Analysis Overview
SHA256
64380cb8cca4db0858f72eeef80c8ede35c970f56a1e100776a23b0978c73869
Threat Level: Known bad
The file bea1bcfbcc17ac1fb8700a0432ac2cd7 was found to be: Known bad.
Malicious Activity Summary
Gozi family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Deletes itself
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-10 12:42
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 12:42
Reported
2024-03-10 12:47
Platform
win7-20240221-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2056 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe |
| PID 2056 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe |
| PID 2056 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe |
| PID 2056 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe
"C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe"
C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe
C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2056-1-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2056-0-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2056-3-0x0000000000230000-0x0000000000363000-memory.dmp
\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe
| MD5 | 8ed0e3745192f3818ee21f26a87bc181 |
| SHA1 | d31e0e6b20e1a2831ffaf829306392876bceaf51 |
| SHA256 | b74210ac1d1131ffea62f17ebae90b0d6aa5d97366daf751d21003b3248642fd |
| SHA512 | 98cf09d57eaec57db15b935a5cefa4d86aedccd0a4667d97d7815747a9e012b7c9ce851c2b5f7f2d43cf0ebd7e04a79c9aa142f9bb2c8874b5602ea07aa92236 |
C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe
| MD5 | c0acab2cc3065804ca3358e2f6f8b13e |
| SHA1 | ab81c1a2718aee48f0ce3d145df215de525adc7a |
| SHA256 | 8a9381e0d5c13566ff1288cb2d223c3706de6722736da6e3f23fc8d0cb6e9001 |
| SHA512 | 008b7906b6e0053d5eb41409993f8336b643d0cad640d5237494710d659fbc4105fa582f9e98b2c7c5960ba689cbf765ece64925ae091e59d195c7dcb3bc8ebd |
memory/2332-15-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe
| MD5 | 4ad6b3c13b210db34d34967ee889994f |
| SHA1 | a35e7af9aac5984627f671fda6a43963f9d6497d |
| SHA256 | 0c50e417d3ac6d3e46207e03b142043f24a95d860ab03fa72ac8c0bbaae319a1 |
| SHA512 | 166f44e2be4080d3411afe47d90c764b8a1dc6b89a565df4df56b1bb68e0ba8a9990460493a0de4b1aedb4523b82ec1117a91c0add6cff5bcf60425fc82769a5 |
memory/2056-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2332-19-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2056-17-0x00000000037E0000-0x0000000003CCF000-memory.dmp
memory/2332-20-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/2332-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2332-24-0x0000000003570000-0x000000000379A000-memory.dmp
memory/2332-31-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-10 12:42
Reported
2024-03-10 12:45
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4392 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe |
| PID 4392 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe |
| PID 4392 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe | C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe
"C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe"
C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe
C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/4392-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4392-1-0x0000000001D10000-0x0000000001E43000-memory.dmp
memory/4392-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bea1bcfbcc17ac1fb8700a0432ac2cd7.exe
| MD5 | 4716097b7671631c08ef58d5c4d8912e |
| SHA1 | dd09c9ab080a578b7ec4373758bf67b4cdc90593 |
| SHA256 | 66ba6a4bef933b659b9b19366bb0a153022446349c821d47201f3255d69be711 |
| SHA512 | c279c84c959f9246e3ac9af50de7cd70b0279a5f01736ea79ed5ccf7bfcbf033869cea4e5a29ca7a5b131ad382c0bbfde580dad629ad9773f9b4f232d152fc58 |
memory/4392-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3052-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3052-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3052-15-0x0000000001C70000-0x0000000001DA3000-memory.dmp
memory/3052-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3052-22-0x0000000005570000-0x000000000579A000-memory.dmp
memory/3052-28-0x0000000000400000-0x00000000008EF000-memory.dmp