Malware Analysis Report

2025-01-23 12:51

Sample ID 241221-v5xz2svler
Target d8f3fedde975e393530b694eee1ef9c981b48bc46b4e24749c20189a6fa58e79
SHA256 d8f3fedde975e393530b694eee1ef9c981b48bc46b4e24749c20189a6fa58e79
Tags
gozi 2200 banker discovery isfb trojan 3300 trickbot mon48 packer mon44 mon42
score
10/10

Analysis Overview

score
10/10

SHA256

d8f3fedde975e393530b694eee1ef9c981b48bc46b4e24749c20189a6fa58e79

Threat Level: Known bad

The file d8f3fedde975e393530b694eee1ef9c981b48bc46b4e24749c20189a6fa58e79 was found to be: Known bad.

Malicious Activity Summary

Gozi

Trickbot

Trickbot family

Gozi family

Templ.dll packer

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-21 17:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.dll,#1

Signatures

Gozi

banker trojan gozi

Gozi family

gozi

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\ielowutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a5100000000020000000000106600000001000020000000631a48406a4a78a6a1edc99e44dffc201c9ca64e408b35647134fe12b6603658000000000e800000000200002000000088f6723722eff073cc5b2468fe93bd47078c9126f853fd10c4e780b8e2d03a8620000000d0806b11510ada4fa14650714725ee99ddcab3fda067855272701951b53f689940000000dfc17e0ec96abb51d88198a1fa350147a6f05308045ff96a15f6d889366c03954060c15e846cf485a559f2f1aad9972f8927f633018d1de05cb6907b525003bc C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31151054" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3703586967" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e071c6ddce53db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a5100000000020000000000106600000001000020000000bd6880953a7f43e218f3c8bc942b7cb4da999a4602dc054cd4519fea933ed1d8000000000e8000000002000020000000abf6f2e22fc0e1c4b55e6d6d8d7e8b48d49e3444974147d2a4fcd8af0826e02c200000006b0350ce5b3f8d8efeebde24c39a9c4842a121b8279e8483c404bf5a28653cd8400000004345d86c2e5e6940753d8e240b53c1481973f67043c86cba8d7924d0b721b707a55043fb728b17f59ca10a17f5344879e0cdb55f43c65842c9cb7628384264ca C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31151054" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3703586967" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09dcdddce53db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{08603F2B-BFC2-11EF-AEE2-E26222BAF6A3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.dll,#1

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3404 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 api10.laptok.at udp
SG 54.169.255.239:80 api10.laptok.at tcp
SG 54.169.255.239:80 api10.laptok.at tcp
US 8.8.8.8:53 239.255.169.54.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/1964-0-0x0000000010031000-0x0000000010035000-memory.dmp

memory/1964-1-0x0000000010000000-0x0000000010040000-memory.dmp

memory/1964-2-0x0000000010000000-0x0000000010040000-memory.dmp

memory/1964-3-0x0000000010000000-0x0000000010040000-memory.dmp

memory/1964-4-0x0000000010031000-0x0000000010035000-memory.dmp

memory/1964-5-0x0000000010000000-0x0000000010040000-memory.dmp

memory/1964-6-0x0000000001430000-0x0000000001440000-memory.dmp

memory/1964-9-0x0000000010000000-0x0000000010040000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.dll,#1

Signatures

Gozi

banker trojan gozi

Gozi family

gozi

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\ielowutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1A92B941-BFC2-11EF-AF2A-7E3D785E6C2E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca04ef73b7c6924d879f23eb66eabf8a000000000200000000001066000000010000200000007bd6df4eb20340cd9611e8e34dd70325d3b2c9f06ba880e8b258e95232fd0e72000000000e80000000020000200000001ee33c30e5e655b1895da841756dbecbbf383ad07ff7e6b8e9900bd4a5fd72bc200000000574c94fad0dcd9edf43a4a6736d1e7aec1aa3545eff64313a2296632b73b7a84000000025aad4877af783f431a111fed60d285110b2bddb52f388d2193d006d23da4e2c34ca93d0665614ebd9a3dfb0b1476128d163cf3a58f27c70344d3f8362102fa3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31151054" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50133ef0ce53db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4010603837" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca04ef73b7c6924d879f23eb66eabf8a0000000002000000000010660000000100002000000059679131cb513c011998db34ad2c095da1c931c672c22b2e55320602d825b1bd000000000e8000000002000020000000d80a4fbe01518d78977b803946485ebf1d1f612b673b4ca0c0a26583c7968aed20000000dfa1822ba16ca63e7af1e34963b7fe7fb1afd7ec76568e25ea14dfe657df50da40000000a2645cf419bb500bd2b9ffe4a806afa853c7ecd16afde48b854a033b8e2dfdb4b23a30ad96ba96aa90cb51f8180a560a0096392b413b0293cee71a9434e739ab C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4010603837" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31151054" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 308947f0ce53db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.dll,#1

