Analysis Overview
SHA256
cce56e7f0b706dcb2547abc1d1b967950a3373b8536ac617feeac27fae085650
Threat Level: Known bad
The file 9ef3470cd4f333e9be8675089f018f9d was found to be: Known bad.
Malicious Activity Summary
Gozi
UPX packed file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-16 00:19
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-16 00:19
Reported
2024-02-16 00:22
Platform
win7-20231215-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2800 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe |
| PID 2800 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe |
| PID 2800 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe |
| PID 2800 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe
"C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe"
C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe
C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2800-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2800-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2800-2-0x0000000001B20000-0x0000000001C53000-memory.dmp
\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe
| Hash | Value |
|---|---|
| MD5 | aee6a0261de70a85e71a2e86b7412292 |
| SHA1 | ddec07f3e98abf80176790023427de51513b773c |
| SHA256 | 2a32d87ae537979ee52259a96c271a17caed4b98238eed821a03722d12d62c23 |
| SHA512 | 7b834915328d645c7e4b29cd12ce8a550dcc491b46b7b5c64e50875e19c5de94b754faccfc8ef4de780717beba4218dc49c0f749f2705d7ea286bd53f206f9e8 |
memory/3024-17-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3024-19-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2800-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2800-13-0x00000000037F0000-0x0000000003CDF000-memory.dmp
memory/3024-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3024-25-0x00000000035A0000-0x00000000037CA000-memory.dmp
memory/3024-31-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-16 00:19
Reported
2024-02-16 00:22
Platform
win10v2004-20231222-en
Max time kernel
91s
Max time network
150s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1184 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe |
| PID 1184 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe |
| PID 1184 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe | C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe
"C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe"
C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe
C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/1184-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1184-2-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1184-1-0x0000000001A30000-0x0000000001B63000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9ef3470cd4f333e9be8675089f018f9d.exe
| Hash | Value |
|---|---|
| MD5 | 4fda2a07b2388535f71d28b363aa4846 |
| SHA1 | 1bac30cdc1818fe823ee98bc1390d95b75174e9c |
| SHA256 | 3cd959e41f912a0f0d1bcc679589ae060f4cb8a1633220e722c89d02cb5856ee |
| SHA512 | 9f79decf11ccf890312bcac757b7eacbce58cb9f57f0ed08dae1137d170435354c3af4d6e98877206277a483f931d892b601ab4f5516d01877934b8014ddbaad |
memory/1184-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2444-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2444-17-0x0000000001CA0000-0x0000000001DD3000-memory.dmp
memory/2444-15-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2444-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2444-20-0x00000000055A0000-0x00000000057CA000-memory.dmp
memory/2444-28-0x0000000000400000-0x00000000008EF000-memory.dmp