Analysis Overview
SHA256
fd58415e0d71d7cb35d07cd6739d51f6cb486c11c37067dd2fe549fb2e9f0df8
Threat Level: Known bad
The file 89c497d0127c669b86a52a5c6833b25c was found to be: Known bad.
Malicious Activity Summary
Gozi family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Deletes itself
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-02 14:37
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-02 14:37
Reported
2024-02-02 14:40
Platform
win7-20231215-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2052 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe |
| PID 2052 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe |
| PID 2052 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe |
| PID 2052 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
"C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe"
C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/2052-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/2052-2-0x0000000001B10000-0x0000000001C41000-memory.dmp
memory/2052-1-0x0000000000400000-0x0000000000622000-memory.dmp
\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
| Hash | Value |
| --- | --- |
| MD5 | 488b8766a85a22fa7d68db17463eec51 |
| SHA1 | 40674b9856c6dcf29f1a0b95818e018d816e8b50 |
| SHA256 | d74b6c1fc8b1f44f4afca9fcbe99f9999b993a610c036b1c8b0cdb67ced095c2 |
| SHA512 | ec3e28373b3018e32c3e520f2e9c4d6ef0ac9dbbace78e342d9d5ef397a66b008dbb84f57d8c9a9cfc9a9365fd383c1579d322be70c88258dfcd93b64d8ebd95 |
memory/2052-15-0x0000000003CA0000-0x0000000004187000-memory.dmp
memory/2052-14-0x0000000000400000-0x0000000000622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
| Hash | Value |
| --- | --- |
| MD5 | 13ad5adb50368aecd8e55978cb47f22c |
| SHA1 | 8f2cf631131af42e9e7f40d7ffc62cf823e9a73f |
| SHA256 | bc18ad6ce3a0219271feece996be0d9c01e6bc732299fc90dc23614720b61431 |
| SHA512 | 5aaaf1e6f831b585b6624aaff8d77b431f57016c71947c900d000508d04ad64bc5ccebad376ac8da0aea5d699ed517fdeb451e6dee6ccde03614e4cdd6ae050f |
memory/1672-17-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/1672-18-0x0000000001B10000-0x0000000001C41000-memory.dmp
memory/1672-16-0x0000000000400000-0x0000000000622000-memory.dmp
memory/1672-24-0x00000000033F0000-0x0000000003612000-memory.dmp
memory/1672-23-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2052-31-0x0000000003CA0000-0x0000000004187000-memory.dmp
memory/1672-32-0x0000000000400000-0x00000000008E7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-02 14:37
Reported
2024-02-02 14:40
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
120s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2408 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe |
| PID 2408 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe |
| PID 2408 wrote to memory of 3916 | N/A | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe | C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
"C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe"
C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/2408-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/2408-2-0x0000000000400000-0x0000000000622000-memory.dmp
memory/2408-1-0x00000000018F0000-0x0000000001A21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\89c497d0127c669b86a52a5c6833b25c.exe
| Hash | Value |
| --- | --- |
| MD5 | 5aab74c4cda7d2b7b7d00400c443f928 |
| SHA1 | 684b2b06c2a48a8e5a90071141905ec31ddee20d |
| SHA256 | 536c70f460f2fb58e6be5824a1d367556ff417caf14235675b3686d50d670d11 |
| SHA512 | eef5b6843f4f147e1ecceb3b38fdea552d47277727e54f5a4749962acc0f9178d80850b278a9d9a37e74698705390b2d873f3c96c1a19f3f004c278783ec3fe5 |
memory/2408-12-0x0000000000400000-0x0000000000622000-memory.dmp
memory/3916-15-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/3916-14-0x0000000000400000-0x0000000000622000-memory.dmp
memory/3916-13-0x0000000001D30000-0x0000000001E61000-memory.dmp
memory/3916-20-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3916-22-0x0000000005620000-0x0000000005842000-memory.dmp
memory/3916-28-0x0000000000400000-0x00000000008E7000-memory.dmp