Analysis Overview
SHA256
665f29046f4e012f8abb896b432e3598fe0783251eab533902ba1199bbd53a73
Threat Level: Known bad
The file c4c6b0dc4ab0afc86171d28444372067 was found to be: Known bad.
Malicious Activity Summary
Gozi
Executes dropped EXE
UPX packed file
Deletes itself
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-13 02:46
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-13 02:46
Reported
2024-03-13 02:49
Platform
win7-20240221-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2128 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe |
| PID 2128 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe |
| PID 2128 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe |
| PID 2128 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe
"C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe"
C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe
C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/2128-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/2128-1-0x0000000001B10000-0x0000000001C41000-memory.dmp
memory/2128-2-0x0000000000400000-0x0000000000622000-memory.dmp
\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe
| MD5 | f8f0a73349aa5a23fae706834f32a655 |
| SHA1 | 665a0f0296400fa57d39ce70ccc162bcf2c6ba11 |
| SHA256 | f24ce286ac741f9f54733b1c708e7e0bba23b28e90c2a25bc6cc1dbd07dd4322 |
| SHA512 | 0855980e05cf36472a9fcc99ba5b9baaf6c0dfb95238a67401a3c5ddc32537f77ddcd9b13554e6be61cc6d7f8c2b5544f26e323529760db3d968ecbe8be44a4c |
C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe
| MD5 | 4d2ed1e218837781836b55aa4e743bc5 |
| SHA1 | d3a2540df59451310f15fc6ce4bdf07d52c286b1 |
| SHA256 | ffdcb3d91f7c23913aa4b6de5ddaffdd2a3732c8a27e9e79b75bd14e12d4d7bc |
| SHA512 | 9ffa947ab764ac85dbf898705f1df40b97b15535fb669263bf284b7baa091f7089121913e505e0b821308c8d4c046bf2cd6ebbe3d4f64e8b74b8e119e867140d |
memory/2128-13-0x0000000000400000-0x0000000000622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe
| MD5 | 754af614ccedabb09d2f6270b0fd98f5 |
| SHA1 | 9e1887cf19519e737f1f2b7b67a204b964f531e2 |
| SHA256 | 1692f6d8b49ccdcaca71f5bb794c0274b9ab1b890a0b7f61cd0fca65bd2688cd |
| SHA512 | 93c6983228351b409dc5b03d5bb609cde759575e1d2966c540e8b34a222abc316868545857a36976a7b1db41b398a3e558e3c0f0ff2177a9034032d825404299 |
memory/3016-15-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/3016-17-0x0000000001B10000-0x0000000001C41000-memory.dmp
memory/3016-22-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3016-23-0x00000000033F0000-0x0000000003612000-memory.dmp
memory/3016-30-0x0000000000400000-0x00000000008E7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-13 02:46
Reported
2024-03-13 02:49
Platform
win10v2004-20240226-en
Max time kernel
164s
Max time network
174s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5096 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe |
| PID 5096 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe |
| PID 5096 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe | C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe
"C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe"
C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe
C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/5096-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/5096-1-0x0000000001D90000-0x0000000001EC1000-memory.dmp
memory/5096-2-0x0000000000400000-0x0000000000622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c4c6b0dc4ab0afc86171d28444372067.exe
| MD5 | 721cfe8d788a14ac5b09ec6cb6cb509b |
| SHA1 | e6864afee2b5b5d6bd325e04ba2c0486c3b9d54a |
| SHA256 | 96b505ef2b39c7e09f82902cc0e4ff3d38a88f8e5fe5886b09abcef734627b36 |
| SHA512 | fe7730894944faafa868d0c111d65064f7d0416a3271e64666618035c3c71d32a1a39deb392b8a14034fc94ff716ed1833cedcdeb1086d4ef7894ad80fe6a219 |
memory/5096-12-0x0000000000400000-0x0000000000622000-memory.dmp
memory/556-13-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/556-14-0x0000000000400000-0x0000000000622000-memory.dmp
memory/556-15-0x0000000001CC0000-0x0000000001DF1000-memory.dmp
memory/556-20-0x0000000000400000-0x0000000000616000-memory.dmp
memory/556-22-0x00000000055B0000-0x00000000057D2000-memory.dmp
memory/556-28-0x0000000000400000-0x00000000008E7000-memory.dmp