Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 22:32
Behavioral task: behavioral1
- Sample: 1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
- Resource: win10v2004-20231215-en
General
- Target: 1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
- Size: 2.7MB
- MD5: 1e8b6db7fe01d3c6536dc85f3a1f7f7e
- SHA1: c8487e573c6eec98f8b27fd48a4fdedf83b187b0
- SHA256: bb5dd04ec026e2db27f98bf77a793c33cf46091cdaf876abbf1233d61e7f565a
- SHA512: 31f5e23e2d5d76c4486873a7ab357b7525e6db2133b51050b531e89d3e2ca52ec50fa60c30a5b77c417a92e0ec143d076623c4d0035913d6ca298432e9e0800b
- SSDEEP: 49152:McwedbQ9bdwxkZAV1yOvvEc/0+BR980FLWJofqzWcBYGniqaPbKp/qG6TsPfFR9j:McwGowOjct3H8AlGniPzKp/qDAfFHj
Malware Config
- Extracted family: gozi
Signatures
- Deletes itself (1 IoCs)
  pid   Process
  2984  1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  2984  1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  2924  1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
- yara_rule matches (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2924-1-0x0000000000400000-0x00000000008E7000-memory.dmp    upx
  behavioral1/files/0x000a000000013a71-13.dat                                   upx
  behavioral1/files/0x000a000000013a71-10.dat                                   upx
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2924  1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2924  1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
  2984  1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid   Process                                procid_target
  PID 2924 wrote to memory of 2984 2924  1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe   28
  PID 2924 wrote to memory of 2984 2924  1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe   28
  PID 2924 wrote to memory of 2984 2924  1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe   28
  PID 2924 wrote to memory of 2984 2924  1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe   28
Processes
- C:\Users\Admin\AppData\Local\Temp\1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe"
  PID: 2924
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1e8b6db7fe01d3c6536dc85f3a1f7f7e.exe
    PID: 2984
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Downloads
- Filesize: 172KB
  MD5: 04eb3694871deebba69efcc819d0ded4
  SHA1: 94cf8f0e01a0eafa2f70270119531ae51f6172fc
  SHA256: e8faede6a80e1858fea5c82cadb8f5afea8cdd1f024cab82eec249e0dda3b33e
  SHA512: cfaa49a8fd5b8bb0c44124065242233c7f52ac29aa0be9c33f5f7180496d8912f1b729a9b54632648d27abb86957958f90657a1eb35cd2c7c391f498b5ec7ed4
- Filesize: 610KB
  MD5: e0a749b700cac7dbc42cf82a1d8c13f8
  SHA1: ba5caa230fa1a65fc41c276c520a15c8d93d21bd
  SHA256: 439b4e51987febc4d44f8920c5d00ed5437df3208324438a6b3d615ffed2e877
  SHA512: 100f42686c832a985be8420f5f9d73017062d802938f1a26d66ef4f220e51a6e58fda144ae03198c546415aba1f37f9b0516398808c2bd42394d55244b2822a0