Analysis

  max time kernel:  152s
  max time network: 158s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240226-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        06-03-2024 01:10
Behavioral task: behavioral1

  Sample:   b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe
  Resource: win7-20240221-en
General

  Target: b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe
  Size:   2.9MB
  MD5:    b622ed8a7ba0c3c7ecf68f7e32a2ba65
  SHA1:   3c6bd2406692b6bb1ecfdf54cc06ca14d1304da6
  SHA256: 39b0c5cc10ecf39813ba5100d1f2f983a45ca2e150fa13deec9a5d9ec4154b81
  SHA512: 416a7ba3ec216e04bb28a9057b1f207ea7b238e6f8c64df80cd9c0b9b4511dbcafa24308f4ef30a644c117008cc80d04e8bb0230b433c5583d29564209603a3a
  SSDEEP: 49152:sGyPbFHe+WC3rzco2c8KGc/stRw6g3RTP4M338dB2IBlGuuDVUsdxxjeQZwxPYRr:TyjBBhrAh1vtyFFgg3gnl/IVUs1jePs
Malware Config

  Extracted: gozi
Signatures

Deletes itself (1 IoC)
  pid   Process
  3340  b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe

Executes dropped EXE (1 IoC)
  pid   Process
  3340  b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe

  resource                                                                      yara_rule
  behavioral2/memory/2440-0-0x0000000000400000-0x00000000008EF000-memory.dmp    upx
  behavioral2/files/0x000c000000022f7b-10.dat                                   upx
  behavioral2/memory/3340-13-0x0000000000400000-0x00000000008EF000-memory.dmp   upx

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2440  b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2440  b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe
  3340  b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                procid_target
  PID 2440 wrote to memory of 3340  2440  b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe   96
  PID 2440 wrote to memory of 3340  2440  b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe   96
  PID 2440 wrote to memory of 3340  2440  b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe   96
Processes

  C:\Users\Admin\AppData\Local\Temp\b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID: 2440

      C:\Users\Admin\AppData\Local\Temp\b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of UnmapMainImage
        PID: 3340

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
    PID: 1984
Network
MITRE ATT&CK Matrix
Downloads

  Filesize: 576KB
  MD5:      205d8ca3ba044f705a806c2eb62d197f
  SHA1:     83474962b8f42fcaf7d8d292d36485bf1b1078b9
  SHA256:   2ed450c6325c5643fe773cae1a0c30426436a30ecfe1cdb9ed15148fd4eb7344
  SHA512:   545f81d9e02ea08af991a6698cd864e77be4d62694eb639ae0d53ca84f702d1398d17cc2ef00624d7274c90b317f7d9bbf30fa0fd56dbca06af0b506ab095fd5