Analysis Overview
SHA256
5e3402c025e84c695650c9a3e04b8d9b5c364f35b8b11fa9e98434292149f7d1
Threat Level: Known bad
The file 9d712014954e93ef3f87608fa0be27d9 was found to be: Known bad.
Malicious Activity Summary
Gozi family
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-15 08:32
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-15 08:32
Reported
2024-02-15 08:34
Platform
win7-20231215-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1728 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe |
| PID 1728 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe |
| PID 1728 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe |
| PID 1728 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe
"C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe"
C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe
C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/1728-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1728-1-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/1728-2-0x0000000000400000-0x000000000062A000-memory.dmp
\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe
| MD5 | 7c64abc2bafcfa2665650a9fc4dfc2cb |
| SHA1 | a430b253d855e11ae5bc3ba24ae3d61c2ca97b67 |
| SHA256 | 9464e6882a1c1fb0b01608d7208244d79429f7cb96dd4cdcea20900e35cf7d25 |
| SHA512 | 06efdd6a6d93a3235da5790cbd11c3abd2e7e3a4e292b6e7b3ed981b3799a48a726cef4b1f251608824ad022b94c222eaa28efb08ca606054c31032dea56ea9b |
memory/1728-15-0x00000000036F0000-0x0000000003BDF000-memory.dmp
memory/2896-17-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2896-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2896-18-0x0000000000260000-0x0000000000393000-memory.dmp
memory/1728-14-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe
| MD5 | 1fc9b920a5af985c6e809b6ebb2872d8 |
| SHA1 | 490acde8de31ce43d50798f183792ed1bbe423ce |
| SHA256 | 6f135b37315e8062ca6bfc7c0a1a2814db09b2bf5cbd2e4dc865719812bf6275 |
| SHA512 | 6a2ff976d75283139edc0864d07b191c4dc44072849e0809bd4c6898029da0c9fb4ce0d96fa5ba5b3397c5b58c441f93da7b3bd20ed84ec45014cd80b439084a |
memory/2896-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2896-24-0x00000000034F0000-0x000000000371A000-memory.dmp
memory/1728-31-0x00000000036F0000-0x0000000003BDF000-memory.dmp
memory/2896-32-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-15 08:32
Reported
2024-02-15 08:34
Platform
win10v2004-20231215-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2508 wrote to memory of 3456 | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe |
| PID 2508 wrote to memory of 3456 | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe |
| PID 2508 wrote to memory of 3456 | N/A | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe | C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe
"C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe"
C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe
C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
memory/2508-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2508-1-0x0000000001CD0000-0x0000000001E03000-memory.dmp
memory/2508-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe
| MD5 | 89cdacce23bfd2805aa966f7e2803f83 |
| SHA1 | 4a40eff17ca6c69ce9df3afda826ffca2f10af60 |
| SHA256 | 1d13a7b280a62d61eb53a2c1ec45bca691632a26af6b34f00a1467214246d7fb |
| SHA512 | 2cb7eeabe156aab091ba93e796746d0b07bd8957531d5d7719a58f2836073349b78634fc83dbb781de7b5abc524312a92129378691286193dd4f292edb011ee5 |
memory/3456-14-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2508-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3456-15-0x0000000001C70000-0x0000000001DA3000-memory.dmp
memory/3456-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3456-22-0x0000000005570000-0x000000000579A000-memory.dmp
memory/3456-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3456-29-0x0000000000400000-0x00000000008EF000-memory.dmp