ed863ad84b6756abb7bbc319f191e415302754222096d4742638a747d32bf6a5

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/Gossiper.exe
Size

5.1MB
MD5

1c89e1b7b17c0ada4b6dfe347493a835
SHA1

1215b533ec5b67d23cd59551da50658b5d5e6288
SHA256

250d3b191f5a723fc9b045fbb9b89c747cade393d85705966f8cec58e6373a00
SHA512

1b9bcd900ed17e3441c9691c85483c5d82809c009da01ba74e8f6f8dd3da3d06fd0949f7d4fc6dcbbc3aeedb10d495e5699faa14b802ae4f5fad2167f35bf77a
SSDEEP

98304:LnREBoBGZxci3pItnmLufTzki76yvdvwwWcUCTivQI7qQ9l7f1FzbQt:LkoBGTNSQOzv5vccHT27TlvG

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3056	GLBB912.tmp

Loads dropped DLL 3 IoCs

pid	Process
900	Gossiper.exe
3056	GLBB912.tmp
3056	GLBB912.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLBB912.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gossiper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLBB912.tmp

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\C:\Users\Admin\AppData\Local\Temp\INSTALL.LOG	GLBB912.tmp
File created	C:\C:\Users\Admin\AppData\Local\Temp\INSTALL.LOG	GLBB912.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 3056	900	Gossiper.exe	30
PID 900 wrote to memory of 3056	900	Gossiper.exe	30
PID 900 wrote to memory of 3056	900	Gossiper.exe	30
PID 900 wrote to memory of 3056	900	Gossiper.exe	30
PID 900 wrote to memory of 3056	900	Gossiper.exe	30
PID 900 wrote to memory of 3056	900	Gossiper.exe	30
PID 900 wrote to memory of 3056	900	Gossiper.exe	30

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Gossiper.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Gossiper.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\GLBB912.tmp
  C:\Users\Admin\AppData\Local\Temp\GLBB912.tmp 4736 C:\Users\Admin\AppData\Local\Temp\$PLUGI~1\Gossiper.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\GLBB912.tmp

Filesize
70KB

MD5
a64e7a7a00ae2ef9c15cb721c60c60c7

SHA1
b738107d696aec72a3fc5a371c23023386c50b7d

SHA256
5630aad833e5ae2eaa4e0e4ea2f829779470e7e22dcca28a6b2e96c352d737b9

SHA512
05d9adfecf9d1ee19faa9fe108c6dc0e237b00f5e4c6e65ee7e9657287271961b018e8ea949c07e3a63ef37d423138ea80f825df5f6e12189157c57c5317dcf3

Download Submit
\Users\Admin\AppData\Local\Temp\GLCB931.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
\Users\Admin\AppData\Local\Temp\GLKB942.tmp

Filesize
33KB

MD5
517419cae37f6c78c80f9b7d0fbb8661

SHA1
a9e419f3d9ef589522556e0920c84fe37a548873

SHA256
bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

SHA512
5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

Download Submit