Analysis Overview
SHA256
90d4c0161bf9476c744e48643f782306e38e832a0dec793e60be2f5442a9763d
Threat Level: Known bad
The file 95be18d77580bcc6a619e07fdbaa612e was found to be: Known bad.
Malicious Activity Summary
Gozi
Deletes itself
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-12 00:14
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-12 00:14
Reported
2024-02-12 00:17
Platform
win10v2004-20231215-en
Max time kernel
140s
Max time network
156s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1284 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe |
| PID 1284 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe |
| PID 1284 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe
"C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe"
C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe
C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
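Two parts of this run are what a responder actually acts on: the WriteProcessMemory rows, where PID 1284 writes into PID 4284 and both processes run the same image (together with the UnmapMainImage hits, that is the shape of process hollowing / RunPE: spawn a copy of yourself, unmap its main image, write a new one in), and the network table, which mixes real contacts with sandbox noise (the 8.8.8.8 resolver and the reverse lookups it generates). The Python below is an added example, not part of this report or of any sandbox's own code. It parses pipe-table rows in the shape shown on this page (the rows embedded in the block are constructed copies of the behavioral2 tables, including the one row whose Domain cell was shifted), collapses the repeated memory-write rows into unique writer/target pairs and flags same-image pairs as a hollowing candidate, and keeps only the domains and endpoints worth blocking. Treating 8.8.8.8 as the sandbox's DNS forwarder is an assumption; the same-image flag is a heuristic over the report's rows, not proof of the technique.

```python
"""Pull the actionable findings out of a sandbox report's markdown tables.

Added example; not the report's own tooling. The rows below are constructed
copies in the shape of the "Suspicious use of WriteProcessMemory" and
"Network" tables of the behavioral2 run on this page.
"""
import re
from collections import OrderedDict

SIGNATURE_ROWS = r"""
| Description | Indicator | Process | Target |
| PID 1284 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe |
| PID 1284 wrote to memory of 4284 | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe |
"""

NETWORK_ROWS = r"""
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
SANDBOX_RESOLVERS = {"8.8.8.8"}  # assumption: the sandbox's DNS forwarder, not C2


def parse_rows(table):
    """Return the data rows of a pipe table as lists of stripped cells (header dropped)."""
    rows = []
    for line in table.strip().splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        rows.append([c.strip() for c in line.strip("|").split("|")])
    return rows[1:]  # first row is the column header


def memory_writes(sig_rows):
    """Collapse repeated WriteProcessMemory rows into unique (writer, target) PID pairs.

    same_image=True means a process wrote into a child running its own binary,
    the pattern left by RunPE-style hollowing. Heuristic, not proof.
    """
    pairs = OrderedDict()
    for desc, _indicator, process, target in sig_rows:
        m = WRITE_RE.search(desc)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        pairs[(src, dst)] = {
            "writer": process,
            "target": target,
            "same_image": process.lower() == target.lower(),
        }
    return pairs


def network_iocs(net_rows, resolvers=SANDBOX_RESOLVERS):
    """Separate real contacts from sandbox noise.

    Drops the resolver's own rows and *.in-addr.arpa reverse lookups, keeps the
    names that were resolved and the TCP/UDP endpoints actually contacted, and
    repairs a row whose Domain cell holds the protocol (cells shifted left).
    """
    domains, endpoints = [], []
    for _country, destination, domain, proto in net_rows:
        if domain in ("tcp", "udp") and proto == "":
            domain, proto = "", domain  # shifted row: no domain, proto moved left
        host = destination.rsplit(":", 1)[0]
        if domain.endswith(".in-addr.arpa"):
            continue  # reverse lookup the sandbox did on an IP it saw
        if host in resolvers:
            if domain and domain not in domains:
                domains.append(domain)  # the name that was queried
            continue
        if destination not in endpoints:
            endpoints.append(destination)
        if domain and domain not in domains:
            domains.append(domain)
    return {"domains": domains, "endpoints": endpoints}


def triage(sig_table=SIGNATURE_ROWS, net_table=NETWORK_ROWS):
    """One pass over both tables: hollowing candidates plus blockable IOCs."""
    writes = memory_writes(parse_rows(sig_table))
    return {
        "self_injection_pairs": [k for k, v in writes.items() if v["same_image"]],
        "iocs": network_iocs(parse_rows(net_table)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Run it on the rows of the behavioral1 run (PIDs 2372 and 2704) and the same pair-collapsing gives one same-image pair there too, which is the cross-platform consistency you want before calling the behaviour hollowing rather than a one-off.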
Files
memory/1284-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1284-1-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/1284-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe
| MD5 | 2e8e5cacd8efc76dcae5eb57325c58d9 |
| SHA1 | 9d27c28d1feb4d045e233dcf958663fa2c5327bc |
| SHA256 | 3a33c312a1b7a4d3d6fcb37d2cc7e8ba6e85abbd0b668e39f526ec4550819717 |
| SHA512 | 0d12b5676b663a9fdfc5c228729c3e458d26a95dc065dda02d9c3ccced8d992339408c4ddb846e89caeef01b98c53f77f79474c1e8bccf078c6cb6fbe769af96 |
memory/1284-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/4284-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4284-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/4284-15-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/4284-20-0x0000000005560000-0x000000000578A000-memory.dmp
memory/4284-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/4284-28-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-12 00:14
Reported
2024-02-12 00:16
Platform
win7-20231215-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2372 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe |
| PID 2372 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe |
| PID 2372 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe |
| PID 2372 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe | C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe
"C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe"
C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe
C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/2372-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2372-2-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2372-1-0x0000000000400000-0x000000000062A000-memory.dmp
\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe
| MD5 | 669a3a1bf559a6e2e3c82d1e61372c66 |
| SHA1 | 6009c25ff67eb8ae2d52413f0f9599d98cbe6d5f |
| SHA256 | e3c82738b54e94688564465b1cd2966e23c2eb6af67bf47159a00e49dd835485 |
| SHA512 | e34c5d48a696381d18b2d4182b0085fb859fadb448844938f1544dd385f53e82b401d00888c62210acb53838bfab14ba6f76432643f98576a46cb15842378fa3 |
C:\Users\Admin\AppData\Local\Temp\95be18d77580bcc6a619e07fdbaa612e.exe
| MD5 | bf7bac9605b05c6bd836392e39958d30 |
| SHA1 | 64c810e0ff4ab6bf1eb2e6a55c9d6b811905e110 |
| SHA256 | ebdd5893e61c231efa3a3bc2ee630d3c485dbab7377df2f9fc11ff7236fa394e |
| SHA512 | 60e0fcd5e97c08c6e1fb82407c4028de584ea9eb4d0b1ce938616c2cc14e48ddff53d1a1635ca0444a8399e7438ef038d286931a78f0e36551766cac303e6008 |
memory/2372-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2704-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2704-18-0x0000000000230000-0x0000000000363000-memory.dmp
memory/2704-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2704-22-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2704-23-0x00000000034C0000-0x00000000036EA000-memory.dmp
memory/2704-30-0x0000000000400000-0x00000000008EF000-memory.dmp