Analysis
-
max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
09-03-2024 13:15
Behavioral task
behavioral1
Sample
bbe660a686e731e57019dcca9e7acd1a.exe
Resource
win7-20240221-en
General
-
Target
bbe660a686e731e57019dcca9e7acd1a.exe
-
Size
2.9MB
-
MD5
bbe660a686e731e57019dcca9e7acd1a
-
SHA1
b1f2d1207f4deffc06f5a8d9d79f71d1c5f42795
-
SHA256
1d1f6158e002a614569cf732706563478c31c021ef35d6a6750c1301d2c6275c
-
SHA512
d98750e053cac65cb78e3a093918ebbe11e6718dc3ee855bb91f8acf713d9f4819c2848d931127b39254e060906e27734dd29673d7e209bf38d744b2fbb7a03c
-
SSDEEP
49152:MdyeMiGX652zUI5Zkbx2kFko9Baj8BBT4SfcsUjoh48TyMPkXdwkyZ:MdyeGzv5ZkVVGoHau42c1joCjMPkNwk6
Malware Config
Extracted
gozi
Signatures
-
Deletes itself 1 IoCs
pid Process
3708 bbe660a686e731e57019dcca9e7acd1a.exe
-
Executes dropped EXE 1 IoCs
pid Process
3708 bbe660a686e731e57019dcca9e7acd1a.exe
-
resource yara_rule
behavioral2/memory/4980-0-0x0000000000400000-0x00000000008EF000-memory.dmp upx
behavioral2/files/0x000700000001ebc7-11.dat upx
-
Suspicious behavior: RenamesItself 1 IoCs
pid Process
4980 bbe660a686e731e57019dcca9e7acd1a.exe
-
Suspicious use of UnmapMainImage 2 IoCs
pid Process
4980 bbe660a686e731e57019dcca9e7acd1a.exe
3708 bbe660a686e731e57019dcca9e7acd1a.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 4980 wrote to memory of 3708 4980 bbe660a686e731e57019dcca9e7acd1a.exe 88
PID 4980 wrote to memory of 3708 4980 bbe660a686e731e57019dcca9e7acd1a.exe 88
PID 4980 wrote to memory of 3708 4980 bbe660a686e731e57019dcca9e7acd1a.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe
"C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4980
-
C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe
C:\Users\Admin\AppData\Local\Temp\bbe660a686e731e57019dcca9e7acd1a.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:3708
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
788KB
MD5
f70f8d47867b4183cf3dac1e70cdde81
SHA1
6fba70ccc92432ed526a3bf8bc97e78173cba567
SHA256
1c9b1076cbf5ae70da581d9a6c6ce177135ef769ca12feea0d33742d3042aa06
SHA512
4545af7e1cc17bc166d7011e5418ca819c2c3366cf7ecc421787ff041a43b69e1b8fd6dbe51155c09a72379323041ba29ed15d08a5611d5aecd68f30a1305bb6