Analysis
- max time kernel: 120s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/01/2025, 03:05
Static task: static1
Behavioral task: behavioral1
- Sample: Gopidirit.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Gopidirit.exe
- Resource: win10v2004-20241007-en
General
- Target: Gopidirit.exe
- Size: 7.5MB
- MD5: dd749d83056ecb224b888d51a6748244
- SHA1: be2a4958e9fd52a0ca31a9b496e2d55900a79a10
- SHA256: 553f70ff7e6aa1e1d9cc0452799b932dca7240fd3bfbd872fdeffdfd17c51704
- SHA512: 16b89c511a49047a98f1b6894a8afc22d90092c86af60eaffb535bb98bdb7989d695057f2d09994d16f98a6077a9178dd76ed4d01982e1063196c78726c6091c
- SSDEEP: 196608:0jwJiv+RneA0pkTheTFPYbhqyH40AW8WOOxSebUKGSwd:0nGOeh4wbhqyH4bWrOMXmSwd
Malware Config
Signatures
- Loads dropped DLL (1 IoC)
  pid 2348, Process Gopidirit.exe
- Obfuscated with Agile.Net obfuscator (16 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Suspicious use of NtSetInformationThreadHideFromDebugger (14 IoCs)
  pid 2348, Process Gopidirit.exe (the same entry repeated 14 times)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2348, Process Gopidirit.exe (the same entry repeated 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description Token: SeDebugPrivilege, pid 2348, Process Gopidirit.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2348, Process Gopidirit.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Gopidirit.exe"
  PID: 2348
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1KB
  MD5: 05536a8959254cbc8c9c9bad8abbc89a
  SHA1: 5ac3ba35d844f88b44765c0a45d4440b9722c083
  SHA256: 1f278b45aa5291a6c162f9088cf737a77ad4266b21f15aa7d96b8187965bbab8
  SHA512: 5e9a7a4c77264bba48a978211494550cee7afc9624099eb0b899cd8e6a79c4ce8b8efaf598716038ba3b838f52427293dc19d90744b748974b494297aa9d2d73
- Filesize: 1KB
  MD5: 04fb2d6d6813ffe1f14cb875f75bee89
  SHA1: b77c9bdac152ff0e36b4f9b2cf1bfcbc8c669f6d
  SHA256: f36b32e7d3993a50e78f63d29c14e82782f0b2e460408a2bd1d294f57b658b89
  SHA512: 6632f25e32d85d4e036655b00d164c6ee586e0bd6c428b1a328914bdec74bfbc00b1a43875defc9da4031cd959490c968095de77a309a767b97a2ef43609d2df