Analysis
-
max time kernel
118s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-11-2024 00:16
General
-
Target
8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll
-
Size
672KB
-
MD5
727235afc25234c92c82e99c05a9f0c8
-
SHA1
a200141f482b8d470e0a3c1a7638a74df9987920
-
SHA256
732f00a1a664ca6b7a3b19a4f533a32719c7f1d688e3175e6e5118e7cd829693
-
SHA512
94eda3f5ad431382d51d98af49bb8672d79d7996b6beeb2e9ab7e036b6784a513ca1ebb2b3db35cb591ffd7a667c9605cb0948996bba30253f597955ad377db9
-
SSDEEP
12288:97EFH9MS0eApw2fmB1zNDLRfm4yVjg6AI18R5kQSuOscoujeNR:97EIeewHNIAIiRmQ9ujeNR
Malware Config
Extracted
gozi
Extracted
gozi
1000
http://ey7kuuklgieop2pq.onion
http://shoshanna.at
http://maiamirainy.at
-
dga_base_url
constitution.org/usdeclar.txt
-
dga_crc
0x4eb7d2ca
-
dga_season
10
-
dga_tlds
com
ru
org
-
exe_type
worker
-
server_id
12
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Gozi family
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 9 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#13⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\control.exeC:\Windows\system32\control.exe /?4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?5⤵
-
-
-
-
-
C:\Windows\system32\cmd.execmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\76B.bi1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com3⤵
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\76B.bi1"2⤵
-
-
C:\Windows\syswow64\cmd.exe"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
121B
MD558910db4e6beb9df6a7facc8ff9ebd01
SHA14ac7a11682951faa9a2158955ec2887f2b54b7b2
SHA2568da116d5ff7ffd87e9839c748496155d74e6a425028514d324ddcf33ac00570f
SHA512ee5046838fef65364b93468ac35d97a6d1d028d897b8088fee77a88b977177c8d22e463b369a44048a40f2ea2e50f3acc54bcf314571c146a7602b67680260b2
-
Filesize
672KB
MD5727235afc25234c92c82e99c05a9f0c8
SHA1a200141f482b8d470e0a3c1a7638a74df9987920
SHA256732f00a1a664ca6b7a3b19a4f533a32719c7f1d688e3175e6e5118e7cd829693
SHA51294eda3f5ad431382d51d98af49bb8672d79d7996b6beeb2e9ab7e036b6784a513ca1ebb2b3db35cb591ffd7a667c9605cb0948996bba30253f597955ad377db9
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
4KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
4KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
4KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
4KB
-
Filesize
708KB
-
Filesize
9.7MB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
20KB
-
Filesize
9.7MB
-
Filesize
9.7MB
-
Filesize
9.7MB
-
Filesize
9.7MB