Malware Analysis Report

2025-03-15 07:45

Sample ID  240215-ke97ksdd59
Target     9d712014954e93ef3f87608fa0be27d9
SHA256     5e3402c025e84c695650c9a3e04b8d9b5c364f35b8b11fa9e98434292149f7d1
Tags       upx isfb gozi
Score      10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score   10/10
SHA256  5e3402c025e84c695650c9a3e04b8d9b5c364f35b8b11fa9e98434292149f7d1

Threat Level: Known bad

The file 9d712014954e93ef3f87608fa0be27d9 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported  2024-02-15 08:32

Signatures

Gozi family (tag: gozi)

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted         2024-02-15 08:32
Reported          2024-02-15 08:34
Platform          win7-20231215-en
Max time kernel   122s
Max time network  127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe  N/A

Loads dropped DLL

Description  Indicator  Process                                                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe  N/A

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe

"C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe"

C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe

C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe

Network

Country  Destination        Domain          Proto
US       8.8.8.8:53         zipansion.com   udp
US       104.21.73.114:80   zipansion.com   tcp
US       8.8.8.8:53         yxeepsek.net    udp
US       104.21.20.204:80   yxeepsek.net    tcp

Files

memory/1728-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1728-1-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/1728-2-0x0000000000400000-0x000000000062A000-memory.dmp

\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe

MD5 7c64abc2bafcfa2665650a9fc4dfc2cb
SHA1 a430b253d855e11ae5bc3ba24ae3d61c2ca97b67
SHA256 9464e6882a1c1fb0b01608d7208244d79429f7cb96dd4cdcea20900e35cf7d25
SHA512 06efdd6a6d93a3235da5790cbd11c3abd2e7e3a4e292b6e7b3ed981b3799a48a726cef4b1f251608824ad022b94c222eaa28efb08ca606054c31032dea56ea9b

memory/1728-15-0x00000000036F0000-0x0000000003BDF000-memory.dmp

memory/2896-17-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2896-16-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2896-18-0x0000000000260000-0x0000000000393000-memory.dmp

memory/1728-14-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe

MD5 1fc9b920a5af985c6e809b6ebb2872d8
SHA1 490acde8de31ce43d50798f183792ed1bbe423ce
SHA256 6f135b37315e8062ca6bfc7c0a1a2814db09b2bf5cbd2e4dc865719812bf6275
SHA512 6a2ff976d75283139edc0864d07b191c4dc44072849e0809bd4c6898029da0c9fb4ce0d96fa5ba5b3397c5b58c441f93da7b3bd20ed84ec45014cd80b439084a

memory/2896-23-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2896-24-0x00000000034F0000-0x000000000371A000-memory.dmp

memory/1728-31-0x00000000036F0000-0x0000000003BDF000-memory.dmp

memory/2896-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted         2024-02-15 08:32
Reported          2024-02-15 08:34
Platform          win10v2004-20231215-en
Max time kernel   141s
Max time network  150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe"

Signatures

Deletes itself

Description  Indicator  Process                                                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe  N/A

Executes dropped EXE

Description  Indicator  Process                                                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe  N/A

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Suspicious behavior: RenamesItself

Description  Indicator  Process                                                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe

"C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe"

C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe

C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe

Network

Country  Destination        Domain                          Proto
US       8.8.8.8:53         217.106.137.52.in-addr.arpa     udp
US       8.8.8.8:53         173.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53         zipansion.com                   udp
US       172.67.144.180:80  zipansion.com                   tcp
US       8.8.8.8:53         yxeepsek.net                    udp
US       104.21.20.204:80   yxeepsek.net                    tcp
US       8.8.8.8:53         180.144.67.172.in-addr.arpa     udp
US       8.8.8.8:53         18.53.126.40.in-addr.arpa       udp
US       8.8.8.8:53         204.20.21.104.in-addr.arpa      udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53         241.150.49.20.in-addr.arpa      udp
US       8.8.8.8:53         157.123.68.40.in-addr.arpa      udp
US       8.8.8.8:53         206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53         217.135.221.88.in-addr.arpa     udp
US       138.91.171.81:80   (none)                          tcp
US       8.8.8.8:53         187.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53         240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53         90.65.42.20.in-addr.arpa        udp

Files

memory/2508-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2508-1-0x0000000001CD0000-0x0000000001E03000-memory.dmp

memory/2508-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9d712014954e93ef3f87608fa0be27d9.exe

MD5 89cdacce23bfd2805aa966f7e2803f83
SHA1 4a40eff17ca6c69ce9df3afda826ffca2f10af60
SHA256 1d13a7b280a62d61eb53a2c1ec45bca691632a26af6b34f00a1467214246d7fb
SHA512 2cb7eeabe156aab091ba93e796746d0b07bd8957531d5d7719a58f2836073349b78634fc83dbb781de7b5abc524312a92129378691286193dd4f292edb011ee5

memory/3456-14-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2508-13-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3456-15-0x0000000001C70000-0x0000000001DA3000-memory.dmp

memory/3456-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/3456-22-0x0000000005570000-0x000000000579A000-memory.dmp

memory/3456-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/3456-29-0x0000000000400000-0x00000000008EF000-memory.dmp