Analysis Overview
SHA256
6a4b9be261ece2991aab2c3513e9f80b5877baf30e4ff3f0c7fc871fc87bc61f
Threat Level: Known bad
The file 8ce04c1b7657b765eb9bd1fa9a7a8372 was found to be: Known bad.
Malicious Activity Summary
Gozi
Executes dropped EXE
Deletes itself
Loads dropped DLL
UPX packed file
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-02-03 17:08
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-03 17:08
Reported
2024-02-03 17:11
Platform
win7-20231129-en
Max time kernel
118s
Max time network
121s
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
"C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe"
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
| Hash | Value |
| MD5 | 56c7a81c9f8ce2ec4ba125125c6cec0f |
| SHA1 | f52fd4854e91d1d99551e040a1fb662750fca58b |
| SHA256 | c436350e4a9fa32fc9a712ad151ebdd965d7582ed77d9affdde7adfeace5b4be |
| SHA512 | e47bf1acb952e6ece52d6d8bc1f4bd39ff9cdf5fb9d4ec9ffdd984180c9ce1f6b42a63341017a55320cada1b4d4239d903693eb4567a535571a928c9cdea0281 |
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
| Hash | Value |
| MD5 | a322d39d10430f877741a6667ee5a63d |
| SHA1 | 999ba09295b3922ab81e12f8bc51e334a574bba1 |
| SHA256 | c3ee8e04aebafe60f6b2e0722fb29bda09db62109c1548655198641f04b141e2 |
| SHA512 | bf24fe9da8d58b5dcaed292569e091347a213861d38e4b72c32027a60456b9ee21869103ea23c13bf6e9e1d66661a4824e9f5ec9a0df0b3fd1f7f7851d6fab7a |
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
| Hash | Value |
| MD5 | ef6bc13be4e564614bdc9d6c48f2cf9e |
| SHA1 | 1ca4802d38ff94a25c3e34096b7fdd817fdcec98 |
| SHA256 | d468c37fbb578abd65b10147ac795049deccceb6c90d699a1a70b4be6dd0bfeb |
| SHA512 | 3f2d8524ac7999098e52656664022d8c419d5e6f9787564506d5de8a4efde47c49d3f96e44f619bbd3d4fff847d1c5220bd57e7bee64686ffc812aa82ab1a33d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-03 17:08
Reported
2024-02-03 17:11
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
121s
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2200 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe | C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
"C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe"
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\8ce04c1b7657b765eb9bd1fa9a7a8372.exe
| Hash | Value |
| MD5 | a349f110bc4c321582e863f3f808ec8e |
| SHA1 | c0603a3c7672a1b81d252064ed669ff689bfbd09 |
| SHA256 | b06f479d36b8ab8d82742001b1eabeccd67dee472b48bcfbadc1d0dcd0db7b34 |
| SHA512 | 05eec7329d769aa8c265634c7b278416bebf98f8bdf21c4da6a66737059a459f97cfaafa0a9b71cda42826522d54038d00d13b19dc74439c1f5b61aedee9d110 |