Analysis Overview
SHA256
b575502c207ba5c7cfa96f4f8d7fe5d3a6b9d3423a07599dad003abd5fc91623
Threat Level: Known bad
The file 96171198667f338c9b6a448410f3dbcc was found to be: Known bad.
Malicious Activity Summary
Gozi family
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-12 03:09
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-12 03:09
Reported
2024-02-12 03:12
Platform
win7-20231129-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1752 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe |
| PID 1752 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe |
| PID 1752 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe |
| PID 1752 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe
"C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe"
C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe
C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/1752-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1752-1-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/1752-2-0x0000000000400000-0x000000000062A000-memory.dmp
\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe
| MD5 | 2feccc195369f5aec10b03c5e7fbde7b |
| SHA1 | 8d27eea18f4fd523881ebe6c4fa8a4e3bab6e801 |
| SHA256 | 5d5eb54589b91a97ee7ec64e22a66e9eb20956a50c86ceed8595b659fa3d6092 |
| SHA512 | 7ec1bea4d150756eb0571f9a4369ae7d77e937420b5976b1f5d0755b3745d824234a88f9d971bc121c932094900a53e025d59c6e14beda5ff465be750deec83f |
memory/1752-14-0x0000000003770000-0x0000000003C5F000-memory.dmp
memory/3000-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3000-18-0x0000000000400000-0x00000000008EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe
| MD5 | 16e95fe3bba41850a8e30abf0695dbaf |
| SHA1 | b22b9ccbef42845f1a7c71dcd66efb4288d5cdc1 |
| SHA256 | 8ec26f513b6653e96f3938647a9ec817481e0e4193411e2f6322e715c2b482b9 |
| SHA512 | f5c63129794818d6b4f61c37438d79c32b9c9e6d3429dcbadb496ba8d1b077ddc1f4c5f7bb34caba1a15b7352b5baa61375aa8dd0ffa368e11a7aedeedc8d3b3 |
memory/3000-20-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/1752-13-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe
| MD5 | 0713a7a59b9d761e83f332206b43bded |
| SHA1 | 5ae760da8665097766e89cd2005374c2fce76370 |
| SHA256 | fd7748bc553ba107e22ec6ae62225637657905c970a555486a405742931ebfb3 |
| SHA512 | 803964c4fd0459b6ddaeafaeb24fd44e6aa56df897a11f2cf663ee7366bee070f5b8d43a53fdc41e2df547c380dc02f43eb2c88f62e91e663bcee88b73e831fe |
memory/3000-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3000-25-0x00000000035A0000-0x00000000037CA000-memory.dmp
memory/1752-31-0x0000000003770000-0x0000000003C5F000-memory.dmp
memory/3000-32-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-12 03:09
Reported
2024-02-12 03:13
Platform
win10v2004-20231215-en
Max time kernel
123s
Max time network
181s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3548 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe |
| PID 3548 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe |
| PID 3548 wrote to memory of 3228 | N/A | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe | C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe
"C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe"
C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe
C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/3548-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3548-1-0x0000000001D10000-0x0000000001E43000-memory.dmp
memory/3548-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\96171198667f338c9b6a448410f3dbcc.exe
| MD5 | 65c45fedd1870ca2ea0d98133c343b50 |
| SHA1 | c8f033c45bff4d281f0c1405aedc3f4545ae5d30 |
| SHA256 | ad18dc75065ab4f9a269a71f684ac9ba3abb170de78ec532fec08044bfc8fc59 |
| SHA512 | ca54773d836669f519413093eb12918ad0d9da9ab2ee91e5eba4ed1355b3e6de5d9ad44d24d2d424f279b07b6e687c1aa63a8712441617426ccf9a838f7e8c85 |
memory/3548-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3228-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3228-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3228-15-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/3228-20-0x0000000005580000-0x00000000057AA000-memory.dmp
memory/3228-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3228-28-0x0000000000400000-0x00000000008EF000-memory.dmp