Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
24-02-2024 06:50
General
-
Target
a1377cd4ce5ce56d3823fdb57c140b17.exe
-
Size
2.7MB
-
MD5
a1377cd4ce5ce56d3823fdb57c140b17
-
SHA1
86bbde799c45970f361bc77bd738a29cf9e8557b
-
SHA256
f37a3c6561b111a616e9ae9dc30dc173bbbf5684a7a8f5b49499018eb7e0e31e
-
SHA512
7ac5de2e90a05618e6d0f1c58e9ce017f7d60e22b0dc0afb708c2c91de7270f0f3c0d31951f5354ac92a6da80a5ca201a8213f9c807c32093a39f3e6e98edb4c
-
SSDEEP
49152:ByTjTlwhAi1YoGQ/ara3umGWUda3VfrrER9f+oyQKvBTNDygOm9gc2pU7mbg2dRt:UTH6L+vHhsr4HGkCBygORc2ptldHj
Malware Config
Extracted
gozi
Signatures
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1377cd4ce5ce56d3823fdb57c140b17.exe"C:\Users\Admin\AppData\Local\Temp\a1377cd4ce5ce56d3823fdb57c140b17.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a1377cd4ce5ce56d3823fdb57c140b17.exeC:\Users\Admin\AppData\Local\Temp\a1377cd4ce5ce56d3823fdb57c140b17.exe2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\a1377cd4ce5ce56d3823fdb57c140b17.exeFilesize
1.2MB
MD5e72c7c2b62e232a31f6c7a50340efbd2
SHA182ea49d82e8d05bf598710141580f62cc26cdd22
SHA2564a24ae1cde78aaf042e36138ff637b045decd6b830c3931c5e652f33a03cd108
SHA5124ae7019fc176ea572dc6ff57546d07f18f1be37605d5f30d55c98ee59a5b0a925705153d20d7c23552d455313d04729286595085f7754e16f22f640a281eec33
-
C:\Users\Admin\AppData\Local\Temp\a1377cd4ce5ce56d3823fdb57c140b17.exeFilesize
1.2MB
MD550f37fea2f96f7573f09aec18f87024e
SHA14ea6aee064b978c7ae369ef44bbf51b1516c7787
SHA2569b20ee2ec51458199d4e49f1018eb4f9ef40ce2fcb6b4dc6fd12fa202449d6ab
SHA512d34c3aee9d6cea4ce3121c6db353eee18066c7ec20d01f74b8a3edcc3951201305d3308f8770924052cd8470254921bedfe2cfece2b30155e9fa4327a7861d5b
-
\Users\Admin\AppData\Local\Temp\a1377cd4ce5ce56d3823fdb57c140b17.exeFilesize
1.8MB
MD5f257ca1656e4483aec2d0c56d5cb6916
SHA10d33f4206fd25dc8fddf7a2edc706f59f6f2c936
SHA2568d438a91db5c29626602e73e81569fae3155fd8c18eee9387025c8351bba7b13
SHA5125ef0b3da54a9eb9d1d1509a7fbd3387cfe1a5909f0eedce270ee6da899d254683c9e0f51a4dcc6f348f9332476528b74a8d57fd56c7a6baae06f3264bb0e1c81
-
memory/2376-17-0x0000000000400000-0x00000000008E7000-memory.dmpFilesize
4.9MB
-
memory/2376-16-0x0000000000400000-0x0000000000622000-memory.dmpFilesize
2.1MB
-
memory/2376-19-0x00000000018F0000-0x0000000001A21000-memory.dmpFilesize
1.2MB
-
memory/2376-25-0x0000000003550000-0x0000000003772000-memory.dmpFilesize
2.1MB
-
memory/2376-23-0x0000000000400000-0x0000000000616000-memory.dmpFilesize
2.1MB
-
memory/2376-32-0x0000000000400000-0x00000000008E7000-memory.dmpFilesize
4.9MB
-
memory/2416-1-0x0000000000400000-0x0000000000622000-memory.dmpFilesize
2.1MB
-
memory/2416-2-0x00000000018F0000-0x0000000001A21000-memory.dmpFilesize
1.2MB
-
memory/2416-15-0x00000000038C0000-0x0000000003DA7000-memory.dmpFilesize
4.9MB
-
memory/2416-14-0x0000000000400000-0x0000000000622000-memory.dmpFilesize
2.1MB
-
memory/2416-0-0x0000000000400000-0x00000000008E7000-memory.dmpFilesize
4.9MB
-
memory/2416-31-0x00000000038C0000-0x0000000003DA7000-memory.dmpFilesize
4.9MB