Analysis Overview
SHA256
65e5e1808b8b9fae32fc679e93380a705df09ca1d5af1995551bcff0d17e6c20
Threat Level: Known bad
The file be0cf91c38c27ea52920ff91c1365004 was found to be: Known bad.
Malicious Activity Summary
Gozi
Deletes itself
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-10 07:43
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 07:43
Reported
2024-03-10 07:45
Platform
win7-20240221-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2172 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe |
| PID 2172 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe |
| PID 2172 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe |
| PID 2172 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe
"C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe"
C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe
C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/2172-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2172-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2172-2-0x0000000001B20000-0x0000000001C53000-memory.dmp
\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe
| MD5 | 639a762b727db8eb6752743aebf631ba |
| SHA1 | 670d468efed433e3063ffaad6993fb08f6f1570d |
| SHA256 | 9a7560c84cc4904de23cce7f45755398d0ef2c5a859a3f7ed55eda282329d897 |
| SHA512 | 14d9ad9bd27bb04d1c6c29219c748f50a16d0a959393cfaf35bd98654215ce5e76af00b534c523d48c4f5f7d443322707acda08d85989e328289ecccecc9fd64 |
C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe
| MD5 | f31bc3e3d7da6e4287d736d02ec02ee6 |
| SHA1 | adae7ff0841583162d08c593bbd07b02a54aa51c |
| SHA256 | ecfc82eb8913326af25752f8bd717a4755c21e72b89b2486421e0ba2391f9f81 |
| SHA512 | c73c0c498efd0beeaf6e46b77ac3909ba0954e145537e7d2e2c92133f227d00ec93e132848fd3c17cb4faae8dc17575e9d3d23bdc97025f3bd5a72165126b26b |
memory/2172-14-0x0000000003CD0000-0x00000000041BF000-memory.dmp
memory/2528-17-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2172-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2528-20-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2528-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2528-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2528-25-0x0000000003410000-0x000000000363A000-memory.dmp
memory/2172-31-0x0000000003CD0000-0x00000000041BF000-memory.dmp
memory/2528-32-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-10 07:43
Reported
2024-03-10 07:45
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
124s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1728 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe |
| PID 1728 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe |
| PID 1728 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe | C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe
"C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe"
C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe
C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
memory/1728-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1728-2-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1728-1-0x00000000018F0000-0x0000000001A23000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\be0cf91c38c27ea52920ff91c1365004.exe
| MD5 | bd19928b00650463526ec997a7c664df |
| SHA1 | 061d10c7931b6d6c6c3f3150e7eaf6bcb218e6a4 |
| SHA256 | c5256b5c7492509725cca4e72e43c75b351a0410ce885cc92df986d9be71c23b |
| SHA512 | b806134c6f9e9778deb444f2044acc9f429215d34b2ebe1b7441f1ab465a644adf8a6bf95693cefceb79334f93fa111cdeb56e420b45bb964928ab077b75cd1b |
memory/1460-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1728-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1460-15-0x0000000001D80000-0x0000000001EB3000-memory.dmp
memory/1460-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1460-21-0x0000000005680000-0x00000000058AA000-memory.dmp
memory/1460-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/1460-28-0x0000000000400000-0x00000000008EF000-memory.dmp