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 api10.laptok.at udp
SG 54.169.255.239:80 api10.laptok.at tcp
SG 54.169.255.239:80 api10.laptok.at tcp
US 8.8.8.8:53 239.255.169.54.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp

Files

memory/4284-0-0x0000000010000000-0x0000000012019000-memory.dmp

memory/4284-1-0x0000000010000000-0x0000000012019000-memory.dmp

memory/4284-2-0x0000000002AD0000-0x0000000004AE3000-memory.dmp

memory/4284-3-0x0000000010000000-0x0000000012013000-memory.dmp

memory/4284-4-0x00000000012C0000-0x00000000012D0000-memory.dmp

memory/4284-7-0x0000000010000000-0x0000000012019000-memory.dmp

memory/4284-8-0x0000000002AD0000-0x0000000004AE3000-memory.dmp

memory/4284-9-0x0000000010000000-0x0000000012013000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.dll,#1

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.dll,#1

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
DE 45.155.173.242:443 N/A tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
BR 45.230.244.20:443 45.230.244.20 tcp
US 8.8.8.8:53 20.244.230.45.in-addr.arpa udp
US 193.8.194.96:443 N/A tcp
US 193.8.194.96:443 N/A tcp
US 8.8.8.8:53 96.194.8.193.in-addr.arpa udp
US 193.8.194.96:443 N/A tcp
US 193.8.194.96:443 N/A tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
MD 185.163.45.138:443 N/A tcp
BR 186.250.157.116:443 N/A tcp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp

Files

memory/1084-1-0x0000000002E00000-0x0000000002E37000-memory.dmp

memory/1084-0-0x0000000002F70000-0x0000000002FB1000-memory.dmp

memory/1084-2-0x0000000002F70000-0x0000000002FB1000-memory.dmp

memory/1084-4-0x0000000010000000-0x0000000010003000-memory.dmp

memory/1084-3-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/3500-5-0x000002AA3A990000-0x000002AA3A9B7000-memory.dmp

memory/3500-6-0x000002AA3AB30000-0x000002AA3AB31000-memory.dmp

memory/1084-7-0x0000000002F70000-0x0000000002FB1000-memory.dmp

memory/1084-8-0x0000000010000000-0x0000000010003000-memory.dmp

memory/3500-9-0x000002AA3A990000-0x000002AA3A9B7000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win7-20240903-en

Max time kernel

146s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.dll,#1

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3028 wrote to memory of 2372 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2372 wrote to memory of 2280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 2372 wrote to memory of 2280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 2372 wrote to memory of 2280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 2372 wrote to memory of 2280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 2372 wrote to memory of 2020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 2372 wrote to memory of 2020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 2372 wrote to memory of 2020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 2372 wrote to memory of 2020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 2372 wrote to memory of 2020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 2372 wrote to memory of 2020 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.dll,#1

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

Network

Country Destination Domain Proto
DE 45.155.173.242:443 N/A tcp
US 108.170.20.75:443 N/A tcp
HN 200.52.147.93:443 N/A tcp
RO 194.5.249.156:443 N/A tcp
US 193.8.194.96:443 N/A tcp
US 193.8.194.96:443 N/A tcp
US 193.8.194.96:443 N/A tcp

Files

memory/2372-0-0x00000000001C0000-0x0000000000201000-memory.dmp

memory/2372-1-0x0000000000180000-0x00000000001B6000-memory.dmp

memory/2372-2-0x00000000001C0000-0x0000000000201000-memory.dmp

memory/2372-4-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2372-3-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2020-5-0x0000000000060000-0x0000000000087000-memory.dmp

memory/2020-6-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2372-7-0x00000000001C0000-0x0000000000201000-memory.dmp

memory/2372-8-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2020-9-0x0000000000060000-0x0000000000087000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.dll,#1

