Analysis
max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted
09-03-2024 14:35
Behavioral task
behavioral1
Sample
bc0d9b263316bb636f51b2776ed8d4a3.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bc0d9b263316bb636f51b2776ed8d4a3.exe
Resource
win10v2004-20240226-en
General
Target
bc0d9b263316bb636f51b2776ed8d4a3.exe
Size
2.7MB
MD5
bc0d9b263316bb636f51b2776ed8d4a3
SHA1
99432f1cd28f0f02be9b8d4768b061c38f89bae5
SHA256
1914124098ae620392080dc81fb97fe6025734316d772c3bab624703259176fa
SHA512
2f321503d36550f032d44c688f3ddc6f33c22cc277a5185d10a3e338cad8fd3b3a1a998b091eb3dfe145f071c13f45064bc9c244aea01f8a27b79bc4f5ebc96f
SSDEEP
49152:u3WxOP/4X6ixg8qaQ9nSoSS7IyCbxIEQADQsEp:u3/4qixg8qaQRSojeH79Ep
Malware Config
Extracted
gozi
Signatures
Deletes itself 1 IoCs
pid  Process
2248  bc0d9b263316bb636f51b2776ed8d4a3.exe
Executes dropped EXE 1 IoCs
pid  Process
2248  bc0d9b263316bb636f51b2776ed8d4a3.exe
Loads dropped DLL 1 IoCs
pid  Process
2172  bc0d9b263316bb636f51b2776ed8d4a3.exe
resource  yara_rule
behavioral1/memory/2172-0-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
behavioral1/files/0x000c000000012240-13.dat  upx
behavioral1/memory/2248-16-0x0000000000400000-0x00000000008EF000-memory.dmp  upx
behavioral1/files/0x000c000000012240-10.dat  upx
Suspicious behavior: RenamesItself 1 IoCs
pid  Process
2172  bc0d9b263316bb636f51b2776ed8d4a3.exe
Suspicious use of UnmapMainImage 2 IoCs
pid  Process
2172  bc0d9b263316bb636f51b2776ed8d4a3.exe
2248  bc0d9b263316bb636f51b2776ed8d4a3.exe
Suspicious use of WriteProcessMemory 4 IoCs
description  pid  Process  procid_target
PID 2172 wrote to memory of 2248  2172  bc0d9b263316bb636f51b2776ed8d4a3.exe  28
PID 2172 wrote to memory of 2248  2172  bc0d9b263316bb636f51b2776ed8d4a3.exe  28
PID 2172 wrote to memory of 2248  2172  bc0d9b263316bb636f51b2776ed8d4a3.exe  28
PID 2172 wrote to memory of 2248  2172  bc0d9b263316bb636f51b2776ed8d4a3.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\bc0d9b263316bb636f51b2776ed8d4a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc0d9b263316bb636f51b2776ed8d4a3.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2172
  C:\Users\Admin\AppData\Local\Temp\bc0d9b263316bb636f51b2776ed8d4a3.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\bc0d9b263316bb636f51b2776ed8d4a3.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID:2248
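The signature rows above are reported one behaviour at a time; what an analyst actually wants is the chain they form: PID 2172 renames itself, spawns a second copy of the same image (2248), writes into that child four times, both processes unmap their main image, the child executes as the dropped EXE and then deletes itself, and the upx rule fires on the same 0x400000-0x8EF000 region in both processes. The script below is an added example, not the sandbox's own code: it reconstructs the process tree and applies a self-injection heuristic to events transcribed from this report. The tuple layouts, the event names, and the find_self_injection() rule are assumptions of this example.

```python
"""Correlate per-signature sandbox rows into one process-injection chain.

Added example, not the sandbox's own code. PROCESSES, EVENTS and YARA_HITS are
transcribed from the report on this page (PIDs 2172 and 2248); the tuple layouts
and the find_self_injection() heuristic are assumptions of this example.
"""
import re
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\bc0d9b263316bb636f51b2776ed8d4a3.exe"

# pid -> (parent pid, image path); constructed from the Processes tree
PROCESSES = {
    2172: (None, IMAGE),
    2248: (2172, IMAGE),
}

# (pid, signature, target pid or None); constructed from the Signatures rows
EVENTS = [
    (2172, "RenamesItself", None),
    (2172, "LoadsDroppedDLL", None),
    (2172, "UnmapMainImage", None),
    *[(2172, "WriteProcessMemory", 2248)] * 4,  # four writes reported
    (2248, "ExecutesDroppedEXE", None),
    (2248, "UnmapMainImage", None),
    (2248, "DeletesItself", None),
]

# (resource, yara rule); constructed from the yara_rule rows
YARA_HITS = [
    ("behavioral1/memory/2172-0-0x0000000000400000-0x00000000008EF000-memory.dmp", "upx"),
    ("behavioral1/files/0x000c000000012240-13.dat", "upx"),
    ("behavioral1/memory/2248-16-0x0000000000400000-0x00000000008EF000-memory.dmp", "upx"),
    ("behavioral1/files/0x000c000000012240-10.dat", "upx"),
]

# Memory-dump resource names carry the pid and the dumped address range.
DUMP_RE = re.compile(
    r"^behavioral\d+/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def render_tree(processes):
    """Indented process tree: one 'pid image' line per process, children under parents."""
    kids = defaultdict(list)
    for pid, (parent, _img) in processes.items():
        if parent is not None:
            kids[parent].append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {processes[pid][1]}")
        for child in sorted(kids[pid]):
            walk(child, depth + 1)

    for root in sorted(p for p, (parent, _img) in processes.items() if parent is None):
        walk(root, 0)
    return lines


def signatures_by_pid(events):
    sigs = defaultdict(set)
    for pid, name, _target in events:
        sigs[pid].add(name)
    return sigs


def memory_hits_by_pid(hits):
    """{pid: {(rule, start, end)}} for memory-dump resources; file hits are skipped."""
    by_pid = defaultdict(set)
    for resource, rule in hits:
        m = DUMP_RE.match(resource)
        if m:
            by_pid[int(m.group(1))].add((rule, int(m.group(2), 16), int(m.group(3), 16)))
    return by_pid


def find_self_injection(processes, events, hits):
    """Heuristic (an assumption of this example): a parent that writes into a child
    it spawned from the same image path, where the child then unmaps its own main
    image, is reported as a self-injection / hollowing-like chain."""
    sigs = signatures_by_pid(events)
    regions = memory_hits_by_pid(hits)
    findings = []
    for src, name, dst in events:
        if name != "WriteProcessMemory" or dst not in processes:
            continue
        parent, dst_img = processes[dst]
        if parent != src or dst_img.lower() != processes[src][1].lower():
            continue
        if "UnmapMainImage" not in sigs[dst]:
            continue
        if any(f["target"] == dst for f in findings):
            continue  # one finding per target, however many writes were logged
        findings.append({
            "source": src,
            "target": dst,
            "image": dst_img,
            "write_count": sum(1 for e in events if e == (src, "WriteProcessMemory", dst)),
            "target_deletes_itself": "DeletesItself" in sigs[dst],
            # same packer rule over the same address range in parent and child
            "same_packed_region": bool(regions[src] & regions[dst]),
        })
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(PROCESSES)))
    for finding in find_self_injection(PROCESSES, EVENTS, YARA_HITS):
        print(finding)
```

The heuristic is deliberately narrow (same image path, parent-to-child writes, UnmapMainImage on the child) so that ordinary parent/child process creation does not trigger it; removing the UnmapMainImage events from EVENTS yields no finding. Cross-checking the yara memory hits lets the analyst see that the child's dumped region matches the parent's packed image rather than a freshly loaded one.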
Network
MITRE ATT&CK Matrix
Downloads
Filesize
94KB
MD5
6a33bf4334ad13560eb8dd64cd1206cf
SHA1
18c10b82257f401357cce02984dd3008b2e40766
SHA256
c2f5e06651357ec4650db0174f21832354d9e1c8c9c0a688cda69dd5fc2e7638
SHA512
53a3f9d85b9ed6a65e6f64dc1c15f8bc1ae1afe053964c1201bca1ed5f49158f532cca9e233219ff3379c80d3135292c8a69124ed59de4bd64dbb75c230cba03

Filesize
224KB
MD5
7b649e4306f6e09ef85ef828dfaf1396
SHA1
68c341799cacb391163ff19a8d32fa5b587da729
SHA256
22da68af9f5f854a7672bbf6c58cb3c789fdd90b6c65de4351f953459fdb1adb
SHA512
fc1fe43b4ceb87fc92db479c661d89169a3ff82c17642d514d92586cbafd5a4daaaf7b4c0364ca151b9b07a229cb8009a327a73da731a126371a473fd3394a1b