Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-03-2024 19:37
Behavioral task: behavioral1
Sample: b97eb20d9cd4df21c713866e51e2aff3.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: b97eb20d9cd4df21c713866e51e2aff3.exe
Resource: win10v2004-20240226-en
General

Target: b97eb20d9cd4df21c713866e51e2aff3.exe
Size: 5.3MB
MD5: b97eb20d9cd4df21c713866e51e2aff3
SHA1: 3e59b574b543e60e4842fc2df208b78e85cb5916
SHA256: 1015ea42f955bb7d199d166800a1831ffda77e2bf81535880fef0cb2f877e614
SHA512: 17cf26a872c4a5978f55ce36da14d70eb78f93ca398703c5542efd374bdf1a780614ea664603844a5f16eb29ddd8af66048f71b36c7f496c05937593820bf711
SSDEEP: 98304:i3+wQB/D3aG8Ml6y34qm29a3c59gsHYikPTPd8BiBfBaFqm29a3c59gsHYikp:U+wSeab8uZgHXd8+BaxuZgHF
Malware Config

Extracted: gozi
Signatures

Deletes itself (1 IoCs)
  pid   Process
  2580  b97eb20d9cd4df21c713866e51e2aff3.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2580  b97eb20d9cd4df21c713866e51e2aff3.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  2020  b97eb20d9cd4df21c713866e51e2aff3.exe

YARA matches (4 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2020-0-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
  behavioral1/files/0x000b000000012241-10.dat                                 upx
  behavioral1/files/0x000b000000012241-13.dat                                 upx
  behavioral1/memory/2580-14-0x0000000000400000-0x00000000008EF000-memory.dmp upx

Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2020  b97eb20d9cd4df21c713866e51e2aff3.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2020  b97eb20d9cd4df21c713866e51e2aff3.exe
  2580  b97eb20d9cd4df21c713866e51e2aff3.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 2020 wrote to memory of 2580   2020  b97eb20d9cd4df21c713866e51e2aff3.exe  28
  PID 2020 wrote to memory of 2580   2020  b97eb20d9cd4df21c713866e51e2aff3.exe  28
  PID 2020 wrote to memory of 2580   2020  b97eb20d9cd4df21c713866e51e2aff3.exe  28
  PID 2020 wrote to memory of 2580   2020  b97eb20d9cd4df21c713866e51e2aff3.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\b97eb20d9cd4df21c713866e51e2aff3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b97eb20d9cd4df21c713866e51e2aff3.exe"
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 2020

   2. C:\Users\Admin\AppData\Local\Temp\b97eb20d9cd4df21c713866e51e2aff3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\b97eb20d9cd4df21c713866e51e2aff3.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      PID: 2580
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 960KB
MD5: 063c0fe230eabbdfab4e6a79e7e2434d
SHA1: 585edab5682f0ba59df75fe6cfcc67844cb57ae9
SHA256: b797257e984d515b51fd691323f68cce97bb246b55aa92d383214c8bd74becac
SHA512: bdc907753ec507cbc34bcd186c6ceb4383709b9786996f2ffdd1fcf684bc0aaf94ee87675ee08ad01d3de827fef03447fecc64d9e9ba3239282f35892ca94387

Filesize: 1.6MB
MD5: f83615516a5c73204990df4c89f41e65
SHA1: 4551d61fef4624dff2354e93d7c04197a6525610
SHA256: beae2075ba55d1a86e23993263ba70578cd5425e6831697546724894ed98e547
SHA512: 60d642e0d97810dcad47daf686de3e775df26a3a3bf3a8e5696803af9613885601e4eb9a12de088eb90d9974d5c513e94c389fbcf198a653c67c65e989f10e83