Analysis
max time kernel: 145s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 19:10
Static task: static1
Behavioral task: behavioral1
Sample: 3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe
Resource: win7-20241010-en
General
Target: 3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe
Size: 304KB
MD5: 4c7aa22092360d14d5c799e0bd873d78
SHA1: 64372fa56d6cac4c6ec49ea02f3a5ffe32566aa8
SHA256: 3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01
SHA512: 72d010a5c4ef66c2883410e7d93f9751db47267c91a3c52c24e9f5b39c3953e2a659c1552d88238b053001c4d29ee3fd65bafcc389281aa806c1a6e3cd161555
SSDEEP: 6144:Kg4Myj0VKau5jfPcMhV2RRYgUvCwZsUpQitLZWVWJC9OfrOYujPy:kaVKbJcMhVEeRpaU38VQCUwm
Malware Config
Extracted: gozi 303
- http://aaxvkah7dudzoloq.onion
- http://tahhir.at
- http://limpopo.at
- http://estate-advice.at
build: 217107
dga_base_url: constitution.org/usdeclar.txt
dga_crc: 0x4eb7d2ca
dga_season: 10
dga_tlds: com, ru, org
exe_type: worker
server_id: 12
Signatures
- Gozi family
- Unexpected DNS network traffic destination (3 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description    | ioc
  Destination IP | 208.67.222.222
  Destination IP | 208.67.222.222
  Destination IP | 208.67.222.222
- Adds Run key to start application (2 TTPs, 1 IoC)
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BOOTscui = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\BdeHxpps\\dxilerPS.exe" | Explorer.EXE
- Suspicious use of SetThreadContext (7 IoCs)
  description                          | pid  | Process                                                                  | procid_target
  PID 1176 set thread context of 3784  | 1176 | 3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe | 82
  PID 3784 set thread context of 3488  | 3784 | control.exe                                                              | 56
  PID 3488 set thread context of 4040  | 3488 | Explorer.EXE                                                             | 60
  PID 3488 set thread context of 4112  | 3488 | Explorer.EXE                                                             | 62
  PID 3784 set thread context of 640   | 3784 | control.exe                                                              | 83
  PID 3488 set thread context of 3344  | 3488 | Explorer.EXE                                                             | 76
  PID 3488 set thread context of 2300  | 3488 | Explorer.EXE                                                             | 98
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                        | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  | Process
  1176 | 3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe
  1176 | 3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe
  3488 | Explorer.EXE
  3488 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
  pid  | Process
  1176 | 3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe
  3784 | control.exe
  3488 | Explorer.EXE
  3488 | Explorer.EXE
  3784 | control.exe
  3488 | Explorer.EXE
  3488 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                       | pid  | Process
  Token: SeShutdownPrivilege        | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege  | 3488 | Explorer.EXE
  Token: SeShutdownPrivilege        | 4040 | RuntimeBroker.exe
  Token: SeShutdownPrivilege        | 4040 | RuntimeBroker.exe
  Token: SeShutdownPrivilege        | 4040 | RuntimeBroker.exe
  Token: SeShutdownPrivilege        | 3488 | Explorer.EXE
  Token: SeCreatePagefilePrivilege  | 3488 | Explorer.EXE
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid  | Process
  3488 | Explorer.EXE
- Suspicious use of WriteProcessMemory (34 IoCs; consecutive identical events are collapsed, with the event count in the last column)
  description                        | pid  | Process                                                                  | procid_target | events
  PID 1176 wrote to memory of 3784   | 1176 | 3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe | 82            | 5
  PID 3784 wrote to memory of 3488   | 3784 | control.exe                                                              | 56            | 3
  PID 3488 wrote to memory of 4040   | 3488 | Explorer.EXE                                                             | 60            | 1
  PID 3784 wrote to memory of 640    | 3784 | control.exe                                                              | 83            | 3
  PID 3488 wrote to memory of 4040   | 3488 | Explorer.EXE                                                             | 60            | 2
  PID 3488 wrote to memory of 4112   | 3488 | Explorer.EXE                                                             | 62            | 3
  PID 3488 wrote to memory of 3344   | 3488 | Explorer.EXE                                                             | 76            | 1
  PID 3784 wrote to memory of 640    | 3784 | control.exe                                                              | 83            | 2
  PID 3488 wrote to memory of 3344   | 3488 | Explorer.EXE                                                             | 76            | 2
  PID 3488 wrote to memory of 3588   | 3488 | Explorer.EXE                                                             | 93            | 2
  PID 3588 wrote to memory of 1212   | 3588 | cmd.exe                                                                  | 95            | 2
  PID 3488 wrote to memory of 1416   | 3488 | Explorer.EXE                                                             | 96            | 2
  PID 3488 wrote to memory of 2300   | 3488 | Explorer.EXE                                                             | 98            | 6
Processes
(tree indented by process depth; each entry gives the image path, the observed command line, the matched signatures and the PID)
- C:\Windows\Explorer.EXE (PID 3488)
  command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe (PID 1176)
    command line: "C:\Users\Admin\AppData\Local\Temp\3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\control.exe (PID 3784)
      command line: C:\Windows\system32\control.exe /?
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\rundll32.exe (PID 640)
        command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
  - C:\Windows\system32\cmd.exe (PID 3588)
    command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\7D7A.bi1"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe (PID 1212)
      command line: nslookup myip.opendns.com resolver1.opendns.com
  - C:\Windows\system32\cmd.exe (PID 1416)
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\7D7A.bi1"
  - C:\Windows\syswow64\cmd.exe (PID 2300)
    command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
    - System Location Discovery: System Language Discovery
- C:\Windows\System32\RuntimeBroker.exe (PID 4040)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\RuntimeBroker.exe (PID 4112)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3344)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 122B
  MD5: 4e722b4828cea8a135eb7a2bfd92ab01
  SHA1: 8e1abee672a878fd9c1d33e242502205d9b2da55
  SHA256: c4d1feacbfb9ecd1a24e9b6d3e51fc7e9797da543d319f43ff0917db4c1e5e02
  SHA512: 88c0d6b07d45f906164b2c1178a938ffb56c4fa7288853a02f460339bca026fa58b26a37f52ea846bc205e1828f12f0361d1b0425a1106c8b1a947856d4ee4e4
- Filesize: 304KB (hashes match the submitted sample listed under General)
  MD5: 4c7aa22092360d14d5c799e0bd873d78
  SHA1: 64372fa56d6cac4c6ec49ea02f3a5ffe32566aa8
  SHA256: 3ebbc1ac0f109ef8c0f7e7e682c1394c9e9de07b3d6a3943266a1a35cb0b5b01
  SHA512: 72d010a5c4ef66c2883410e7d93f9751db47267c91a3c52c24e9f5b39c3953e2a659c1552d88238b053001c4d29ee3fd65bafcc389281aa806c1a6e3cd161555