Analysis
max time kernel: 117s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-03-2024 20:20
Behavioral task: behavioral1
Sample: b9910483a93ce128340c2c8f52f707f9.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: b9910483a93ce128340c2c8f52f707f9.exe
Resource: win10v2004-20240226-en
General
Target: b9910483a93ce128340c2c8f52f707f9.exe
Size: 2.9MB
MD5: b9910483a93ce128340c2c8f52f707f9
SHA1: d805ee52b8546fe4047df2c156d5ea26f060b634
SHA256: 270905ca19b8c1e8b9d2032a38338158d4e0fcf898eb0e0179e18dab080d22b5
SHA512: 431afbaae1eecd1d5e1a7462ed0f453b2e34cbb6ffa21308b3b3f5e6f9fb26ae8ec7fe62f7a7e1a1bb20ff6fb2277823335cbbcc7fee5b4b54842cf63e66810a
SSDEEP: 49152:p7duzulQx/vbDxwfIXoAxFHHN74NH5HUyNRcUsCVOzetdZJ:phP+Puf2JxFHH4HBUCczzM3
Malware Config
Extracted: gozi
Signatures
Deletes itself (1 IoCs)
pid 2532, process b9910483a93ce128340c2c8f52f707f9.exe
Executes dropped EXE (1 IoCs)
pid 2532, process b9910483a93ce128340c2c8f52f707f9.exe
Loads dropped DLL (1 IoCs)
pid 1688, process b9910483a93ce128340c2c8f52f707f9.exe
yara_rule matches (rule: upx)
resource behavioral1/memory/1688-0-0x0000000000400000-0x00000000008EF000-memory.dmp, rule upx
resource behavioral1/files/0x000b00000001224c-10.dat, rule upx
resource behavioral1/files/0x000b00000001224c-15.dat, rule upx
resource behavioral1/memory/2532-16-0x0000000000400000-0x00000000008EF000-memory.dmp, rule upx
resource behavioral1/memory/1688-14-0x0000000003980000-0x0000000003E6F000-memory.dmp, rule upx
Suspicious behavior: RenamesItself (1 IoCs)
pid 1688, process b9910483a93ce128340c2c8f52f707f9.exe
Suspicious use of UnmapMainImage (2 IoCs)
pid 1688, process b9910483a93ce128340c2c8f52f707f9.exe
pid 2532, process b9910483a93ce128340c2c8f52f707f9.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 1688 wrote to memory of 2532; pid 1688; process b9910483a93ce128340c2c8f52f707f9.exe; procid_target 28
description: PID 1688 wrote to memory of 2532; pid 1688; process b9910483a93ce128340c2c8f52f707f9.exe; procid_target 28
description: PID 1688 wrote to memory of 2532; pid 1688; process b9910483a93ce128340c2c8f52f707f9.exe; procid_target 28
description: PID 1688 wrote to memory of 2532; pid 1688; process b9910483a93ce128340c2c8f52f707f9.exe; procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\b9910483a93ce128340c2c8f52f707f9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b9910483a93ce128340c2c8f52f707f9.exe"
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 1688
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\b9910483a93ce128340c2c8f52f707f9.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\b9910483a93ce128340c2c8f52f707f9.exe
   - Deletes itself
   - Executes dropped EXE
   - Suspicious use of UnmapMainImage
   PID: 2532
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 245KB
MD5: fd98e9c0c4dc5aec919b371e39c77811
SHA1: 3f5488e7099524819512361a3e3c69ba631f5488
SHA256: b261a3d9181f80906f110c6cc0e8128157d73668231e50c3d5fc1bba379852da
SHA512: abbec6112b295791a16f770c992cc0e43789aa0f8706b190917a4877b4fef7438e2050882c4ef57edae6474c214dabb5e9404d18fbc0a0e87e062ebdb9066d25
Filesize: 396KB
MD5: 5cea88f04ca9ddf9f0d17560a8db90e2
SHA1: e4f4882199ae4f20b6046ddca8544dc1b79a8a04
SHA256: e843be1eab91a2d151dc2048cc7750c480acd09c397f1986bed9201c4afffcf1
SHA512: 2ba2abb3df8508287dde9ecf727f9f58631977fc65f09e6d5f208b28e9babec281a1e66e8058b1eb5fac10d48ebe211d4bfeaf1434cc5d10aba67f6e67ac0809