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_4b32c3c2d28237ba331ae94e7fe4dfb566a0902d59eb84aa793b3adf0a5f378c.dll,#1

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 142.202.191.164:443 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
BR 45.230.244.20:443 45.230.244.20 tcp
US 8.8.8.8:53 20.244.230.45.in-addr.arpa udp
US 193.8.194.96:443 tcp
US 193.8.194.96:443 tcp
US 8.8.8.8:53 96.194.8.193.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 193.8.194.96:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 193.8.194.96:443 tcp
HN 200.52.147.93:443 tcp
FR 134.119.186.202:443 134.119.186.202 tcp
DE 45.155.173.242:443 tcp
US 8.8.8.8:53 202.186.119.134.in-addr.arpa udp
N/A 36.94.62.207:443 tcp

Files

memory/1628-0-0x0000000000920000-0x0000000000961000-memory.dmp

memory/1628-1-0x00000000008E0000-0x0000000000916000-memory.dmp

memory/1628-2-0x0000000000920000-0x0000000000961000-memory.dmp

memory/1628-4-0x0000000010000000-0x0000000010003000-memory.dmp

memory/1628-3-0x0000000002130000-0x0000000002131000-memory.dmp

memory/4236-5-0x000001E06B2A0000-0x000001E06B2A1000-memory.dmp

memory/4236-6-0x000001E06B100000-0x000001E06B127000-memory.dmp

memory/1628-7-0x0000000000920000-0x0000000000961000-memory.dmp

memory/1628-8-0x0000000010000000-0x0000000010003000-memory.dmp

memory/4236-9-0x000001E06B100000-0x000001E06B127000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.dll

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3220 wrote to memory of 3728 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3220 wrote to memory of 3728 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3220 wrote to memory of 3728 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3728 -ip 3728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3728-0-0x0000000010000000-0x000000001405E000-memory.dmp

memory/3728-1-0x0000000001580000-0x00000000015C1000-memory.dmp

memory/3728-2-0x0000000001580000-0x00000000015C1000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win7-20241010-en

Max time kernel

146s

Max time network

156s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.dll

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1128 wrote to memory of 2224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 2224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 2224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 2224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 2224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 2224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1128 wrote to memory of 2224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2224 wrote to memory of 1224 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2224 wrote to memory of 1224 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2224 wrote to memory of 1224 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2224 wrote to memory of 1224 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2224 wrote to memory of 2912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2224 wrote to memory of 2912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2224 wrote to memory of 2912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2224 wrote to memory of 2912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2224 wrote to memory of 2912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2224 wrote to memory of 2912 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.dll

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

Network

Country Destination Domain Proto
DE 45.155.173.242:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
BR 186.250.157.116:443 tcp
RO 194.5.249.156:443 tcp
HN 200.52.147.93:443 tcp

Files

memory/2224-1-0x0000000000180000-0x00000000001B7000-memory.dmp

memory/2224-0-0x00000000001C0000-0x0000000000201000-memory.dmp

memory/2224-2-0x00000000001C0000-0x0000000000201000-memory.dmp

memory/2224-3-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2912-4-0x00000000000E0000-0x0000000000107000-memory.dmp

memory/2912-5-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2224-6-0x00000000001C0000-0x0000000000201000-memory.dmp

memory/2224-7-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2912-8-0x00000000000E0000-0x0000000000107000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win7-20240903-en

Max time kernel

140s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.dll,#1

Signatures

Gozi

banker trojan gozi

Gozi family

gozi

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3044 wrote to memory of 2488 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_8600b6aff4ee95d4f78e5dc77f66af3c07241db926b053144943361bc64c37f7.dll,#1

Network

N/A

Files

memory/2488-0-0x0000000010031000-0x0000000010035000-memory.dmp

memory/2488-1-0x0000000010000000-0x0000000010040000-memory.dmp

memory/2488-2-0x0000000010000000-0x0000000010040000-memory.dmp

memory/2488-3-0x0000000010000000-0x0000000010040000-memory.dmp

memory/2488-4-0x0000000010031000-0x0000000010035000-memory.dmp

memory/2488-5-0x0000000010000000-0x0000000010040000-memory.dmp

memory/2488-7-0x0000000010000000-0x0000000010040000-memory.dmp

memory/2488-9-0x0000000010000000-0x0000000010040000-memory.dmp

memory/2488-11-0x00000000001A0000-0x00000000001B0000-memory.dmp

memory/2488-13-0x0000000010000000-0x0000000010040000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win7-20240903-en

