Analysis Overview
SHA256
7a90fa5cef6cf8a4ecf36ff8cbeef7f1b40386c08a7b6b51a9c0238df9bec61b
Threat Level: Known bad
The file ba180590786db12ec1080fee2516aca4 was found to be: Known bad.
Malicious Activity Summary
Gozi family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Deletes itself
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-08 00:47
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-08 00:47
Reported
2024-03-08 00:50
Platform
win7-20240215-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2352 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe |
| PID 2352 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe |
| PID 2352 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe |
| PID 2352 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
"C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe"
C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
| Hash | Value |
| --- | --- |
| MD5 | 3f8ecf328bae68d4d5de52a38c1082b6 |
| SHA1 | 2df57e09262d768deafdeeee4e195dc896150001 |
| SHA256 | 239e83971f3438be57d1a7d1f326fd7c5ff176e5746425dde1e2551eff84a55f |
| SHA512 | cd58011deed87cc912d957499bd11043b009b1d5215c0d147d435082f1e9c637b223221720ab61a9ca9ca7f66c695597c8e03eded8e162d3c0c30e0ec0ab7c2a |
\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
| Hash | Value |
| --- | --- |
| MD5 | 390b6ccf4bffcf0dbbcb23743d13b7be |
| SHA1 | 8dcd70099e700d50310608d04c168982927df72c |
| SHA256 | 30ba31e725313075f79c85efc18cd28741a56f353e2b34d2aecfd78c2a140aed |
| SHA512 | 3ec2a2d13938d520af919dedb9a881cf92818abce7f9d8b5eed2bbe5c17cfc10c763712d192a2446956825c0fb8273bce4441143c24ff9b6bf74742aac00987d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-08 00:47
Reported
2024-03-08 00:50
Platform
win10v2004-20231215-en
Max time kernel
91s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4208 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe |
| PID 4208 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe |
| PID 4208 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe | C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
"C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe"
C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ba180590786db12ec1080fee2516aca4.exe
| Hash | Value |
| --- | --- |
| MD5 | 7d0e0d3219c4b044d827790dc5dc4265 |
| SHA1 | d5bec57675727db24b9b7f5f40285de8bba4db46 |
| SHA256 | f231a3d8326743bb2e2b7a0ebcc081dae4844d9bef43f86f9503f2f76ae711b8 |
| SHA512 | 78923a6aed8212d9d8683d748558e2d02098e9d4a742c464ab9c7db6621401d4256d5edc93a2a5bafe8e9e271d3dcfc79b2fe86254b44eefa61c95cf7acbe501 |