Analysis Overview
SHA256
4a6473b1726fe36d7f514f072307ed5aa5fce899b03388d5f8b78684a2cb3bc5
Threat Level: Known bad
The file badd9eb088b53d871a973cd7d70d79c2 was found to be: Known bad.
Malicious Activity Summary
Gozi family
xmrig
XMRig Miner payload
Executes dropped EXE
UPX packed file
Deletes itself
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious behavior: RenamesItself
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-08 09:08
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-08 09:08
Reported
2024-03-08 09:10
Platform
win7-20231129-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2392 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
"C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe"
C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
Network
Files
\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
| MD5 | 21e1e73d626e713b983b0f3ba7ad504b |
| SHA1 | 62927e285ba206a36334111efa0e63dd8f15f6ba |
| SHA256 | 5285511792416917426fb4d7771fd0a66428920d9f3ef191222c1610101cfb03 |
| SHA512 | ce0b2361da442dde2ce9653772b95374d6c86302da66a34d3e92e32961e4d257b5a2689fa5200e49e5d359a89b7a0882714e5e3d6d588ea3b2215e60a4e10e99 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-08 09:08
Reported
2024-03-08 09:10
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3108 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe | C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
"C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe"
C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
| MD5 | fab29b8c4429f4f26df27de28d6f3072 |
| SHA1 | ad768ebb3dc805f905b8a5a3cdcc8611e06790e2 |
| SHA256 | a6f90ff4c9592c3c1a76553947266b8f879ad5c9850bda9d0d633d1843bb819f |
| SHA512 | f786b6e5eafac2e9745b2787f010ea650f5a4a35e9f498e393fa2d7873b5d91c2c133e6f0da6125d9b8a7da88ab02d5ab18094edc5a456f89222371eb26941c1 |