Max time kernel

141s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.dll,#1

Signatures

Gozi

banker trojan gozi

Gozi family

gozi

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1016 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1016 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1016 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1016 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1016 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1016 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d.dll,#1

Network

N/A

Files

memory/2228-0-0x0000000010000000-0x0000000012019000-memory.dmp

memory/2228-1-0x0000000010000000-0x0000000012019000-memory.dmp

memory/2228-2-0x0000000010000000-0x0000000012019000-memory.dmp

memory/2228-3-0x0000000010000000-0x0000000012019000-memory.dmp

memory/2228-5-0x0000000000290000-0x00000000002A0000-memory.dmp

memory/2228-8-0x0000000010000000-0x0000000012019000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.dll,#1

Signatures

Gozi

banker trojan gozi

Gozi family

gozi

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\ielowutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31151054" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0aecbd7ce53db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3602646286" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e510000000002000000000010660000000100002000000084c5182f7eef273accd2c344c3536cf4d6ba91fe6e8cbc922398c571adeefbbd000000000e8000000002000020000000a299e529cc35792724e09fd11912af801613c0de436fb68038d1b001de99e54f200000006ac3bf6182739938fa6ae68d10586752d5451e0d9024dc9fcaf48e3a297c4019400000001d384e8bba2a75ccb5452ac9d049adfd61285b6d1902f7210a3a03e6d0a62cde45e7b97f6a830ae95e74846ead8a0464e384fda25622fea28fa851b1bc9736c8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008110495d4aa4cb41b6757eb2472c6e51000000000200000000001066000000010000200000007406322f2b850bd09dff03f079b54836d28ba5c84cbe3be81c37d63324db7fab000000000e8000000002000020000000f4a57eac1f8d56bb6fe0132194dbe5eb78a1761ede0ec903a99c9c123c18a55d2000000019cdae9a4bae245b76b565e28771e7427bbb6b263bac3158a7a3591c926df7c140000000471942e889b34d6b4b8f1675cbc5a89e652a3f5b5e9972409cdc8ac2dd4bd46344ff9d1991bf39fc14f74bd9a1f4306dbf8d5157964fb3594267005b1d88c888 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31151054" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f3c6d7ce53db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{025C02BE-BFC2-11EF-A7EA-5227CD58F2D9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3602646286" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.dll,#1

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 api10.laptok.at udp
SG 54.169.255.239:80 api10.laptok.at tcp
SG 54.169.255.239:80 api10.laptok.at tcp
US 8.8.8.8:53 239.255.169.54.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

memory/540-0-0x0000000010091000-0x0000000010095000-memory.dmp

memory/540-1-0x0000000010000000-0x000000001009C000-memory.dmp

memory/540-2-0x0000000010000000-0x000000001009C000-memory.dmp

memory/540-3-0x0000000001620000-0x0000000001630000-memory.dmp

memory/540-6-0x0000000010000000-0x000000001009C000-memory.dmp

memory/540-7-0x0000000010091000-0x0000000010095000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win7-20241010-en

Max time kernel

146s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.dll,#1

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1968 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1968 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1968 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1968 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1968 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1968 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1236 wrote to memory of 1476 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 1236 wrote to memory of 1476 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 1236 wrote to memory of 1476 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 1236 wrote to memory of 1476 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 1236 wrote to memory of 2804 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 1236 wrote to memory of 2804 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 1236 wrote to memory of 2804 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 1236 wrote to memory of 2804 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 1236 wrote to memory of 2804 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 1236 wrote to memory of 2804 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_f1b9d5520ba13179e19b336e542d18b0bd9f39a2b41d88a739625c8480422b73.dll,#1

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

Network

Country Destination Domain Proto
DE 45.155.173.242:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
MD 185.163.45.138:443 tcp
US 193.8.194.96:443 tcp
US 193.8.194.96:443 tcp

