Analysis Overview
SHA256
d5ca776c15dfec6e77bea6489f12c012f2d40a56dfa5e1f1ab3c9bc7515dec8e
Threat Level: Known bad
The file 94b7c515d1c9edc9bfe0c0980021cc17 was found to be: Known bad.
Malicious Activity Summary
Gozi
UPX packed file
Executes dropped EXE
Deletes itself
Loads dropped DLL
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-06 14:17
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 14:17
Reported
2024-02-06 14:26
Platform
win7-20231215-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1020 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe |
| PID 1020 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe |
| PID 1020 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe |
| PID 1020 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe
"C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe"
C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe
C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/1020-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1020-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1020-4-0x0000000000130000-0x0000000000263000-memory.dmp
\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe
| MD5 | cab622fe429215368531767027017b13 |
| SHA1 | dff02424c539a18a9318bd59ceac78b68171258b |
| SHA256 | cab899f2320132ca5b685b0e8a485848c36d0aa1e0507bfde283d74be10668f2 |
| SHA512 | d305f6336025c51598277c6298e4d7ea1834ab0f03eab1fd2745cbbe4ca677ab6bdb81d70546aae6b53fd7db6b495fa42ba5a45ee223651fb9a6ca88342975ce |
memory/1020-14-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe
| MD5 | 02db906e915a9121f33eea49e10aec5f |
| SHA1 | 6cd7d9bfe4ca0f2edbea994e950b88d788316993 |
| SHA256 | b662e8b5890c7ccf5a899bb1fa17a717f722b58d3df14ccdd8ea147f5dbb47a6 |
| SHA512 | 5466a5a417bd9b054e5029eb037a7b1a42cf1ba77bf29eda38c8487c33f70ee0f07c01c7278220550d241ed84b85421fc54c5ba5f5e1703c86903c34e9a9b416 |
memory/1020-15-0x0000000003530000-0x0000000003A1F000-memory.dmp
memory/2784-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2784-18-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2784-20-0x0000000000130000-0x0000000000263000-memory.dmp
memory/2784-24-0x0000000003410000-0x000000000363A000-memory.dmp
memory/2784-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/1020-31-0x0000000003530000-0x0000000003A1F000-memory.dmp
memory/2784-32-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-06 14:17
Reported
2024-02-06 14:27
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
158s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5092 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe |
| PID 5092 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe |
| PID 5092 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe | C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe
"C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe"
C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe
C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
Files
memory/5092-1-0x0000000001C30000-0x0000000001D63000-memory.dmp
memory/5092-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/5092-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\94b7c515d1c9edc9bfe0c0980021cc17.exe
| MD5 | 9a4eca23f4046b7906608cc2d48a9d48 |
| SHA1 | 3e7cdf59d9e66ab884a137999f14cdfa7ee657c3 |
| SHA256 | b1a47750c0f04e225589b58ef8b7a24a998f8d34cf7047e962b33274ea7bce24 |
| SHA512 | 8fb76eb09d508f563064781c8b8722b0a5a3d4dfcf43020301c82b2c9812658c8f09715d1cc135ea6f4e16ff5dc9a2fba7453ab8c24c9ec3fdd9009332cd1d48 |
memory/5092-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3324-16-0x0000000001DD0000-0x0000000001F03000-memory.dmp
memory/3324-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3324-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3324-22-0x00000000056D0000-0x00000000058FA000-memory.dmp
memory/3324-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3324-28-0x0000000000400000-0x00000000008EF000-memory.dmp