Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-03-2024 20:58
Behavioral task: behavioral1
- Sample: b82cb510100cc9e5e7b3ca0ce00e10a6.exe
- Resource: win7-20240221-en
General
- Target: b82cb510100cc9e5e7b3ca0ce00e10a6.exe
- Size: 2.9MB
- MD5: b82cb510100cc9e5e7b3ca0ce00e10a6
- SHA1: 1b05aa8de29c23c0345a8cb7a9a029d27c3b3bcc
- SHA256: 6c9136e86a05f217abbbd2e73b79c5e0330a8c37d09af42124738f08fb0405b9
- SHA512: c3084e6edc7cd0c5e3f6ee835bc40e3ec784064704cc41fbd233e1c67d9cd0ad8f106653ae0274c91f5fd19bdcdc17c9b02b2d40bff5f4d08474e8562daf4361
- SSDEEP: 49152:d73WV+G5GcJY9U/s6+CB1Ooqxovt8mEBSHLHjZ8gtXCjFlted0d/5MIg/d:MVN5GcJYK/c1oqxovVEBSrDZvNOtTdBu
Malware Config
- Extracted: gozi
Signatures
- Deletes itself (1 IoC)
  pid   Process
  1472  b82cb510100cc9e5e7b3ca0ce00e10a6.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  1472  b82cb510100cc9e5e7b3ca0ce00e10a6.exe
- YARA rule matches
  resource                                                                    yara_rule
  behavioral2/memory/944-0-0x0000000000400000-0x00000000008EF000-memory.dmp   upx
  behavioral2/files/0x000d00000002314e-11.dat                                 upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  944   b82cb510100cc9e5e7b3ca0ce00e10a6.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  944   b82cb510100cc9e5e7b3ca0ce00e10a6.exe
  1472  b82cb510100cc9e5e7b3ca0ce00e10a6.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 944 wrote to memory of 1472   944   b82cb510100cc9e5e7b3ca0ce00e10a6.exe  88
  PID 944 wrote to memory of 1472   944   b82cb510100cc9e5e7b3ca0ce00e10a6.exe  88
  PID 944 wrote to memory of 1472   944   b82cb510100cc9e5e7b3ca0ce00e10a6.exe  88
Processes
1. C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe (PID: 944)
   Command line: "C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe (PID: 1472)
      Command line: C:\Users\Admin\AppData\Local\Temp\b82cb510100cc9e5e7b3ca0ce00e10a6.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.6MB
  MD5: 0838e3bd03cc4a4d2e48b087628e5c56
  SHA1: 4b635395b2373b6dfe77e1d330219c6fca4edbe6
  SHA256: ba4707590b53ac4109abf3a9930cdd678cd2c7648eb6e3a23c7cbf84af30c8a8
  SHA512: 028b01990c12c39239c26fa199e063ba8e7638ba1447ef9042693ffbff61eae672f6736c54148cced9df218b2684624e3f30b31a43ccbc73e68b82215aca1fbe