Analysis Overview
SHA256
a7c5656d425825b9d1e0744c94db8273c54d6515b44bfc83df5276352d9ff449
Threat Level: Known bad
The file b72644d7b2cdb11fa41c4b7947b7582f was found to be: Known bad.
Malicious Activity Summary
Gozi family
Deletes itself
Executes dropped EXE
UPX packed file
Loads dropped DLL
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-06 10:03
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-06 10:03
Reported
2024-03-06 10:06
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 224 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe |
| PID 224 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe |
| PID 224 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe
"C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe"
C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe
C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
Files
memory/224-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/224-1-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/224-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe
| MD5 | c63af242bc0e885539224647809f855b |
| SHA1 | a317253fe3d4000560b3d43ad6466f1a91fbecb1 |
| SHA256 | b4e861f6c467f41bd21b8a2be1a7275f72a6d9bf2820c417341e83a06fac7fa2 |
| SHA512 | fe54da57573cc9a905daefb26743566bdc2a05c7d25cbf134a934b9e266c7d9476e7975e390dfee831559a675383f5841baebd209690ba00df2733b279778513 |
memory/224-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1228-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1228-14-0x0000000001D90000-0x0000000001EC3000-memory.dmp
memory/1228-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1228-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/1228-21-0x0000000005690000-0x00000000058BA000-memory.dmp
memory/1228-28-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-06 10:03
Reported
2024-03-06 10:06
Platform
win7-20240221-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2136 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe |
| PID 2136 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe |
| PID 2136 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe |
| PID 2136 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe | C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe
"C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe"
C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe
C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2136-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2136-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2136-2-0x0000000001B20000-0x0000000001C53000-memory.dmp
\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe
| MD5 | d05b997ce06e75be28f80771c5b72ea1 |
| SHA1 | b2d6695c7edf0e4dc2183166646f6f2bbf133126 |
| SHA256 | da53bc98988e5363969b302fba99eda025e743d3a94b02234aed25ab06141907 |
| SHA512 | 460051c4a07a51a761545ea51c78f6f80090019d7da3a1af74749e0efce1d49ede830058757196f94c920cc4e4deebbf5db04c25d35eb1ee2860bdba5e4b7972 |
C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe
| MD5 | 9057f5a799103534321e4ddf4046300c |
| SHA1 | 9cbfdf9aa68da5dc8a16b6c8c8adb0f0815772b1 |
| SHA256 | b2e523de0ccd049ea5e809ae7d4b4cc461bb522f4854763fa73d54f519dc59b7 |
| SHA512 | a88918b36558e068004c52f8c0158a31f44c41398c70f04957c480e3f63843afe65cd52bf46028f020906cff18caf7b3b809f7b2c4e61f73d5c81239b5a4cea6 |
memory/2136-15-0x00000000037F0000-0x0000000003CDF000-memory.dmp
memory/2136-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1888-17-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1888-16-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b72644d7b2cdb11fa41c4b7947b7582f.exe
| MD5 | 8510ca3b46c5fafc515fa6ecae127704 |
| SHA1 | 6496d35c2a60467ed3c03c7e25bb175c866eaf9f |
| SHA256 | 8844ed41baa655de923ed3be1a501ebf2e604b83a32450c4696fbdc767765954 |
| SHA512 | 40d7910fe482eeaed7e89550bab16a4c13b45c72cdd12c481d5a2cb266e472335ccaa34a303d45fbed36d94ba7df1b46ef201f761c2fddb845d28fbfb1e2c0bc |
memory/1888-19-0x0000000000260000-0x0000000000393000-memory.dmp
memory/1888-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/1888-24-0x00000000034F0000-0x000000000371A000-memory.dmp
memory/2136-31-0x00000000037F0000-0x0000000003CDF000-memory.dmp
memory/1888-32-0x0000000000400000-0x00000000008EF000-memory.dmp