Analysis Overview
SHA256
b02fe033d0cbfe6b377932ed3b5169213ad2a967cf2d6161e24f74584980554d
Threat Level: Known bad
The file 8c97c2d1349936dcba035061d4085478 was found to be: Known bad.
Malicious Activity Summary
Gozi
UPX packed file
Executes dropped EXE
Deletes itself
Loads dropped DLL
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-03 14:43
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-03 14:43
Reported
2024-02-03 14:46
Platform
win7-20231215-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2520 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe |
| PID 2520 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe |
| PID 2520 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe |
| PID 2520 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
"C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe"
C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2520-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2520-2-0x00000000002B0000-0x00000000003E3000-memory.dmp
memory/2520-1-0x0000000000400000-0x000000000062A000-memory.dmp
\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
| Hash | Value |
| --- | --- |
| MD5 | 859a12391087485810660eb8da8f67ef |
| SHA1 | 0b59a30e7b23cad8366ffe63249d1b0586529b6b |
| SHA256 | 8461146d63afb397b49fe1344edd315c284cf94b0d5c865009460386ed1fa7aa |
| SHA512 | 7bb5ef8de1b28a57c35daf72e10c4a6a961391afea7ef1935e45b5077cb6e780a5d604d8e7e0c4bc972192f9fc63b4383fba076fcaffa7ba685f2188e7f1c196 |
C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
| Hash | Value |
| --- | --- |
| MD5 | 9170672061bfc88e6da343b99e9f5275 |
| SHA1 | 303834c61334ca8a540999ffbc16f72beeb27bdb |
| SHA256 | e30dd25b5e7682d3837c4db7447a50e2b46cd8a72f9326f338463b9ae9a1bf12 |
| SHA512 | f8c391cbf93ca7bfd338cbd88066b408b5ad13b034c13be8084a1c1546295bb8429faa19d79a2b68c2317ab65369be39a64c86b4392870428350e20e62baeffa |
memory/2876-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2520-16-0x00000000036B0000-0x0000000003B9F000-memory.dmp
memory/2520-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2876-19-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2876-21-0x0000000000130000-0x0000000000263000-memory.dmp
memory/2876-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2876-25-0x00000000035B0000-0x00000000037DA000-memory.dmp
memory/2876-31-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-03 14:43
Reported
2024-02-03 14:46
Platform
win10v2004-20231215-en
Max time kernel
138s
Max time network
157s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 560 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe |
| PID 560 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe |
| PID 560 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe | C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
"C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe"
C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
memory/560-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/560-1-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/560-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8c97c2d1349936dcba035061d4085478.exe
| Hash | Value |
| --- | --- |
| MD5 | 734b92e2a7942f48a1722e54ef257a71 |
| SHA1 | e5d91a36ba33e8e878bc8a30f38f785f7571681b |
| SHA256 | 24bb240ac37ebbf44684df6ecdd126a8336396382949366db812dcd98cf58849 |
| SHA512 | b2df55e405a52cd86671300b408353cc9d8c8ca8824cd3dd46efc0b7f1e7a6cd6629bf36b8ccf46981e1ef391cac5bf64bd339275776b4d8a3594cf7076cd474 |
memory/560-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2436-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2436-14-0x0000000001D30000-0x0000000001E63000-memory.dmp
memory/2436-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2436-20-0x0000000005630000-0x000000000585A000-memory.dmp
memory/2436-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2436-28-0x0000000000400000-0x00000000008EF000-memory.dmp