Analysis Overview
SHA256
ce3391bd967d6b855e26ccadda344630a09698a586d4880ae38100001d25c332
Threat Level: Known bad
The file 9870cb5147bf608fc2854c9f88d5b865 was found to be: Known bad.
Malicious Activity Summary
Gozi family
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-13 04:10
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-13 04:10
Reported
2024-02-13 04:13
Platform
win7-20231215-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2916 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe |
| PID 2916 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe |
| PID 2916 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe |
| PID 2916 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe
"C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe"
C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe
C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | cli.re | udp |
| US | 172.67.220.142:80 | cli.re | tcp |
Files
memory/2916-0-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2916-1-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/2916-2-0x0000000001A60000-0x0000000001B72000-memory.dmp
\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe
| Hash | Value |
| --- | --- |
| MD5 | 6b7fe3ed873b036b0c0bb5a862bf3e40 |
| SHA1 | b04ca5d434e239fe8d89bc55f3f3a5037e62bce3 |
| SHA256 | c28f090dfedad37db67498ee033d7e32a37bffbde51046cabca5cf186f357597 |
| SHA512 | ee6ac51f5ba7a0f2f0a483d54fce4c52bf39ebfa3b32c566cbb763ed75d633e9b0d871fd1e730628a4cadc7fcbe700dc07dac830a630092245bdc4d0b23167fa |
C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe
| Hash | Value |
| --- | --- |
| MD5 | 03d048713d4777a5a88a6287a8293d90 |
| SHA1 | daf0487fb4ed92792edce6e1785f11d1b059d725 |
| SHA256 | c65d4787f41059f526dce4cf0073971a14f8616114a49103da3549594ae82c9e |
| SHA512 | 95af50c30edd30a19b34f466dfb526199e30222221f4fe88d2ff17da331ee7b53bca095570662516943d423559f600feef77c5731bc2ea5c52f19268089fa62f |
memory/2916-16-0x0000000004690000-0x0000000004AFA000-memory.dmp
memory/2916-14-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/2660-17-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/2660-18-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2660-20-0x0000000000270000-0x0000000000382000-memory.dmp
memory/2916-25-0x0000000004690000-0x0000000004AFA000-memory.dmp
memory/2660-26-0x0000000000400000-0x000000000086A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-13 04:10
Reported
2024-02-13 04:13
Platform
win10v2004-20231215-en
Max time kernel
138s
Max time network
145s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1088 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe |
| PID 1088 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe |
| PID 1088 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe | C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe
"C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe"
C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe
C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/1088-0-0x0000000000400000-0x000000000086A000-memory.dmp
memory/1088-1-0x0000000001C90000-0x0000000001DA2000-memory.dmp
memory/1088-2-0x0000000000400000-0x00000000005F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9870cb5147bf608fc2854c9f88d5b865.exe
| Hash | Value |
| --- | --- |
| MD5 | 124c1f2fe4e759abb96b104475eb051c |
| SHA1 | 6fbacf21091545fa986072f3270a0e3dc8bd76e5 |
| SHA256 | 9581607b591603d3e62c3a38a30500b5a3190f74a7389f7c647858f1584314f9 |
| SHA512 | 21c6fbee041a49c4305b0eefc3413a423a6b8eeaf98e4c1f4bc711bdfc629a8b242673bed6fe742da3c098e9566661720844cce8b33716d1c52839b925f68992 |
memory/1088-13-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/2104-14-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2104-16-0x0000000001C40000-0x0000000001D52000-memory.dmp
memory/2104-15-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/2104-23-0x0000000000400000-0x000000000086A000-memory.dmp