Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-03-2024 10:32
Behavioral task: behavioral1
Sample: bb0982a7bf4ecdb5667e1171e1ef13b1.exe
Resource: win7-20240221-en
General
Target: bb0982a7bf4ecdb5667e1171e1ef13b1.exe
Size: 5.8MB
MD5: bb0982a7bf4ecdb5667e1171e1ef13b1
SHA1: 8c88a025d0094b2849b9a7fb631b780d66e347d5
SHA256: 444c9ae8d83115c237f19855d81f86eca9b893daa56623b3d47d6c6a75efd849
SHA512: 27724bcde5df8e5222a947802216fa1bfb1acc9cd9e5d00ee8ed6512f68463058ecc21780d7b4071b855c2f077d574cda8b00053e21cdc5bbaab4ac69747efb9
SSDEEP: 98304:AyoFJ4xdPpWDyswREHau42c1joCjMPkNwk6alDAqD7z3uboHau42c1joCjMPkNwv:AyVoDEmauq1jI86FA7y2auq1jI86
Malware Config
Extracted: gozi
Signatures

Deletes itself (1 IoC)
  pid 4324  bb0982a7bf4ecdb5667e1171e1ef13b1.exe

Executes dropped EXE (1 IoC)
  pid 4324  bb0982a7bf4ecdb5667e1171e1ef13b1.exe

YARA rule matches (3 resources, rule: upx)
  behavioral2/memory/1624-0-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
  behavioral2/files/0x0008000000023203-11.dat  upx
  behavioral2/memory/4324-13-0x0000000000400000-0x00000000008EF000-memory.dmp  upx

Suspicious behavior: RenamesItself (1 IoC)
  pid 1624  bb0982a7bf4ecdb5667e1171e1ef13b1.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid 1624  bb0982a7bf4ecdb5667e1171e1ef13b1.exe
  pid 4324  bb0982a7bf4ecdb5667e1171e1ef13b1.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                               procid_target
  PID 1624 wrote to memory of 4324   1624  bb0982a7bf4ecdb5667e1171e1ef13b1.exe  90
  PID 1624 wrote to memory of 4324   1624  bb0982a7bf4ecdb5667e1171e1ef13b1.exe  90
  PID 1624 wrote to memory of 4324   1624  bb0982a7bf4ecdb5667e1171e1ef13b1.exe  90
Processes

C:\Users\Admin\AppData\Local\Temp\bb0982a7bf4ecdb5667e1171e1ef13b1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bb0982a7bf4ecdb5667e1171e1ef13b1.exe"
  PID: 1624
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\bb0982a7bf4ecdb5667e1171e1ef13b1.exe
      command line: C:\Users\Admin\AppData\Local\Temp\bb0982a7bf4ecdb5667e1171e1ef13b1.exe
      PID: 4324
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
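The signature rows and process tree above describe one executable launching a second copy of itself from the same path, writing into that child's memory three times, and the child then unmapping its own image and deleting itself, a sequence typical of a packed loader handing execution to a fresh copy of its own binary. The Python below is an example added to this page, not code from the sandbox or its report format: it correlates rows of that shape into a single finding. The record layout (tuples of pid, signature name, target pid; a pid-to-(parent, image path) map), the function name `find_self_reexec_injection` and the scoring are my own assumptions, and the sample records are constructed from the rows in this report.

```python
"""Correlate sandbox signature rows into a self-re-execution + injection finding.

Added example: the record format and function below are assumptions, not the
sandbox's export format. Sample data is constructed from this report's rows.
"""
from collections import defaultdict

# Constructed from the report's signature tables: (pid, signature, target pid or None)
EVENTS = [
    (1624, "RenamesItself", None),
    (1624, "UnmapMainImage", None),
    (1624, "WriteProcessMemory", 4324),
    (1624, "WriteProcessMemory", 4324),
    (1624, "WriteProcessMemory", 4324),
    (4324, "UnmapMainImage", None),
    (4324, "ExecutesDroppedEXE", None),
    (4324, "DeletesItself", None),
]

# Constructed from the report's process tree: pid -> (parent pid, image path)
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\bb0982a7bf4ecdb5667e1171e1ef13b1.exe"
PROCESSES = {
    1624: (None, SAMPLE_PATH),
    4324: (1624, SAMPLE_PATH),
}


def find_self_reexec_injection(events, processes):
    """Return one finding per (parent, child) pair where the parent spawned a
    child from the same image path and wrote into the child's memory.

    Any WriteProcessMemory from a parent into a same-image child is reported;
    the remaining signatures only raise the score so an analyst can rank pairs.
    Image paths are compared case-insensitively because NTFS paths are.
    """
    sigs = defaultdict(set)      # pid -> set of signature names seen
    writes = defaultdict(int)    # (writer pid, target pid) -> count of writes
    for pid, sig, target in events:
        sigs[pid].add(sig)
        if sig == "WriteProcessMemory" and target is not None:
            writes[(pid, target)] += 1

    findings = []
    for child, (parent, image) in processes.items():
        if parent is None or parent not in processes:
            continue                                  # root process or unknown parent
        if image.lower() != processes[parent][1].lower():
            continue                                  # child is a different binary
        if writes[(parent, child)] == 0:
            continue                                  # no cross-process write
        evidence = {
            "parent_renames_itself": "RenamesItself" in sigs[parent],
            "parent_unmaps_image": "UnmapMainImage" in sigs[parent],
            "child_unmaps_image": "UnmapMainImage" in sigs[child],
            "child_is_dropped_exe": "ExecutesDroppedEXE" in sigs[child],
            "child_deletes_itself": "DeletesItself" in sigs[child],
        }
        findings.append({
            "parent": parent,
            "child": child,
            "image": image,
            "memory_writes": writes[(parent, child)],
            "score": 1 + sum(evidence.values()),      # 1 for the write itself
            "evidence": evidence,
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_reexec_injection(EVENTS, PROCESSES):
        print(f"pid {finding['parent']} -> pid {finding['child']} "
              f"({finding['memory_writes']} writes, score {finding['score']})")
        for name, hit in finding["evidence"].items():
            print(f"  {name}: {hit}")
```

Run against this report's rows it yields one finding, 1624 to 4324 with three memory writes and every supporting signature present; a parent launching a different image, or one that never writes into the child, produces nothing, which is the check that keeps ordinary installers and updaters out of the result.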
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 615KB
MD5: 612540c44a5af80aa7e9a12264a86c26
SHA1: 9cf1d62df688f23a560c64ef24e1e6f269589e9e
SHA256: f4acb623e9028da3219660b03754bdd6248265b71992aece8b41d205cd58574f
SHA512: 10357f11087e9b8d74b8dc99396301c671b0dd708e012990e1ed7518d2fe018c71f29c0b289669e74b9f96022ede3d98e1e913ad3f436d8080bc35290e542b31