Analysis
- max time kernel: 118s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 09-03-2024 17:13
Behavioral task behavioral1
- Sample: bc5bf8f1b628a7a66b77b585b176457f.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: bc5bf8f1b628a7a66b77b585b176457f.exe
- Resource: win10v2004-20240226-en
General
- Target: bc5bf8f1b628a7a66b77b585b176457f.exe
- Size: 2.7MB
- MD5: bc5bf8f1b628a7a66b77b585b176457f
- SHA1: 22a95c03404a21412039bf5e85a82f9aec362719
- SHA256: 733ef03c87ac6d0ea07b0f3fa208cb17878dafdac14ef9c69595121579ca5d80
- SHA512: 256e58715ef684b76f7cac6edd9c56e061bf3ffe0e1b723d23db3fab8fb162369b16bb4b965f4fd1612bb96d6cef5539a478346838db5318449fcbb790901303
- SSDEEP: 49152:SynDWiL2LIMFyHjE4OtBr4t5sR9b3Wtdaf/wEwJDMya/QP8llF7g4R9j:Jnx28Mntut5sHAaffwJDMya/QPug4Hj
Malware Config
- Extracted: gozi
Signatures
- Deletes itself (1 IoC)
  PID 2632, process bc5bf8f1b628a7a66b77b585b176457f.exe
- Executes dropped EXE (1 IoC)
  PID 2632, process bc5bf8f1b628a7a66b77b585b176457f.exe
- Loads dropped DLL (1 IoC)
  PID 640, process bc5bf8f1b628a7a66b77b585b176457f.exe
- yara_rule upx, matching resources:
  behavioral1/memory/640-0-0x0000000000400000-0x00000000008E7000-memory.dmp
  behavioral1/files/0x000c00000001224c-10.dat
  behavioral1/files/0x000c00000001224c-14.dat
  behavioral1/memory/2632-16-0x0000000000400000-0x00000000008E7000-memory.dmp
- Suspicious behavior: RenamesItself (1 IoC)
  PID 640, process bc5bf8f1b628a7a66b77b585b176457f.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 640, process bc5bf8f1b628a7a66b77b585b176457f.exe
  PID 2632, process bc5bf8f1b628a7a66b77b585b176457f.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 640 wrote to memory of 2632 | 640 | bc5bf8f1b628a7a66b77b585b176457f.exe | 28
  PID 640 wrote to memory of 2632 | 640 | bc5bf8f1b628a7a66b77b585b176457f.exe | 28
  PID 640 wrote to memory of 2632 | 640 | bc5bf8f1b628a7a66b77b585b176457f.exe | 28
  PID 640 wrote to memory of 2632 | 640 | bc5bf8f1b628a7a66b77b585b176457f.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe"
   PID: 640
   - Loads dropped DLL
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe (child of PID 640)
      Command line: C:\Users\Admin\AppData\Local\Temp\bc5bf8f1b628a7a66b77b585b176457f.exe
      PID: 2632
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 2.7MB
  MD5: 8f88a183d3da07eccb17e5310b517bef
  SHA1: 7f86f88ce429d79d834506f2db23d767b3a58edf
  SHA256: db0ba7b0ae2ce6feb0d81864df7aabbd5c6fd701481bd9c1baea0161cba305c3
  SHA512: e44e0d52bf9aade198cc5af1e43933bf1c59555b6e5500ffc57fd9f0b4444e9674889fe53fc2cae56b3232c8a76c5b07ac4643bf025bdf70cb883b856e2c7c84
- Filesize: 115KB
  MD5: 1299692d9d4c417ae6ad71a4e49f7ca4
  SHA1: 529337caeff26169fbfeaa545cb360de04dcd2aa
  SHA256: 5efe1b815915d2101c87ee0313be87d1002dffd18bdf1e66a2277a5def908166
  SHA512: 661da6313b566f3e9f1b90cddc4382bec06a3c9de5eb7104c765b51dd6f70fd3b8c9fb85c576e530bee56e546528de2ed6dfa8b4b8f806b457f54f18d3a2a93e