Analysis Overview
SHA256
eccded5bae97d375cb00523238d3d688df33fe1fccdcd9e1af0973f2fdd3f6fa
Threat Level: Known bad
The file 960fa5935476e6fce5542912c57e4301 was found to be: Known bad.
Malicious Activity Summary
Gozi
UPX packed file
Loads dropped DLL
Deletes itself
Executes dropped EXE
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-12 02:56
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-12 02:56
Reported
2024-02-12 02:59
Platform
win10v2004-20231222-en
Max time kernel
91s
Max time network
124s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3604 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe |
| PID 3604 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe |
| PID 3604 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
"C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe"
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/3604-0-0x0000000000400000-0x000000000086A000-memory.dmp
memory/3604-1-0x0000000001CC0000-0x0000000001DD2000-memory.dmp
memory/3604-2-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/3604-13-0x0000000000400000-0x00000000005F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
| Hash | Value |
| --- | --- |
| MD5 | 04fb2af169bebeaae6af51d2adfad125 |
| SHA1 | 75914527bb6869159bb2fdaf80325d5094121b1c |
| SHA256 | e30c22bc8ba32d9943f8339a2c0489489614f6b99a61263ca9a6bd1dac33b01f |
| SHA512 | 9c3ad3d031ed7ed2f4c037f25d547035bb57a9aa229fe82fd65ec6631a10be83ef2c08e074ae3a45f60878b99f81f99229f9174aa0b16dfb87afc2b1bf31b048 |
memory/8-15-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/8-17-0x0000000001C60000-0x0000000001D72000-memory.dmp
memory/8-14-0x0000000000400000-0x000000000086A000-memory.dmp
memory/8-23-0x0000000000400000-0x000000000086A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-12 02:56
Reported
2024-02-12 02:59
Platform
win7-20231129-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2972 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe |
| PID 2972 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe |
| PID 2972 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe |
| PID 2972 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe | C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
"C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2972-0-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2972-2-0x0000000001A60000-0x0000000001B72000-memory.dmp
\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
| Hash | Value |
| --- | --- |
| MD5 | efb096fceb426b856fbd1cc75281d763 |
| SHA1 | 7bc3c372f7915575fe962249beac66ef00fba897 |
| SHA256 | d7c6351d6511a78f11eee86465ac4f5a8b0acb3c34190dd37f4097f0f90e5033 |
| SHA512 | 6a66124841ff3790f75ad97326ae2a4cd8f525176877e45a90b54bbb4b99f60ffb629ae844cbacb9ef713f9239afbfd1978ab9f661d1924c0b25465a40aeaae5 |
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
| Hash | Value |
| --- | --- |
| MD5 | 1733bff9d0634f1063fe87495d8fce18 |
| SHA1 | 272d173649dcfe190b619bc6bfedbb006651e160 |
| SHA256 | 46a9cc13c2b1c61a30999919072f0540b881b30800391f9652e20b774424ce88 |
| SHA512 | f8d587abf4f7592d7a0aa123c575baf3935311f0406fea65b4bfa4049d424beee7a2fd6beb96352e57d4e99a7bde58f1c96499cff54d7f439b2aee234b0a6a09 |
memory/2972-15-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/3008-17-0x0000000000270000-0x0000000000382000-memory.dmp
memory/3008-19-0x0000000000400000-0x000000000086A000-memory.dmp
memory/3008-16-0x0000000000400000-0x00000000005F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\960fa5935476e6fce5542912c57e4301.exe
| Hash | Value |
| --- | --- |
| MD5 | 3326c51f102158ae50fab09194f2bcd4 |
| SHA1 | d97d96ed04563cce1b7459abf3fadfd2349e096d |
| SHA256 | 63ed041fd56a5ef2bdfc99a857e6c50fe6fb8ab0c002d2bb810fb86d362258c3 |
| SHA512 | 3f9d35cacdc32201c686650f4dbd05cc6127f5f4eb889a57433f55395d12a6d6b95c0ed3ea8fb8362690bc9a2b05167e4f153a76b7d85a0ffdf36db9cb2ada56 |
memory/2972-1-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/3008-25-0x0000000000400000-0x000000000086A000-memory.dmp