Analysis Overview
SHA256
7354f9ccbc6aa77686a45e617901d475697cbcd1971e97dd92f91bd91025a25f
Threat Level: Known bad
The file 9ed097c39c7cc6e82f5dc72d45952175 was found to be: Known bad.
Malicious Activity Summary
Gozi family
Deletes itself
UPX packed file
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-15 23:08
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-15 23:08
Reported
2024-02-15 23:11
Platform
win7-20231215-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2556 wrote to memory of 1308 (4 occurrences) | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe
"C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe"
C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe
C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe
| MD5 | e51287afc7b1fb7453c904c94fbbe406 |
| SHA1 | f9fa03b3818c700490261eec01a2af2623946b98 |
| SHA256 | f5e044aefdbb5388cc355b117c6d2fbaebcc77674333a397d2b90ef94c053efc |
| SHA512 | 5072a3aab0986023a049aaf66c5f20daa322946a68e911e334c129f97415231f37fc9e35ecb9c6145600f8ad3200541b61db9df1f72b4e92fd357a5998eedf75 |
\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe
| MD5 | ff992a6465abbabdcb3bb9660f450bd4 |
| SHA1 | 4576f2625ed95367e81998d16f042716880ca709 |
| SHA256 | 8ba55f8b65c3b47a1801ab33a47f73be17c9981656af751f02b9896b178f69f3 |
| SHA512 | b87ab28dc4dbeed3905f6b59bd7db962ddda913a3500059a7cc8290d74b7caab9f0dc3dfd0748c237051fdbd460996f6ec98eb82f7161c456df1339da67b421a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-15 23:08
Reported
2024-02-15 23:11
Platform
win10v2004-20231222-en
Max time kernel
91s
Max time network
148s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1648 wrote to memory of 4468 (3 occurrences) | N/A | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe | C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe
"C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe"
C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe
C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\9ed097c39c7cc6e82f5dc72d45952175.exe
| MD5 | 00abc5f008c635d4716b0e194adca16a |
| SHA1 | 51fc59996f62323831710a0c20daa82594176c83 |
| SHA256 | e914382751a01b3cf42f0e88712f0e69d98277b381ebf5de92a23f8b71a2cfd2 |
| SHA512 | e6353995b3e82e18e74e0fc13bce8f9b56d6de9d37ea994b7874f4c233aa671a220e4f396f76ad00c7311449c7a90f4340e4807942c65936bb92cf0138ceb02a |