Analysis Overview
SHA256
587b999dab7d511db548be63c2671865d04931f102f1f22623871d15f0f45723
Threat Level: Known bad
The file c6b6e10fbe38588f1d892777f687cf46 was found to be: Known bad.
Malicious Activity Summary
Gozi family
Loads dropped DLL
Deletes itself
Executes dropped EXE
UPX packed file
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-13 19:44
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-13 19:44
Reported
2024-03-13 19:48
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
207s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4776 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe |
| PID 4776 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe |
| PID 4776 wrote to memory of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe
"C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe"
C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe
C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
Files
memory/4776-0-0x0000000000400000-0x000000000086A000-memory.dmp
memory/4776-1-0x0000000001BB0000-0x0000000001CC2000-memory.dmp
memory/4776-2-0x0000000000400000-0x00000000005F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe
| MD5 | 3a40b4c42cd8865b7c60281ea4d15e3c |
| SHA1 | 7ce7d9027c3e65e5f257b19bee5eb7b64554a455 |
| SHA256 | eb503e31549cc0dcb7e8c9cbcf8fa6d1068055ce466c1016d75fdf38523309e0 |
| SHA512 | 9b4126fe66e9bb87fb743a355f3a5574aac09e57978ff55e46333aca1009414de2607bff7b474053942925c9cf3e749f42373dc7f69a66c05c446efb2b14dff7 |
memory/4776-13-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/4672-14-0x0000000000400000-0x000000000086A000-memory.dmp
memory/4672-15-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/4672-16-0x0000000001D20000-0x0000000001E32000-memory.dmp
memory/4672-23-0x0000000000400000-0x000000000086A000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-13 19:44
Reported
2024-03-13 19:47
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2952 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe |
| PID 2952 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe |
| PID 2952 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe |
| PID 2952 wrote to memory of 3060 | N/A | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe | C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe
"C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe"
C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe
C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2952-0-0x0000000000400000-0x000000000086A000-memory.dmp
memory/2952-1-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/2952-2-0x0000000000250000-0x0000000000362000-memory.dmp
\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe
| MD5 | 6d5f08406c39f32f09a9cf70d0919ebe |
| SHA1 | 2015724ce093f0475e99b1a20b8ab3a6491bfe2c |
| SHA256 | 966437106b2b184212247a67dd53bc65abcf29de657f91a93825cfaa2d7d3062 |
| SHA512 | 379683b435442ae0cdeadc4721a202bcddd74e610b5014622d8622d7e38b2ef674030e33e57fd83c9ba7e630b499f499b79b608716f57de79700cfb622bca9b1 |
memory/3060-17-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/3060-19-0x0000000000400000-0x000000000086A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c6b6e10fbe38588f1d892777f687cf46.exe
| MD5 | a074e5c3875aa9aba18fa35ac2e7a335 |
| SHA1 | 027e3e491f64dbdf5d53f2d81a9b4bcca38b9e10 |
| SHA256 | 641f6f36206932caa89297b49de747bd876ccb80d3dd9df25afb07904e763422 |
| SHA512 | 8b6727a224463ca8f78627b6f74c0705ae317fc27e7f613c214af792eba2a256d08bd053dbff84896d02d9343faea0297ff21b0cdbe3f49ea4fce5d0eef7de86 |
memory/2952-15-0x0000000003E70000-0x00000000042DA000-memory.dmp
memory/3060-21-0x00000000002B0000-0x00000000003C2000-memory.dmp
memory/2952-14-0x0000000000400000-0x00000000005F2000-memory.dmp
memory/2952-26-0x0000000003E70000-0x00000000042DA000-memory.dmp
memory/3060-27-0x0000000000400000-0x000000000086A000-memory.dmp