213a950464e85c9ddbe2bf5e17ba38c8985f631fe41b9bdf6f4279215ef83c3d35f431a3ea50979170d9754a1fe7094f8b88d
- SSDEEP: 12288:mxIkdQI90tC1o4imB/QD3Jv58kEPGxU3aV+2d:5pI90k3imB/Q1mZ73a42
Malware Config

Extracted
- Family: gozi

Extracted
- Family: gozi
- Botnet: 1500
- C2:
  - gtr.antoinfer.com
  - app.bighomegl.at
- Attributes:
  - build: 250211
  - exe_type: loader
  - server_id: 580
  - rsa_pubkey.plain:
  - aes.plain:
Signatures

- Suspicious use of WriteProcessMemory (3 IoCs)

Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 2312 wrote to memory of 5028 | 2312 | rundll32.exe | rundll32.exe |
| PID 2312 wrote to memory of 5028 | 2312 | rundll32.exe | rundll32.exe |
| PID 2312 wrote to memory of 5028 | 2312 | rundll32.exe | rundll32.exe |
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\871119561025c22cce7c161a408993fc.dll,#1
  PID: 2312
  Signature: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\871119561025c22cce7c161a408993fc.dll,#1
    PID: 5028
Network

MITRE ATT&CK Matrix

Downloads
- memory/5028-0-0x0000000075500000-0x0000000075612000-memory.dmp (Filesize: 1.1MB)
- memory/5028-1-0x0000000075500000-0x0000000075612000-memory.dmp (Filesize: 1.1MB)
- memory/5028-2-0x00000000022A0000-0x00000000022A1000-memory.dmp (Filesize: 4KB)
- memory/5028-3-0x0000000002920000-0x000000000292D000-memory.dmp (Filesize: 52KB)
- memory/5028-6-0x0000000075500000-0x0000000075612000-memory.dmp (Filesize: 1.1MB)