Analysis Overview
SHA256
61a60f637baad4c61f7fccde7c22e591c90e1b9af270e9d0e1608c1b4931f0e1
Threat Level: Known bad
The file 98e2a9a5e0c84e21cfb7c7755ef6494a was found to be: Known bad.
Malicious Activity Summary
Gozi
Deletes itself
UPX packed file
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-13 07:56
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-13 07:56
Reported
2024-02-13 07:59
Platform
win7-20231215-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2212 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe |
| PID 2212 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe |
| PID 2212 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe |
| PID 2212 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe
"C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe"
C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe
C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2212-1-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2212-0-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2212-3-0x0000000000130000-0x0000000000263000-memory.dmp
\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe
| MD5 | 058bdca85cbe60be74ef4927baa0c316 |
| SHA1 | 9ee359f9284224cf0923e6eb4a0851367c371182 |
| SHA256 | 2ff8079d0ee46d3c1639f36cf8b8c15e943f37e7456fdcc8668eeb1378a1051c |
| SHA512 | 9b81835515280056d73b99676a69a2176d33ee67695dd7cff9507370746493d3ad0d8b8d56b09a4e85ed411289a4b2bddb70d66d657d462d7e2ae4158f3f4b41 |
memory/2212-15-0x0000000003BB0000-0x000000000409F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe
| MD5 | 03f0bb00e3303e543458de571ee900a4 |
| SHA1 | 5b84453d1b8c29ad8130ec20cafb6482c27b73d6 |
| SHA256 | 488308d1b767e5fa75898162a8e7c52b347d3ddda0ef783bd1a43d91402b046e |
| SHA512 | 76e0ad54b160784f54f4d84e74a2f29e79db88d123551130b6781d772ca026e6df2e43e41d271108210a0540da337f1b57d90a13300ba1d3ed5dfe0f06fc9881 |
memory/2212-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2704-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2704-17-0x0000000001B20000-0x0000000001C53000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe
| MD5 | 6bfebbe01d416eebf1509b2c08883cd0 |
| SHA1 | 4830ff8933febd422a335b018b6657e927b102ce |
| SHA256 | 9e8110af08dc817c54ed6bb27db37f03a3127d3a3c84bcd82074910a711dfe40 |
| SHA512 | 24389272be3fc32eb5d26da51024fa1b576ae846bbe445669acf97e31391e0e706e07e5ffc40917d33dca3ff1f9fe0899c3c617d13b2990c06fc7539774f5815 |
memory/2704-18-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2704-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2704-24-0x0000000003410000-0x000000000363A000-memory.dmp
memory/2212-31-0x0000000003BB0000-0x000000000409F000-memory.dmp
memory/2704-32-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-13 07:56
Reported
2024-02-13 07:59
Platform
win10v2004-20231215-en
Max time kernel
134s
Max time network
148s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2644 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe |
| PID 2644 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe |
| PID 2644 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe | C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe
"C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe"
C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe
C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.141.79.40.in-addr.arpa | udp |
Files
memory/2644-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2644-1-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/2644-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\98e2a9a5e0c84e21cfb7c7755ef6494a.exe
| MD5 | 898be1bf8e38784e24fb104e628efed5 |
| SHA1 | 71fc7ddc47c6b3acc6c5c5fe77cbab57998782aa |
| SHA256 | eaaf76998e29c56419d8ad1b896714914be76e832c830c08de2d7b351246ee74 |
| SHA512 | 1966cd0889584e96f747869ce7901b617779d06829fe1ef9e0a3c95f980833c118402428bf684b0bdde374a4d2da00cc736de98521802e8993f6750408d34728 |
memory/2644-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1804-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1804-14-0x0000000001CD0000-0x0000000001E03000-memory.dmp
memory/1804-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1804-20-0x00000000055D0000-0x00000000057FA000-memory.dmp
memory/1804-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/1804-28-0x0000000000400000-0x00000000008EF000-memory.dmp