Analysis

  • max time kernel
    152s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2023, 23:16

General

  • Target

    ShibaGTGoldBootstrapper.exe

  • Size

    55KB

  • MD5

    f83cad71e17f33f9982f7d6abad5a00c

  • SHA1

    f97a63401711f760ff3a16c53f044580e69686b5

  • SHA256

    ba40f680d70bb6d8e9687c773586f01dd8c21a55e8a50f1c84dcbb0281aa0334

  • SHA512

    3294c99d2d441e41fa6c0cc213bfa572638b2908dd5de65b87b41d9acecc1eb9c6b8f4ddc4f8c1a439c1f86ae8f9bfbf291057504b2cf82bf996083e66020dda

  • SSDEEP

    768:06AJcT9GzAs3p87Q63q74/tn8exlzuPaRELMWbqkNA6LLiUfCZanIt:Scsu8kz8hrPbqZ1t

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\goldloader.loader"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Users\Admin\AppData\Local\Temp\goldloader.loader
        C:\Users\Admin\AppData\Local\Temp\goldloader.loader
        3⤵
        • Executes dropped EXE
        PID:2400

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\goldloader.loader

          Filesize

          5.9MB

          MD5

          ea3d2c8a97e5878acaf00a086f66946d

          SHA1

          4e644466192523011cf950433ade99022c9c4d57

          SHA256

          1bfda2ccbf00523606a2eba0668a173d27a41d57341798c281e62dc436e84fdd

          SHA512

          1c4e629e7ec6eff4b33a57c27a4ed0d73c5684b5b6cc0e6a9938aa9d7ea108aa9de8894ee0de7822d9acb6d53bf6058ca38d0f4ce3d13b8d309f622fc02ab24a

        • C:\Users\Admin\AppData\Local\Temp\goldloader.loader

          Filesize

          5.9MB

          MD5

          ea3d2c8a97e5878acaf00a086f66946d

          SHA1

          4e644466192523011cf950433ade99022c9c4d57

          SHA256

          1bfda2ccbf00523606a2eba0668a173d27a41d57341798c281e62dc436e84fdd

          SHA512

          1c4e629e7ec6eff4b33a57c27a4ed0d73c5684b5b6cc0e6a9938aa9d7ea108aa9de8894ee0de7822d9acb6d53bf6058ca38d0f4ce3d13b8d309f622fc02ab24a

        • memory/4904-0-0x0000000000E90000-0x0000000000EA8000-memory.dmp

          Filesize

          96KB

        • memory/4904-1-0x0000000074400000-0x0000000074BB0000-memory.dmp

          Filesize

          7.7MB

        • memory/4904-2-0x0000000003200000-0x0000000003206000-memory.dmp

          Filesize

          24KB

        • memory/4904-3-0x00000000057B0000-0x00000000057C0000-memory.dmp

          Filesize

          64KB

        • memory/4904-4-0x0000000005730000-0x0000000005796000-memory.dmp

          Filesize

          408KB

        • memory/4904-7-0x0000000074400000-0x0000000074BB0000-memory.dmp

          Filesize

          7.7MB