Analysis Overview
SHA256
547f1d26fb48ddfe7804fce88ff4480776c1ec83e5e6279514996c2e0405210b
Threat Level: Known bad
The file 96f6737e503c59e21fb20a6d52a571be was found to be: Known bad.
Malicious Activity Summary
Gozi
Deletes itself
UPX packed file
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-12 10:43
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-12 10:43
Reported
2024-02-12 10:45
Platform
win7-20231215-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1340 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe |
| PID 1340 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe |
| PID 1340 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe |
| PID 1340 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe
"C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe"
C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe
C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/1340-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/1340-1-0x0000000000400000-0x0000000000622000-memory.dmp
memory/1340-3-0x0000000001B10000-0x0000000001C41000-memory.dmp
\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe
| Hash | Value |
| --- | --- |
| MD5 | 3df1c2578681ce3543e3f2648ee33f60 |
| SHA1 | 204793efcc0e3318a2dc58527688ea7c700f2b16 |
| SHA256 | 0087fb172ca088bb69e60eda8e68743b3f0ef006244be33eefa569b0371d4816 |
| SHA512 | 02c98d7ae6b18067dbc08ce0fea00703cda572dca92c9e7255ad34e2b6a789eb516a8459acd8accf97a289c223f36b4e519f217230d5ac7767f782de3a7c2e91 |
C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe
| Hash | Value |
| --- | --- |
| MD5 | 7aafe619375a91e34e20db38917d8d5b |
| SHA1 | 6cc0654be613ff4ca47ee7e539e6123fdf37b396 |
| SHA256 | 11df256d3504da14db24262e1d6e7767a70cd7d4e252bf599acd463c0f072c7e |
| SHA512 | a3ca270c284c264db16a62db581bc3c45e8990b0166cfcb5ce56d75a91f31a867b780b2d86ebf19342160f791b4301e715e28269f86b0032df26afa65a308531 |
memory/2940-16-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/1340-14-0x0000000003E30000-0x0000000004317000-memory.dmp
memory/1340-13-0x0000000000400000-0x0000000000622000-memory.dmp
memory/2940-18-0x0000000001B10000-0x0000000001C41000-memory.dmp
memory/2940-17-0x0000000000400000-0x0000000000622000-memory.dmp
memory/2940-23-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2940-25-0x00000000033F0000-0x0000000003612000-memory.dmp
memory/1340-31-0x0000000003E30000-0x0000000004317000-memory.dmp
memory/2940-32-0x0000000000400000-0x00000000008E7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-12 10:43
Reported
2024-02-12 10:45
Platform
win10v2004-20231215-en
Max time kernel
140s
Max time network
146s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4280 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe |
| PID 4280 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe |
| PID 4280 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe | C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe
"C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe"
C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe
C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
Files
memory/4280-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/4280-1-0x00000000018F0000-0x0000000001A21000-memory.dmp
memory/4280-2-0x0000000000400000-0x0000000000622000-memory.dmp
memory/4280-13-0x0000000000400000-0x0000000000622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\96f6737e503c59e21fb20a6d52a571be.exe
| Hash | Value |
| --- | --- |
| MD5 | 60fc94b25e54ad2178a19841573c9ea7 |
| SHA1 | 7a2e7f8ce6863adf4480b391d0be1d4d79d9c301 |
| SHA256 | 5407bdf40099951e54b2cf87548c9b9695cfd4676e43ada4f9e2efffa7c8d436 |
| SHA512 | 1332388f227c09a0b67a9b5527dcb89b7143b8b3477008706a12891a758c10259832f4df9be71139f6612fb32bc785546021878adc6e467c111999ffd0ddafe3 |
memory/3248-14-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/3248-16-0x0000000000400000-0x0000000000622000-memory.dmp
memory/3248-15-0x0000000001CD0000-0x0000000001E01000-memory.dmp
memory/3248-21-0x00000000055C0000-0x00000000057E2000-memory.dmp
memory/3248-22-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3248-29-0x0000000000400000-0x00000000008E7000-memory.dmp