Analysis Overview
SHA256
cae64b92f6db0a3fc9c3f8eedce5aea39a9551b283b2b0e49094a45a3609c395
Threat Level: Known bad
The file a0168628baae121461de044370b320b5 was found to be: Known bad.
Malicious Activity Summary
Gozi family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Deletes itself
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-16 09:57
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-16 09:57
Reported
2024-02-16 10:00
Platform
win7-20240215-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2932 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe |
| PID 2932 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe |
| PID 2932 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe |
| PID 2932 wrote to memory of 2112 | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe
"C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe"
C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe
C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2932-1-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2932-0-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2932-3-0x0000000000270000-0x00000000003A3000-memory.dmp
\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe
| Hash | Value |
| --- | --- |
| MD5 | 11199d016e754719df4ca9036503a0aa |
| SHA1 | aedf97b9c1645831ec0223f200d8d2f1fdee65ae |
| SHA256 | 2464978068269852038683349884eabfdaf9f9cb4ecb210b8df44c6df52fbf37 |
| SHA512 | ba71a0ef109d4af4fc230703a2dcbc5a07914f6e684e14f23e57299f6e3edd38556d34112ae0df27d6e364b76e045061429dca506b72c10d360ae8c57b4543e1 |
memory/2932-15-0x00000000038E0000-0x0000000003DCF000-memory.dmp
memory/2112-17-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2112-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2932-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2112-18-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2112-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2112-24-0x0000000003410000-0x000000000363A000-memory.dmp
memory/2112-31-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-16 09:57
Reported
2024-02-16 10:00
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2124 wrote to memory of 5032 | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe |
| PID 2124 wrote to memory of 5032 | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe |
| PID 2124 wrote to memory of 5032 | N/A | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe | C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe
"C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe"
C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe
C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/2124-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2124-1-0x0000000001CF0000-0x0000000001E23000-memory.dmp
memory/2124-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a0168628baae121461de044370b320b5.exe
| Hash | Value |
| --- | --- |
| MD5 | 4ae04524e2a6f9604cdf22ad029eea4f |
| SHA1 | 391433454535ae19e9ce95b006d9183b4aee3d4c |
| SHA256 | 8cb50093aa02a5d2907d65b6c4ee9ac0bd24be56e34ef32f896bb6c8e2dc9e98 |
| SHA512 | fcf98923ae80c3a9935b2f43f6f0d630d0c4d685666ed68c15190a24a14b845066a955b1303192434b5734ec39ddd562b8d45a8f5838c05dbb2404f9e18bbbe1 |
memory/2124-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/5032-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/5032-15-0x0000000001D00000-0x0000000001E33000-memory.dmp
memory/5032-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/5032-20-0x0000000005600000-0x000000000582A000-memory.dmp
memory/5032-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/5032-28-0x0000000000400000-0x00000000008EF000-memory.dmp