Analysis
max time kernel: 152s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2023, 23:16
Static task: static1
Behavioral task: behavioral1
  Sample: ShibaGTGoldBootstrapper.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: ShibaGTGoldBootstrapper.exe
  Resource: win10v2004-20231127-en
General
Target: ShibaGTGoldBootstrapper.exe
Size: 55KB
MD5: f83cad71e17f33f9982f7d6abad5a00c
SHA1: f97a63401711f760ff3a16c53f044580e69686b5
SHA256: ba40f680d70bb6d8e9687c773586f01dd8c21a55e8a50f1c84dcbb0281aa0334
SHA512: 3294c99d2d441e41fa6c0cc213bfa572638b2908dd5de65b87b41d9acecc1eb9c6b8f4ddc4f8c1a439c1f86ae8f9bfbf291057504b2cf82bf996083e66020dda
SSDEEP: 768:06AJcT9GzAs3p87Q63q74/tn8exlzuPaRELMWbqkNA6LLiUfCZanIt:Scsu8kz8hrPbqZ1t
Malware Config
Signatures
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation (process: ShibaGTGoldBootstrapper.exe)
- Executes dropped EXE (1 IoC)
  PID 2400, process: goldloader.loader
  yara_rule matches: behavioral2/files/0x000300000001e868-10.dat -> vmprotect; behavioral2/files/0x000300000001e868-9.dat -> vmprotect
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4904, process: ShibaGTGoldBootstrapper.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4904 (ShibaGTGoldBootstrapper.exe) wrote to memory of PID 5068, procid_target 93
  PID 4904 (ShibaGTGoldBootstrapper.exe) wrote to memory of PID 5068, procid_target 93
  PID 4904 (ShibaGTGoldBootstrapper.exe) wrote to memory of PID 5068, procid_target 93
  PID 5068 (cmd.exe) wrote to memory of PID 2400, procid_target 96
  PID 5068 (cmd.exe) wrote to memory of PID 2400, procid_target 96
Processes
1. C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe"
   PID: 4904
   - Checks computer location settings
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\goldloader.loader"
      PID: 5068
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\goldloader.loader
         Command line: C:\Users\Admin\AppData\Local\Temp\goldloader.loader
         PID: 2400
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.9MB
  MD5: ea3d2c8a97e5878acaf00a086f66946d
  SHA1: 4e644466192523011cf950433ade99022c9c4d57
  SHA256: 1bfda2ccbf00523606a2eba0668a173d27a41d57341798c281e62dc436e84fdd
  SHA512: 1c4e629e7ec6eff4b33a57c27a4ed0d73c5684b5b6cc0e6a9938aa9d7ea108aa9de8894ee0de7822d9acb6d53bf6058ca38d0f4ce3d13b8d309f622fc02ab24a