Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 16:55

General

  • Target

    394ecd747f9b75d73b9d9fb0e393c754ce030e1cccf6c2544fd6eb54578cd517.dll

  • Size

    396KB

  • MD5

    d832f5a807170a8ef0f436810a58e2cb

  • SHA1

    4a6de46a421915bfc08a3c3f2e30a791132606ec

  • SHA256

    394ecd747f9b75d73b9d9fb0e393c754ce030e1cccf6c2544fd6eb54578cd517

  • SHA512

    14c93518b16a8b34dbb297e9a8bdacbee2ec70985e851618eb8a8c2c8a9f34cfe759d372750cb75e237be37b31fccf72847e61b72cd93d2fb306a703e6d59170

  • SSDEEP

    12288:4XxrsWwDQ6tsZgFi43nrxHIS/zjtp23T:4Xxrs9M6tsA1db/zj323

Malware Config

Extracted

Family

gozi

Botnet

7221

C2

po3p53334.yahoo.com

web.citylimitshog.com

Attributes
  • build

    250154

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Extracted

Family

gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Gozi family
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\394ecd747f9b75d73b9d9fb0e393c754ce030e1cccf6c2544fd6eb54578cd517.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\394ecd747f9b75d73b9d9fb0e393c754ce030e1cccf6c2544fd6eb54578cd517.dll,#1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2784
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2892
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:472087 /prefetch:2
      2⤵
      PID:2328
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1908 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1692
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2956
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1116 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2876

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      c5fa30441d4cb07d72e828effa7dd1bf

      SHA1

      06f05e488e7b92c984413dd62a25270bcb27f5e7

      SHA256

      f6d41dbe83d02e21369500ca6d4a1c92d870cb8646b947088876fabff0df99d7

      SHA512

      0817d60c6c7a907e9af39094df5e8b44db26e72bdbf8609aba2406c8c13cbe4296a75425dc0287cc562ab0da2f1e5d9e1249f2f9d1d1185551b8fd88cd0ff75c

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      b284ede7c194733300d82085cca1bf0b

      SHA1

      2526823b99c0e2df54a312364a5c3506109f561c

      SHA256

      cb2bb6f3b275fe5ae02e1c257c72349d49cf31a1fb565e153753923e1ccb7323

      SHA512

      cbc61fa06c0596c3c6ab262d35bc3a8f5dab236e2ea61b2a0eec9b288107220bc515cbc6c978b60ca204f4b35698e5e3420eb07b769499da9dd991ca915008cd

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      eecd0c0406f0d2130e6b33bccba5ad9a

      SHA1

      f14e2e0179417296023cc0f5e25bc03f71217403

      SHA256

      ecaeff5781cf10877d7af02e95773fddfb3edeeada8b176c39ef0779528ccb98

      SHA512

      c888dcd0c053af4789149b2709e13036be978bd81b08b5ba2608d79fbf8b9fa51de8bc98780b8f22c83143c24d4f42f4c3710f01102f32c06b78743e281d0f84

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      16663524f738305af5fa0fc55abd9ce8

      SHA1

      621d0b2ed04edce20067579e87cc786ba2c63e4d

      SHA256

      54c904820d0048e3a0aefcde6d6b6572a482ca0829d91eb1e315fdddd1ee56d9

      SHA512

      0f17ac37f307892a859d78d8661a81142cd216b55e40a484329625ca13f8509557ca8fde0eeec22e9c15004e5e0a9d81e3a670b65b625fd9c9cedd7689960dd9

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      8efbbb7e5cc1d5dd27bcabb04eede1d2

      SHA1

      640ed0e1fa7abdbb2de9c6a0798537a24c320127

      SHA256

      b67323ae01966eb00b69d6b53f4f8d57b95b643b48a63b79428959affa4e0316

      SHA512

      77968d347cf123cc4c45a1f69909efc5c762994c8709d476fc57174b406fe6792f8711e2a18a15ca6da00f92a4730674f49d479ec66a43da5def92bab418c9cd

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      49cca1b4d8ae68c37a02009b175c278d

      SHA1

      8cc463c954bf92c7a1048512f246bfa61a0b43ae

      SHA256

      1ec5a66444ae6b4fe866667684c02fd3413e28aca34f550989c2659b5dd0fe4f

      SHA512

      68b81248daa0a46e3fc63328d5f9c6dcdae3a712aff0e3140a8046e2867d96bb7bb6bf47f3b1ca4697692b460cb68180fbfb4cecae95b335a0b0f98b2b0721ca

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      9a04c8360a2ba70f17588a10ba333db1

      SHA1

      96872db8fc6fad2dc82eed85c98b5d6255070e34

      SHA256

      03c523a76b014c0ec06d38f6f92ed4dbef17330c109aca07c6a5c8393bc6fc9f

      SHA512

      3bf708978aa259ef5ce1cafe204cb8b08799cb67ecb35ab62a743711f93bf8922eb0ba2d2914c0c2b061e7fae2ad3152ab5f72d4053aaa28c65a5d2caa63340d

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      a3458e6f25452dbdc8cecf74ec633dfe

      SHA1

      822e110345394fb3bf30490cacaaab7dcd429eeb

      SHA256

      20c3e7cd534d347097ebe8e4f2c1560959690d9059de25edd082181ef21a858a

      SHA512

      0d972a76f643640ecd9843666b6e6eb88ef572847c7c8a317beeafbec5e765868a760e397ba6197a380b7bb405fd880e295d93ad7f05c1688e6f57f79e1e0edc

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

      Filesize

      342B

      MD5

      c16a95b97e34456d914c83d2e18965ac

      SHA1

      a27c01b8e87ca485d6204641692cc163e9b6c51f

      SHA256

      54a0d3f4f76c3a8da3d543e41b3405343092c8c0d43903406ac6c2a8e599a357

      SHA512

      86486cb62f0f348f3bc06e62b66073ff24eff7cda50cd309bbbb176901008cb2ce7e474a4444161dcefd1a2a5f07719d908552271f8eb8a89dd25759a552f119

    • C:\Users\Admin\AppData\Local\Temp\CabEB0D.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarEB6E.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\~DF48CAA9899852560C.TMP

      Filesize

      16KB

      MD5

      9b7e9928632a5e59614ff5ee53d07ada

      SHA1

      d70213c90d1a5b155c09903141e3557370a2052d

      SHA256

      fba6902d0de5ade8e88aec2fc4859c0e94442fb8781bdbca0a8745d6901f9a4c

      SHA512

      78289b086447fa8f62772b65966f87c9bb9a5906127d96868d44b5427a060d575a84acccea94c761d8935c058982b8ab4f9353af7e1330580b2a91020e3fc903

    • memory/2784-0-0x0000000074E12000-0x0000000074E16000-memory.dmp

      Filesize

      16KB

    • memory/2784-9-0x0000000000220000-0x0000000000222000-memory.dmp

      Filesize

      8KB

    • memory/2784-8-0x0000000074DB0000-0x0000000074E26000-memory.dmp

      Filesize

      472KB

    • memory/2784-7-0x0000000074E12000-0x0000000074E16000-memory.dmp

      Filesize

      16KB

    • memory/2784-2-0x0000000074DB0000-0x0000000074E26000-memory.dmp

      Filesize

      472KB

    • memory/2784-1-0x0000000074DB0000-0x0000000074E26000-memory.dmp

      Filesize

      472KB

    • memory/2784-3-0x0000000000160000-0x0000000000170000-memory.dmp

      Filesize

      64KB