Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-03-2024 01:10

General

  • Target

    b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe

  • Size

    2.9MB

  • MD5

    b622ed8a7ba0c3c7ecf68f7e32a2ba65

  • SHA1

    3c6bd2406692b6bb1ecfdf54cc06ca14d1304da6

  • SHA256

    39b0c5cc10ecf39813ba5100d1f2f983a45ca2e150fa13deec9a5d9ec4154b81

  • SHA512

    416a7ba3ec216e04bb28a9057b1f207ea7b238e6f8c64df80cd9c0b9b4511dbcafa24308f4ef30a644c117008cc80d04e8bb0230b433c5583d29564209603a3a

  • SSDEEP

    49152:sGyPbFHe+WC3rzco2c8KGc/stRw6g3RTP4M338dB2IBlGuuDVUsdxxjeQZwxPYRr:TyjBBhrAh1vtyFFgg3gnl/IVUs1jePs

Malware Config

  • Extracted
    Family: gozi

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe (PID 2440, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe"
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe (PID 3340, depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1984, depth 1)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

Downloads

  • C:\Users\Admin\AppData\Local\Temp\b622ed8a7ba0c3c7ecf68f7e32a2ba65.exe
    Filesize: 576KB
    MD5: 205d8ca3ba044f705a806c2eb62d197f
    SHA1: 83474962b8f42fcaf7d8d292d36485bf1b1078b9
    SHA256: 2ed450c6325c5643fe773cae1a0c30426436a30ecfe1cdb9ed15148fd4eb7344
    SHA512: 545f81d9e02ea08af991a6698cd864e77be4d62694eb639ae0d53ca84f702d1398d17cc2ef00624d7274c90b317f7d9bbf30fa0fd56dbca06af0b506ab095fd5
  • memory/2440-0-0x0000000000400000-0x00000000008EF000-memory.dmp
    Filesize: 4.9MB
  • memory/2440-1-0x0000000001CE0000-0x0000000001E13000-memory.dmp
    Filesize: 1.2MB
  • memory/2440-2-0x0000000000400000-0x000000000062A000-memory.dmp
    Filesize: 2.2MB
  • memory/2440-12-0x0000000000400000-0x000000000062A000-memory.dmp
    Filesize: 2.2MB
  • memory/3340-13-0x0000000000400000-0x00000000008EF000-memory.dmp
    Filesize: 4.9MB
  • memory/3340-15-0x00000000018F0000-0x0000000001A23000-memory.dmp
    Filesize: 1.2MB
  • memory/3340-14-0x0000000000400000-0x000000000062A000-memory.dmp
    Filesize: 2.2MB
  • memory/3340-20-0x00000000056B0000-0x00000000058DA000-memory.dmp
    Filesize: 2.2MB
  • memory/3340-21-0x0000000000400000-0x000000000061D000-memory.dmp
    Filesize: 2.1MB
  • memory/3340-28-0x0000000000400000-0x00000000008EF000-memory.dmp
    Filesize: 4.9MB