Analysis Overview
SHA256
9672b089216f36b4744f0e31107195350b0a186d6f8b43448d8a1fd6704ed97c
Threat Level: Known bad
The file 95db37424fd3430ffb0c4a60d9a1746f was found to be: Known bad.
Malicious Activity Summary
Gozi family
UPX packed file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-12 01:10
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-12 01:10
Reported
2024-02-12 01:13
Platform
win7-20231215-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3048 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe |
| PID 3048 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe |
| PID 3048 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe |
| PID 3048 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe
"C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe"
C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe
C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 040a4fe66a5fa2c8693c66c11176b325 |
| SHA1 | 686aa868f43022c37758f2944f8d69bfbf7feca5 |
| SHA256 | a8f531c13a301496fcce71a137c16d0f46c0c37d037b7e423f3d730461693727 |
| SHA512 | 3a6bca8cd5daba9dcaef178124ea3c3f2a6f9f6b8727c26ba88d6bf0ad157b4f0f40826e3aea8a7b0b2e5081146d7f80b0bf644819b2688b7320fdc5d3bfb7cf |
C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 0b8a2dc9d6ac2e2de98c1ac5c82dfd91 |
| SHA1 | 2ba6a006e207b02d863f14a0fad572d5678889f8 |
| SHA256 | e2aabb77bbb71fbcae9c4f2faaa50a3122e2d5444383f7233f938e33a2b0ad53 |
| SHA512 | d6f0881a4a3b55c0b73de0d7a93c6e4f017ba25f37c44ae8013d661bd0165c8f2c348fba3966a85c740b78448b35a52b85c692ffc1b393b092b47131ac568e50 |
\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 9a71985052ffcecaf8e24d1a2b3c1643 |
| SHA1 | facba0fb7f35820ee5565cf593eec304fdf76d57 |
| SHA256 | 66dc188c0d782375e865ace1e65420350bcfe63d40fb6a188f770c9129fbfb74 |
| SHA512 | 39beb1afe988b34511285ac771be7435c5d3bedbbea80c8121dc4612e92848d1b3cd35ef9f92b304526089c801c1894b0bd089217812c0c8dab142f93e3ffb98 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-12 01:10
Reported
2024-02-12 01:13
Platform
win10v2004-20231215-en
Max time kernel
93s
Max time network
140s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4024 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe |
| PID 4024 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe |
| PID 4024 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe | C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe
"C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe"
C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe
C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\95db37424fd3430ffb0c4a60d9a1746f.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 51d94b6a220a347d5154dd3ee18819a2 |
| SHA1 | a7ac9a2268ce0850357db2a67e1feb937566f533 |
| SHA256 | 2afdf33da24e21e1012b4c8b512edae5565a37c9e62cfdc5c492a2688bccd6ec |
| SHA512 | 50c8c93b4e92100f01df4c43dcd4aeb31360b4619095ef6170e90286e22de2b73d0a7144993dc6104faaa6d172ff269ede38b79042f9f87157b2aadae8c8b290 |