Analysis Overview
SHA256
ad9d6c66ad19cd10bed86bb6bf61c9c362dfc3744b82a12021d7c4ed52bbb53e
Threat Level: Known bad
The file 9f93c04fad7105eaac240237c6542549 was found to be: Known bad.
Malicious Activity Summary
Gozi family
UPX packed file
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-16 05:42
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-16 05:42
Reported
2024-02-16 05:45
Platform
win7-20231215-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2544 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe |
| PID 2544 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe |
| PID 2544 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe |
| PID 2544 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe
"C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe"
C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe
C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2544-1-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2544-0-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2544-3-0x0000000001B20000-0x0000000001C53000-memory.dmp
\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe
| MD5 | 8199d18e6e3bfdb471c4494c2f235595 |
| SHA1 | c9f0c598f025eb3aa014de35cc6d38811c9f2030 |
| SHA256 | 3dcf3a747d9048a27fa266da6c47293ce050833c08b7a8698973a05f70090b56 |
| SHA512 | 0f0ebaee304dea826c80b024c1ec5e16d60699af550485e1936a58b0805fc13cb175e3e11b818949d465d7795ca32da46fff4b9fff9c353d95e24b86ff078b4e |
memory/2544-13-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe
| MD5 | 0ab6878ddf95a0e282fe5587f28a0f97 |
| SHA1 | 5016eeab865dcac473f40d3a66859a889fef6d91 |
| SHA256 | 4622caf9daca3bb7740ff94c62034a4fa564b3001f1d545f113694b375eeac1f |
| SHA512 | ab0013a8a06bfc176c7026ded6727e573b9189a90a0161d641f6a47026ff6f6ff1f7505aa4f526fd699f7fee1c6c1396e241552e16b20eef344f2354d3b956b5 |
memory/2700-15-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2700-16-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2700-17-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2700-23-0x0000000003410000-0x000000000363A000-memory.dmp
memory/2700-22-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2544-30-0x0000000003DD0000-0x00000000042BF000-memory.dmp
memory/2700-31-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-16 05:42
Reported
2024-02-16 05:45
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5016 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe |
| PID 5016 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe |
| PID 5016 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe | C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe
"C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe"
C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe
C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/5016-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/5016-1-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/5016-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9f93c04fad7105eaac240237c6542549.exe
| MD5 | e0919e79fd81d7d2a832fa364b8f2dd5 |
| SHA1 | 26aaeca25d0f497936eb69eb658c0a1a2bfb662d |
| SHA256 | a56d0ad0581166c07786f16b5f295d76adbee737d598955b78fe97da3827c68e |
| SHA512 | 9cdd1582f5bb3e7e701fd66bcf9aa29d78eed9bfa22624685af8b8ab9a11f3187c50fce64363d89aad5ed0cb9c9ff83e50636e506ec0d9abc9db1f094d145ad2 |
memory/5016-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/644-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/644-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/644-14-0x0000000001D40000-0x0000000001E73000-memory.dmp
memory/644-20-0x0000000005640000-0x000000000586A000-memory.dmp
memory/644-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/644-28-0x0000000000400000-0x00000000008EF000-memory.dmp