Analysis Overview
SHA256
ba40f680d70bb6d8e9687c773586f01dd8c21a55e8a50f1c84dcbb0281aa0334
Threat Level: Likely malicious
The file ShibaGTGoldBootstrapper.exe was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
VMProtect packed file
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-06 23:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-06 23:16
Reported
2023-12-06 23:18
Platform
win7-20231129-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2924 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1700
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
Files
memory/2924-0-0x0000000000C90000-0x0000000000CA8000-memory.dmp
memory/2924-1-0x0000000074550000-0x0000000074C3E000-memory.dmp
memory/2924-2-0x0000000000480000-0x0000000000486000-memory.dmp
memory/2924-3-0x0000000000530000-0x0000000000570000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar21D8.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/2924-40-0x0000000074550000-0x0000000074C3E000-memory.dmp
memory/2924-41-0x0000000000530000-0x0000000000570000-memory.dmp
memory/2924-42-0x0000000074550000-0x0000000074C3E000-memory.dmp
C:\Users\Admin\Desktop\virus.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-06 23:16
Reported
2023-12-06 23:18
Platform
win10v2004-20231127-en
Max time kernel
152s
Max time network
148s
Command Line
Signatures
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\goldloader.loader | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4904 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5068 wrote to memory of 2400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\goldloader.loader |
Processes
C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\goldloader.loader"
C:\Users\Admin\AppData\Local\Temp\goldloader.loader
C:\Users\Admin\AppData\Local\Temp\goldloader.loader
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 222.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.23.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/4904-0-0x0000000000E90000-0x0000000000EA8000-memory.dmp
memory/4904-1-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/4904-2-0x0000000003200000-0x0000000003206000-memory.dmp
memory/4904-3-0x00000000057B0000-0x00000000057C0000-memory.dmp
memory/4904-4-0x0000000005730000-0x0000000005796000-memory.dmp
memory/4904-7-0x0000000074400000-0x0000000074BB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\goldloader.loader
| MD5 | ea3d2c8a97e5878acaf00a086f66946d |
| SHA1 | 4e644466192523011cf950433ade99022c9c4d57 |
| SHA256 | 1bfda2ccbf00523606a2eba0668a173d27a41d57341798c281e62dc436e84fdd |
| SHA512 | 1c4e629e7ec6eff4b33a57c27a4ed0d73c5684b5b6cc0e6a9938aa9d7ea108aa9de8894ee0de7822d9acb6d53bf6058ca38d0f4ce3d13b8d309f622fc02ab24a |