Analysis Overview
SHA256
8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7
Threat Level: Known bad
The file 8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N was found to be: Known bad.
Malicious Activity Summary
Gozi family
Gozi
Unexpected DNS network traffic destination
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 12:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 12:43
Reported
2024-11-12 12:45
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
95s
Command Line
Signatures
Gozi
Gozi family
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
|---|---|---|---|
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crypthlp = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Adhaprop\\ddp_past.dll\",DllRegisterServer" | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2848 set thread context of 2272 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\control.exe |
| PID 2272 set thread context of 3476 | N/A | C:\Windows\system32\control.exe | C:\Windows\Explorer.EXE |
| PID 3476 set thread context of 4004 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3476 set thread context of 4204 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3476 set thread context of 3872 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 2272 set thread context of 2256 | N/A | C:\Windows\system32\control.exe | C:\Windows\system32\rundll32.exe |
| PID 3476 set thread context of 592 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3476 set thread context of 940 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3476 set thread context of 1072 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\control.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\control.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#1 |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| C:\Windows\system32\control.exe | C:\Windows\system32\control.exe /? |
| C:\Windows\system32\rundll32.exe | "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /? |
| C:\Windows\system32\cmd.exe | cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\C225.bi1" |
| C:\Windows\system32\nslookup.exe | nslookup myip.opendns.com resolver1.opendns.com |
| C:\Windows\system32\cmd.exe | cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\C225.bi1" |
| C:\Windows\syswow64\cmd.exe | "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.200.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | shoshanna.at | udp |
| US | 8.8.8.8:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | maiamirainy.at | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Adhaprop\ddp_past.dll
| MD5 | 281ab1908c42955077a6ae9434c404a0 |
| SHA1 | d3dba9abdce5630188d8c51886e889305a698607 |
| SHA256 | 8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7 |
| SHA512 | 212d88553d5b92b278aa96f9cf7fd523ad1a95f7729bdf7e260ec321d8165bb0b110bd0ecb1af8ed896ee2f05b491077bdca8703c0c0524ff650914609852d99 |
C:\Users\Admin\AppData\Local\Temp\C225.bi1
| MD5 | 58910db4e6beb9df6a7facc8ff9ebd01 |
| SHA1 | 4ac7a11682951faa9a2158955ec2887f2b54b7b2 |
| SHA256 | 8da116d5ff7ffd87e9839c748496155d74e6a425028514d324ddcf33ac00570f |
| SHA512 | ee5046838fef65364b93468ac35d97a6d1d028d897b8088fee77a88b977177c8d22e463b369a44048a40f2ea2e50f3acc54bcf314571c146a7602b67680260b2 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 12:43
Reported
2024-11-12 12:45
Platform
win7-20240708-en
Max time kernel
95s
Max time network
96s
Command Line
Signatures
Gozi
Gozi family
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
|---|---|---|---|
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Authtdll = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Apilxapi\\dfdtxva2.dll\",DllRegisterServer" | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2860 set thread context of 2740 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\control.exe |
| PID 2740 set thread context of 1196 | N/A | C:\Windows\system32\control.exe | C:\Windows\Explorer.EXE |
| PID 2740 set thread context of 2636 | N/A | C:\Windows\system32\control.exe | C:\Windows\system32\rundll32.exe |
| PID 1196 set thread context of 1976 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\control.exe | N/A |
| N/A | N/A | C:\Windows\system32\control.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7N.dll,#1 |
| C:\Windows\system32\control.exe | C:\Windows\system32\control.exe /? |
| C:\Windows\system32\rundll32.exe | "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /? |
| C:\Windows\system32\cmd.exe | cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\1BE0.bi1" |
| C:\Windows\system32\nslookup.exe | nslookup myip.opendns.com resolver1.opendns.com |
| C:\Windows\system32\cmd.exe | cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1BE0.bi1" |
| C:\Windows\syswow64\cmd.exe | "C:\Windows\syswow64\cmd.exe" /C pause dll mail, , |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.200.14:80 | google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | shoshanna.at | udp |
| US | 8.8.8.8:53 | maiamirainy.at | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Apilxapi\dfdtxva2.dll
| MD5 | 281ab1908c42955077a6ae9434c404a0 |
| SHA1 | d3dba9abdce5630188d8c51886e889305a698607 |
| SHA256 | 8860a9bed353619eaf28f28eea95f3cfdefbb6eb25f2a557966703cf74678de7 |
| SHA512 | 212d88553d5b92b278aa96f9cf7fd523ad1a95f7729bdf7e260ec321d8165bb0b110bd0ecb1af8ed896ee2f05b491077bdca8703c0c0524ff650914609852d99 |
C:\Users\Admin\AppData\Local\Temp\1BE0.bi1
| MD5 | 469534e44d6489436c26d5e0d473ae1e |
| SHA1 | 539f7ae0225c588fd2a60ee4ed036c568e2e8333 |
| SHA256 | 66d8bb9e94e6ee72da81b36efe59cfbb3db29170fc39cd2b43a39e5eb5087ce5 |
| SHA512 | 9d885af2c1a9800b5bedb4ea85559005c512db1831d5de2d3be438ad6a56099de211cd7ff0432a76c7044ba3b83389ab58bfd6c72e6b3f42452f3a82c1fde3bd |
C:\Users\Admin\AppData\Local\Temp\1BE0.bi1
| MD5 | 58910db4e6beb9df6a7facc8ff9ebd01 |
| SHA1 | 4ac7a11682951faa9a2158955ec2887f2b54b7b2 |
| SHA256 | 8da116d5ff7ffd87e9839c748496155d74e6a425028514d324ddcf33ac00570f |
| SHA512 | ee5046838fef65364b93468ac35d97a6d1d028d897b8088fee77a88b977177c8d22e463b369a44048a40f2ea2e50f3acc54bcf314571c146a7602b67680260b2 |