Analysis Overview
SHA256
7f4d6a21e0166484ccbc09b1428a22e2abf942edec6f2881485e0a31515af138
Threat Level: Known bad
The file 9bcd713201d89ff4cfcc2e72356606f7 was found to be: Known bad.
Malicious Activity Summary
Gozi
UPX packed file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-14 13:30
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-14 13:30
Reported
2024-02-14 13:33
Platform
win7-20231129-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2964 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe |
| PID 2964 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe |
| PID 2964 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe |
| PID 2964 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe
"C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe"
C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe
C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/2964-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2964-2-0x0000000000130000-0x0000000000263000-memory.dmp
memory/2964-1-0x0000000000400000-0x000000000062A000-memory.dmp
\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe
| MD5 | b0aabd74de912a2c3137da7f8a0ccd96 |
| SHA1 | 3f10922bff39c406d0848c2d62df6c8c0dbad18f |
| SHA256 | 02b27f5ce9b75aef45d4ca46f0a6e9a1895ada1ceb49537322ea49873e4e547d |
| SHA512 | 862232f5c2fac15bba4019b473b005818021fcf487dcb6f320a6d810c8a4d3a2d3369e7dfcdf14d4fffaa826fdc51b4e161bb16e5afc585af579ec896c217869 |
memory/2964-15-0x0000000003990000-0x0000000003E7F000-memory.dmp
memory/2964-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2992-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2992-17-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2992-19-0x0000000000290000-0x00000000003C3000-memory.dmp
memory/2992-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2992-24-0x0000000003520000-0x000000000374A000-memory.dmp
memory/2964-31-0x0000000003990000-0x0000000003E7F000-memory.dmp
memory/2992-32-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-14 13:30
Reported
2024-02-14 13:33
Platform
win10v2004-20231222-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 428 wrote to memory of 5280 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe |
| PID 428 wrote to memory of 5280 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe |
| PID 428 wrote to memory of 5280 | N/A | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe | C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe
"C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe"
C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe
C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/428-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/428-1-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/428-2-0x0000000000400000-0x000000000062A000-memory.dmp
memory/428-12-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9bcd713201d89ff4cfcc2e72356606f7.exe
| MD5 | 3976496183263a870c129bde995563f8 |
| SHA1 | 3c096e80e446e66d27a84d48d14ec32656edc5cc |
| SHA256 | 797e1a764bcc3ec4b4e86d7572e9ddb9e88efe1e2c99f29c9d7773fca5b84272 |
| SHA512 | 313b3dc1bf265367fd92350d6a52f95e41213619a34225f88418ee4461dd2053c35c22878aef4ef0ec744382f0a684a8e52ccddbf319d40044a8cd54c719b541 |
memory/5280-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/5280-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/5280-16-0x0000000001D90000-0x0000000001EC3000-memory.dmp
memory/5280-21-0x0000000005690000-0x00000000058BA000-memory.dmp
memory/5280-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/5280-28-0x0000000000400000-0x00000000008EF000-memory.dmp