Files

memory/1236-1-0x0000000000670000-0x00000000006A7000-memory.dmp

memory/1236-2-0x0000000000710000-0x0000000000751000-memory.dmp

memory/1236-0-0x0000000000710000-0x0000000000751000-memory.dmp

memory/1236-4-0x0000000010000000-0x0000000010003000-memory.dmp

memory/1236-3-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/2804-5-0x0000000000060000-0x0000000000087000-memory.dmp

memory/2804-6-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1236-7-0x0000000000710000-0x0000000000751000-memory.dmp

memory/1236-8-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2804-9-0x0000000000060000-0x0000000000087000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 2552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4008 wrote to memory of 2052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4008 wrote to memory of 2052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4008 wrote to memory of 2052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\202102121641_48eacf290c0ed6287672551fcf426053f754c126c01fe6a01009c0ba599d3b8f.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win7-20240903-en

Max time kernel

127s

Max time network

137s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.dll

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2272 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1044 wrote to memory of 2272 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1044 wrote to memory of 2272 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1044 wrote to memory of 2272 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1044 wrote to memory of 2272 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1044 wrote to memory of 2272 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1044 wrote to memory of 2272 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2272 wrote to memory of 3020 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2272 wrote to memory of 3020 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2272 wrote to memory of 3020 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2272 wrote to memory of 3020 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2272 wrote to memory of 1072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2272 wrote to memory of 1072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2272 wrote to memory of 1072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2272 wrote to memory of 1072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2272 wrote to memory of 1072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe
PID 2272 wrote to memory of 1072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\wermgr.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\202102121641_c642dca14e48cae8391d5f100304b399b70a9c3967d7b7d3949ead3b96ba1a63.dll

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

Network

Country Destination Domain Proto
RO 194.5.249.156:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
FR 134.119.186.202:443 tcp
US 108.170.20.75:443 tcp
MD 185.163.45.138:443 tcp

Files

memory/2272-0-0x0000000010000000-0x000000001405E000-memory.dmp

memory/2272-1-0x0000000000230000-0x0000000000271000-memory.dmp

memory/2272-2-0x0000000000230000-0x0000000000271000-memory.dmp

memory/1072-3-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2272-4-0x0000000000290000-0x0000000000293000-memory.dmp

memory/1072-5-0x00000000000E0000-0x0000000000107000-memory.dmp

memory/2272-6-0x0000000000230000-0x0000000000271000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win7-20240708-en

Max time kernel

140s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.dll,#1

Signatures

Gozi

banker trojan gozi

Gozi family

gozi

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 2280 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\202102121641_cc849b895a0c8237f81ca3fe6395929713fb7b3f0a7744d3ddc3cb08f9f4351d.dll,#1

Network

N/A

Files

memory/2280-0-0x0000000010091000-0x0000000010095000-memory.dmp

memory/2280-2-0x0000000010000000-0x000000001009C000-memory.dmp

memory/2280-1-0x0000000010000000-0x000000001009C000-memory.dmp

memory/2280-3-0x0000000010000000-0x000000001009C000-memory.dmp

memory/2280-4-0x0000000010091000-0x0000000010095000-memory.dmp

memory/2280-5-0x0000000010000000-0x000000001009C000-memory.dmp

memory/2280-6-0x0000000010000000-0x000000001009C000-memory.dmp

memory/2280-7-0x0000000010000000-0x000000001009C000-memory.dmp

memory/2280-8-0x0000000010000000-0x000000001009C000-memory.dmp

memory/2280-13-0x0000000010000000-0x000000001009C000-memory.dmp

memory/2280-15-0x0000000000130000-0x0000000000140000-memory.dmp

memory/2280-18-0x0000000010000000-0x000000001009C000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-12-21 17:34

Reported

2024-12-21 17:37

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.dll

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer

Description Indicator Process Target
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3240 wrote to memory of 4432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3240 wrote to memory of 4432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3240 wrote to memory of 4432 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\202102121641_7ae7db00b573a89b9c435a5147a265dd939d99552b92b5dd9baa9a16f95ae9d5.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4432 -ip 4432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4432-0-0x0000000000FD0000-0x0000000001011000-memory.dmp

memory/4432-2-0x0000000000FD0000-0x0000000001011000-memory.dmp

memory/4432-1-0x0000000000F90000-0x0000000000FC7000-memory.dmp