Analysis Overview
SHA256
56ed446dbc6513c68a357fdac55eaffd9ce6463256f5c3bcc0455a571c9f614b
Threat Level: Known bad
The file 987fef059b1de2791ae99876c864d26b was found to be: Known bad.
Malicious Activity Summary
Gozi
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-02-13 04:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-02-13 04:41
Reported: 2024-02-13 04:47
Platform: win7-20231215-en
Max time kernel: 118s
Max time network: 125s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\987fef059b1de2791ae99876c864d26b.exe | N/A |
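The `wextract_cleanup0` value above is worth reading before counting it as persistence. `rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>"` is the command that wextract.exe, the stub of an IExpress self-extracting package, registers under RunOnce so that its `IXP000.TMP` scratch directory is deleted at the next logon. It shows that `987fef059b1de2791ae99876c864d26b.exe` is an IExpress wrapper that unpacks `GARENA~1.EXE`; it does not show the payload installing an autostart. The same value is recorded in the Windows 10 run. The Python below is an added example, not part of the sandbox report or its tooling: it parses the indicator exactly as the report prints it (backslashes and inner quotes escaped) and separates this cleanup entry from a genuine Run-key autostart. The second `Updater` entry is a hypothetical constructed here for contrast and does not come from the report.

```python
import re

# Constructed input: the "Set value (str)" indicator as the sandbox report prints it
# for this sample (the string data is shown with backslashes and inner quotes escaped).
# The same entry is recorded in both the Windows 7 and Windows 10 runs.
RUNONCE_INDICATOR = (
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0'
    r' = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32'
    r' \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""'
)

# Hypothetical contrasting entry (not from the report): a per-user Run value that
# launches a dropped binary, i.e. what real persistence through this key looks like.
HYPOTHETICAL_PERSISTENCE = (
    r'\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\svc.exe"'
)

# wextract.exe, the stub of an IExpress self-extracting package, unpacks into
# %TEMP%\IXP###.TMP and registers this RunOnce value so that advpack.dll's
# DelNodeRunDLL32 deletes the scratch directory at the next logon.
IEXPRESS_CLEANUP = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[A-Za-z]:\\[^,\s]*\\)?advpack\.dll,DelNodeRunDLL32\s+'
    r'"(?P<dir>[^"]*\\IXP\d{3}\.TMP\\?)"\s*$',
    re.IGNORECASE,
)


def parse_set_value(indicator: str) -> tuple[str, str, str]:
    """Split 'KEY\\Name = "data"' into (key path, value name, unescaped data)."""
    name_path, sep, raw = indicator.partition(" = ")
    if not sep or not (raw.startswith('"') and raw.endswith('"')):
        raise ValueError("expected a quoted string value")
    key, _, value_name = name_path.rpartition("\\")
    data = re.sub(r'\\(["\\])', r'\1', raw[1:-1])   # \\ -> \  and  \" -> "
    return key, value_name, data


def classify_run_entry(indicator: str) -> dict:
    """Decide whether a Run/RunOnce write is the IExpress cleanup entry or needs review."""
    key, name, command = parse_set_value(indicator)
    result = {
        "key": key,
        "name": name,
        "command": command,
        "autorun_key": key.upper().endswith(("\\RUN", "\\RUNONCE")),
    }
    m = IEXPRESS_CLEANUP.match(command)
    if m and name.lower().startswith("wextract_cleanup"):
        result["verdict"] = "iexpress_cleanup"
        result["scratch_dir"] = m.group("dir")   # directory the package unpacked into
    else:
        result["verdict"] = "review"             # anything else under Run/RunOnce gets eyes on it
    return result


if __name__ == "__main__":
    for indicator in (RUNONCE_INDICATOR, HYPOTHETICAL_PERSISTENCE):
        v = classify_run_entry(indicator)
        print(f"{v['verdict']:18} {v['name']}: {v['command']}")
```

The scratch directory the regex captures is the place to look for the unpacked payload on a live host before the RunOnce cleanup removes it.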
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3000 set thread context of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\987fef059b1de2791ae99876c864d26b.exe
"C:\Users\Admin\AppData\Local\Temp\987fef059b1de2791ae99876c864d26b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
| MD5 | 50d18e4d4da3b5fe17ff79778a857c27 |
| SHA1 | ccd6ca8450b924f853af660de6944379e6a49db9 |
| SHA256 | c93e92848854bff98d100a6cb94b052e7ad17e095c172ea93a6582f213ae1646 |
| SHA512 | 3c017aa79e798f720e37f413fd8cbc294dd7f10ddab33c7a5c60af7a9376ef1a11e9efd27697095ed37ad8ac2f4d187e4167a86cc802c95dbdc548da3d28c39a |
memory/3000-9-0x0000000000400000-0x0000000000473000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
| MD5 | 55156b907dea9f68c84a623de1b7c1e9 |
| SHA1 | 28ccd30764fb623ebed03c1e597b54ee8eefaae0 |
| SHA256 | e969806a060c027c87ccc47841bde362b0256f16d0222439d0c215c18c72947f |
| SHA512 | 402f069aed907616fb61eb3ace4537d6c2f93bac7d3950de31c7fbd9689c1b4b2797dcbfd61ba088b0e29a6a94099cbb5e5af985f3d26eb6c885ce7bc9b5e0f3 |
memory/1548-14-0x0000000000400000-0x0000000000457000-memory.dmp
memory/1548-18-0x0000000000400000-0x0000000000457000-memory.dmp
memory/3000-19-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1548-24-0x0000000000400000-0x0000000000457000-memory.dmp
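The `PID 3000 set thread context of 1548` row, the WriteProcessMemory signature and the memory dumps listed above fit together. Both PIDs are instances of `GARENA~1.EXE`, yet the sandbox dumped an image of 0x73000 bytes at 0x400000 from the parent (3000) and one of 0x57000 bytes at the same base from the child (1548). Two processes started from the same file should map images of the same size, so the child's image is consistent with having been replaced by the parent before its thread context was reset: the footprint of process hollowing (RunPE). The Windows 10 run shows the same pattern (216 to 4884, same sizes). The Python below is an added example, not the sandbox's own logic, that makes this check mechanical from the report text; it assumes the dump names follow `memory/<pid>-<seq>-<start>-<end>-memory.dmp`, which is how they appear on the page, and it includes both runs' rows as constructed input.

```python
import re
from collections import defaultdict

# Constructed input copied from the report: the "set thread context" indicators and the
# memory-dump artefact names for the Windows 7 run (PIDs 3000/1548) and the Windows 10
# run (PIDs 216/4884). The layout memory/<pid>-<seq>-<start>-<end>-memory.dmp is
# assumed from how the names appear on the page.
SET_THREAD_CONTEXT_ROWS = [
    "PID 3000 set thread context of 1548",
    "PID 216 set thread context of 4884",
]
MEMORY_DUMPS = [
    "memory/3000-9-0x0000000000400000-0x0000000000473000-memory.dmp",
    "memory/1548-14-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/1548-18-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/3000-19-0x0000000000400000-0x0000000000473000-memory.dmp",
    "memory/1548-24-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/216-6-0x0000000000400000-0x0000000000473000-memory.dmp",
    "memory/216-14-0x0000000000400000-0x0000000000473000-memory.dmp",
    "memory/4884-20-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/4884-17-0x0000000000400000-0x0000000000457000-memory.dmp",
    "memory/4884-10-0x0000000000400000-0x0000000000457000-memory.dmp",
]

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp", re.IGNORECASE)


def parse_dumps(names):
    """Return pid -> {(start, end)} for every dumped region, de-duplicating repeats."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m:
            regions[int(m[1])].add((int(m[3], 16), int(m[4], 16)))
    return regions


def hollowing_candidates(ctx_rows, dump_names):
    """For each SetThreadContext source->target pair, compare the regions dumped from
    both sides. Two instances of the same on-disk executable should map an image of
    the same size at the same base; a target whose image at that base has a different
    size is consistent with the source having overwritten it (process hollowing)."""
    regions = parse_dumps(dump_names)
    findings = []
    for row in ctx_rows:
        m = CTX_RE.search(row)
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        for s_start, s_end in sorted(regions.get(src, ())):
            for d_start, d_end in sorted(regions.get(dst, ())):
                if s_start == d_start and s_end != d_end:
                    findings.append({
                        "source_pid": src,
                        "target_pid": dst,
                        "base": s_start,
                        "source_image_size": s_end - s_start,
                        "target_image_size": d_end - d_start,
                    })
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates(SET_THREAD_CONTEXT_ROWS, MEMORY_DUMPS):
        print(f"PID {f['source_pid']} -> PID {f['target_pid']}: image at {f['base']:#x} is "
              f"{f['source_image_size']:#x} bytes in the source but "
              f"{f['target_image_size']:#x} bytes in the target")
```

The size mismatch is a trigger to analyse the target PID's dump (the 0x57000-byte image) rather than the file on disk, since that dump is the payload actually executing.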
Analysis: behavioral2
Detonation Overview
Submitted: 2024-02-13 04:41
Reported: 2024-02-13 04:48
Platform: win10v2004-20231222-en
Max time kernel: 93s
Max time network: 151s
Command Line
Signatures
Gozi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\987fef059b1de2791ae99876c864d26b.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 216 set thread context of 4884 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
C:\Users\Admin\AppData\Local\Temp\987fef059b1de2791ae99876c864d26b.exe
"C:\Users\Admin\AppData\Local\Temp\987fef059b1de2791ae99876c864d26b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
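The only network activity recorded in the Windows 10 run is a set of PTR (reverse DNS) queries sent to Google's resolver at 8.8.8.8:53. An in-addr.arpa name lists the address octets in reverse, so `194.178.17.96.in-addr.arpa` asks for the name of 96.17.178.194. The report shows no forward lookups and no connections to the decoded hosts, and the decoded addresses appear to fall in blocks commonly used by Microsoft and CDN infrastructure that Windows itself talks to, so treat them as background context rather than C2 indicators unless other evidence ties them to the sample. The Python below is an added example, not part of the report: it parses the table as printed above, decodes each query to the address being looked up, and groups the results by /16 so clusters in one provider's space stand out.

```python
import ipaddress
from collections import Counter

# Constructed input: the Network table of the Windows 10 run, copied from the report.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
"""


def ptr_to_ipv4(name: str):
    """Decode a.b.c.d.in-addr.arpa (octets reversed) to an IPv4Address, or None."""
    labels = name.strip().rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None


def parse_network_table(text: str):
    """Turn the report's pipe-delimited rows into dicts; PTR names get a decoded address."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, destination, domain, proto = cells
        host, _, port = destination.rpartition(":")
        rows.append({
            "country": country,
            "resolver": host,          # where the packet went (the DNS server, not the target)
            "port": int(port),
            "proto": proto,
            "query": domain,
            "ptr_target": ptr_to_ipv4(domain),   # None for ordinary forward lookups
        })
    return rows


def summarize(rows, prefix_len: int = 16):
    """Count decoded PTR targets per /prefix_len network so a burst of reverse lookups
    against one provider's blocks is visible at a glance."""
    counts = Counter()
    for r in rows:
        if r["ptr_target"] is not None:
            net = ipaddress.ip_network(f"{r['ptr_target']}/{prefix_len}", strict=False)
            counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_network_table(NETWORK_TABLE)
    for r in rows:
        print(f"{r['query']:32} -> {r['ptr_target']}  (via {r['resolver']}:{r['port']}/{r['proto']})")
    print(summarize(rows))
```

The resolver column is a reminder that 8.8.8.8 is the only host the sandbox actually exchanged packets with; the decoded addresses are what was asked about, not where traffic went.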
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
| MD5 | 67a6a8a3c6de1e7a16f0aa876464df69 |
| SHA1 | a6e8b1d8a326f6e2c710f423e39aa4ef09b7c9a5 |
| SHA256 | 352225efb2be6a72429f0ad74f33448618ba35c52cdadb6b9fa8a4d888f5a115 |
| SHA512 | 5475520462f84750a7d961a54c00bba30cf3ed6caed35dc77407296010cd3134d8a1138a4d5ade0ff4c9f0c9ed6c67fbac28b2ff15553cc6d1b71c7e23039a4a |
memory/216-6-0x0000000000400000-0x0000000000473000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
| MD5 | cb0487cdc7046e942234657392b00e8b |
| SHA1 | 2a44d4dadc10cf26f68f1e31ce38961b8f4421fc |
| SHA256 | 48b8d7cf146573cc026b652be1dd63b069489a7c07b50351cca27fab2ed667f1 |
| SHA512 | 3aba7fd689d19c34c0f670f05b6ae8d2e5c6e69f3ee062808b0eff637f51addbc348a9bbe221cd2cd5420a274b26f26363664695fa35682031cf6b545dc5ab44 |
memory/216-14-0x0000000000400000-0x0000000000473000-memory.dmp
memory/4884-20-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4884-17-0x0000000000400000-0x0000000000457000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GARENA~1.EXE
| MD5 | 6d4941df97b33c712127b6389dbcf9bf |
| SHA1 | 1a3bd64897b18a33c2be92a7b2d4356fed95c378 |
| SHA256 | 155a996142b894954f89b1f31d920579be77dcdb233b688203c9f9e08fb2a2ea |
| SHA512 | eabb80d30f774fdc81ac5af05490fbe947ce5b095c8e037ce1328256f86ca233103dd6972f597bff2c93531c7a4daa1802f13d9f503a40ce507556069ba1e962 |
memory/4884-10-0x0000000000400000-0x0000000000457000-memory.dmp