Analysis
max time kernel: 141s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 21-12-2024 17:42
Static task: static1
Behavioral task: behavioral1
Sample: 66672c276272ec58d7b1c5cb087295a050cc23881bb31e0bb5b9c6035093fef5.dll
Resource: win7-20240903-en
General
Target: 66672c276272ec58d7b1c5cb087295a050cc23881bb31e0bb5b9c6035093fef5.dll
Size: 626KB
MD5: 9fe1f95e8964506d56a27c7adc949039
SHA1: 3fe9c746400e15ae08b1d95e454f89d26e273b69
SHA256: 66672c276272ec58d7b1c5cb087295a050cc23881bb31e0bb5b9c6035093fef5
SHA512: fc3fb00c324966fbd80203020da6831e473f6a6ca3bb828d642404021d1785adb404e6a56420b043b529e76e50c619893acae4f0e8a62f1c2c87b4d67ffc5f69
SSDEEP: 12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8Zz:+w1lEKOpuYxiwkkgjAN8Zz
Malware Config
Extracted: gozi
999
config.edge.skype.com
146.70.35.138
146.70.35.142
base_path: /phpadmin/
build: 250227
exe_type: loader
extension: .src
server_id: 50
Signatures
Gozi family

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2364 wrote to memory of 2380 | 2364 | rundll32.exe | 30
PID 2364 wrote to memory of 2380 | 2364 | rundll32.exe | 30
PID 2364 wrote to memory of 2380 | 2364 | rundll32.exe | 30
PID 2364 wrote to memory of 2380 | 2364 | rundll32.exe | 30
PID 2364 wrote to memory of 2380 | 2364 | rundll32.exe | 30
PID 2364 wrote to memory of 2380 | 2364 | rundll32.exe | 30
PID 2364 wrote to memory of 2380 | 2364 | rundll32.exe | 30
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66672c276272ec58d7b1c5cb087295a050cc23881bb31e0bb5b9c6035093fef5.dll,#1
   Signatures: Suspicious use of WriteProcessMemory
   PID: 2364
   2. C:\Windows\SysWOW64\rundll32.exe (child of process 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66672c276272ec58d7b1c5cb087295a050cc23881bb31e0bb5b9c6035093fef5.dll,#1
      Signatures: System Location Discovery: System Language Discovery
      PID: 2380