Analysis Overview
SHA256
026e7311280d3c6a06a979ae465de42a8b7cd99e0b0ac7d6e11eb071b441b56b
Threat Level: Known bad
The file 94463c7bd67b1478fd80bc2b5e7ae2ae was found to be: Known bad.
Malicious Activity Summary
Gozi family
UPX packed file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-06 08:37
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 08:37
Reported
2024-02-06 08:40
Platform
win7-20231215-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3032 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe |
| PID 3032 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe |
| PID 3032 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe |
| PID 3032 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
"C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe"
C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/3032-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/3032-1-0x0000000000280000-0x00000000003B1000-memory.dmp
memory/3032-2-0x0000000000400000-0x0000000000622000-memory.dmp
\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
| MD5 | f5203311d848310bc6303ed1fec84a11 |
| SHA1 | 2c85bda0054ad5eae489a58cea7ad52184904bbf |
| SHA256 | 38c4befff0c635709f2c7a8a2978a060a2ebea91f71d92887775d487a4d250af |
| SHA512 | 6d8c621d2df49a568ea598305dc043f3bb2b6de3cb29d8553e77c5d66cf2b07ad78b74ba8b42e0429926cac296958c0e27d690fccb5d2bb19a5bbaf71adf8eea |
C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
| MD5 | 520d9f14863254b2a361107670850b89 |
| SHA1 | c6f8f7b72c1aaa230a5e8b4616e9f0139e9607e7 |
| SHA256 | 14f733791555d87b8f06680beb690483352427a7e1642548253b48258ba75a72 |
| SHA512 | 6e0661d4c29f755827b9bd7cb254d347effbf634e1efb8d436e186c280c5806daa5b2d42c94081d230bd29f75aefd4e4cfd423af64f2f5e8e274960f3ce35492 |
memory/3032-18-0x0000000000400000-0x0000000000622000-memory.dmp
memory/2840-17-0x0000000001B10000-0x0000000001C41000-memory.dmp
memory/2840-21-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/2840-16-0x0000000000400000-0x0000000000622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
| MD5 | bdb6677e10bd571204fef064c552c1da |
| SHA1 | 997c2ad89279da8b1ba6fd605937a386a56d0f7f |
| SHA256 | a83c39994bf65b3ec2465998a52a321ca2c9703387f6453b1a62a032896e0d8f |
| SHA512 | 604f3f232c6726264e96b6577db9cdf69ba69ee284dd6e09f831ec656cae141f632ad1f68c867fa7751d67d068e5abdbd38819bc11e17341c2ce488e3f9a5303 |
memory/3032-14-0x0000000003860000-0x0000000003D47000-memory.dmp
memory/2840-25-0x00000000033F0000-0x0000000003612000-memory.dmp
memory/2840-24-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2840-32-0x0000000000400000-0x00000000008E7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-06 08:37
Reported
2024-02-06 08:40
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
125s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 544 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe |
| PID 544 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe |
| PID 544 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe | C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe |
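Both runs show the same sequence: the sample starts a second copy of itself (PID 3032 to 2840 on Win7, 544 to 220 on Win10), the parent unmaps the child's main image and then writes into the child several times. That is the classic process-hollowing shape, and the detection below is an added example (not the sandbox's own signature logic) that scores parent-to-child memory writes on three features from these reports: the write targets the writer's own child, the child image path equals the parent's, and an unmap of the child's image precedes the first write. The event schema, field names and the mapping of the "UnmapMainImage" signature to NtUnmapViewOfSection are assumptions; the events are constructed from the report's signatures, not captured telemetry.

```python
"""Score cross-process memory writes for the self-injection pattern seen in
behavioral1/behavioral2. Event dicts are a constructed, Sysmon-like schema
(an assumption for this example), not the sandbox's output format."""
from collections import defaultdict

SELF = r"C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe"

# Constructed events modelled on behavioral1 (PIDs 3032 -> 2840). The "api"
# names are the NT/Win32 calls the sandbox signatures are assumed to reflect.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3032, "ppid": 1000, "image": SELF,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 2840, "ppid": 3032, "image": SELF,
     "parent_image": SELF},
    {"type": "api", "pid": 3032, "api": "NtUnmapViewOfSection", "target_pid": 2840},
    {"type": "api", "pid": 3032, "api": "WriteProcessMemory", "target_pid": 2840},
    {"type": "api", "pid": 3032, "api": "WriteProcessMemory", "target_pid": 2840},
    {"type": "api", "pid": 3032, "api": "WriteProcessMemory", "target_pid": 2840},
    {"type": "api", "pid": 3032, "api": "WriteProcessMemory", "target_pid": 2840},
    # Control pair: cmd.exe spawning ping.exe, one write, no unmap, different
    # image. This should score low and not alert.
    {"type": "process_create", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\PING.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "api", "pid": 400, "api": "WriteProcessMemory", "target_pid": 500},
]


def score_pairs(events):
    """One record per (writer -> target) pair that has at least one
    WriteProcessMemory. Score: +1 target is the writer's child, +1 child image
    equals parent image, +1 NtUnmapViewOfSection on the child precedes the
    first write."""
    created = {e["pid"]: e for e in events if e["type"] == "process_create"}
    calls = defaultdict(list)          # (writer, target) -> ordered api names
    for e in events:
        if e["type"] == "api":
            calls[(e["pid"], e["target_pid"])].append(e["api"])

    records = []
    for (writer, target), seq in calls.items():
        if "WriteProcessMemory" not in seq:
            continue
        child = created.get(target)
        is_child = child is not None and child["ppid"] == writer
        same_image = is_child and child["image"].lower() == child["parent_image"].lower()
        unmapped_first = ("NtUnmapViewOfSection" in seq and
                          seq.index("NtUnmapViewOfSection") < seq.index("WriteProcessMemory"))
        records.append({
            "writer": writer, "target": target,
            "is_child": is_child, "same_image": same_image,
            "unmapped_first": unmapped_first,
            "writes": seq.count("WriteProcessMemory"),
            "score": int(is_child) + int(same_image) + int(unmapped_first),
        })
    return records


def hollowing_alerts(events, threshold=2):
    """Pairs scoring at or above the threshold; 2 keeps plain parent->child
    writes (debuggers, some installers) out while catching self-copy + unmap."""
    return [r for r in score_pairs(events) if r["score"] >= threshold]


if __name__ == "__main__":
    for hit in hollowing_alerts(SAMPLE_EVENTS):
        print(f"hollowing: {hit['writer']} -> {hit['target']} "
              f"score={hit['score']} writes={hit['writes']}")
```

The same rule fires on behavioral2 by substituting PIDs 544 and 220. On a real host the equivalent telemetry is Sysmon event 1 (parent and child image) plus event 10 with PROCESS_VM_WRITE in GrantedAccess; the unmap step is only visible with an API-level sensor, so treat the third feature as optional and alert on the first two alone when the child image equals the parent image.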
Processes
C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
"C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe"
C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
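The network tables of both runs mix three kinds of rows that should not all become indicators: lookups sent to the sandbox resolver (8.8.8.8:53, where the queried name is the indicator and the resolver is not), reverse in-addr.arpa lookups that are environment noise, and TCP connections with or without a resolved name. Note also that zipansion.com and yxeepsek.net resolved to different 104.21.x/172.67.x addresses in the two runs, so the IPs are unstable and the domains are the durable indicators, while the 52.142.223.178:80 row has no domain attached and needs manual attribution before use. The parser below is an added example, not part of the report; the rows are copied from the two Network tables above (a subset, including the mis-shifted NL row as it appears in the report), and the resolver set is an assumption.

```python
"""Parse the report's pipe-delimited Network rows into connection records and
sort them into indicators versus sandbox noise. Rows are copied from the
report; RESOLVERS is an assumption for this example."""
from dataclasses import dataclass

# Subset of rows copied from behavioral1 and behavioral2, including the
# shifted "| NL | ... | tcp | |" row exactly as it appears in the report.
ROWS = """| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
"""

RESOLVERS = {"8.8.8.8"}   # assumed sandbox DNS resolver; not an IOC


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text):
    """Turn '| country | ip:port | domain | proto |' lines into Conn records.
    Handles the shifted row where the protocol landed in the Domain column."""
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or ":" not in cells[1]:
            continue                               # header or malformed row
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and not proto:  # repair shifted columns
            domain, proto = "", domain
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def triage(conns):
    """Split connections into usable indicators and noise."""
    out = {"dns_lookups": set(), "ptr_noise": set(),
           "domains": {}, "unattributed": set()}
    for c in conns:
        if c.port == 53 and c.ip in RESOLVERS:
            if c.domain.endswith(".in-addr.arpa"):
                out["ptr_noise"].add(c.domain)     # sandbox reverse lookups
            else:
                out["dns_lookups"].add(c.domain)   # name is the indicator
        elif c.domain:
            out["domains"].setdefault(c.domain, set()).add(c.ip)
        else:
            out["unattributed"].add(f"{c.ip}:{c.port}")  # needs review
    return out


if __name__ == "__main__":
    result = triage(parse_rows(ROWS))
    for domain, ips in sorted(result["domains"].items()):
        print(f"{domain}: {', '.join(sorted(ips))}")
    print("review manually:", sorted(result["unattributed"]))
```

Feed the indicator output into blocklists by domain, not by address: the per-run address churn visible in the report is what a CDN-fronted C2 looks like, and blocking 104.21.73.114 would break on the next resolution while also risking collateral damage to unrelated sites behind the same edge.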
Files
memory/544-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/544-2-0x0000000000400000-0x0000000000622000-memory.dmp
memory/544-1-0x00000000018F0000-0x0000000001A21000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94463c7bd67b1478fd80bc2b5e7ae2ae.exe
| MD5 | 1e3141f061ddf31fe9f8ecbeeb0abc6d |
| SHA1 | 9eef4bdedf7ca229a9675066cb80efbc1020d1de |
| SHA256 | 17f93d492bad1af02aaa62069283828cb1f80ee113091e60443af50c68af43dc |
| SHA512 | 16c58ef15381434b485772bc214a28700d78eb6f60809d9514bb2140c731f12e70406836d443fcc437c906d9632ba017b3057766aba8057e17d5fd9ed0bbd74b |
memory/544-12-0x0000000000400000-0x0000000000622000-memory.dmp
memory/220-13-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/220-16-0x00000000018F0000-0x0000000001A21000-memory.dmp
memory/220-21-0x0000000000400000-0x0000000000616000-memory.dmp
memory/220-20-0x0000000005550000-0x0000000005772000-memory.dmp
memory/220-28-0x0000000000400000-0x00000000008E7000-memory.dmp