Analysis Overview
SHA256
e9c3b3d5110a014a41964ef37fb07846cd6f006c813e16ca7cba4d256063b88c
Threat Level: Known bad
The file c84ae91054b08d593b81076ef69e148f was found to be: Known bad.
Malicious Activity Summary
Gozi
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-14 09:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 09:35
Reported
2024-03-14 09:38
Platform
win7-20240221-en
Max time kernel
117s
Max time network
128s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1524 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe
"C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe"
C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe
C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/1524-0-0x0000000000400000-0x0000000000877000-memory.dmp
memory/1524-1-0x0000000000400000-0x000000000064D000-memory.dmp
memory/1524-3-0x0000000001D80000-0x00000000021F7000-memory.dmp
memory/1524-13-0x0000000000400000-0x000000000064D000-memory.dmp
\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe
| Hash | Value |
| --- | --- |
| MD5 | f7627b86bbb54e5a24e998ad752c0449 |
| SHA1 | 0534a62144306f5fd5b7ce12b08505327323b2c3 |
| SHA256 | 9e310205008145e3b94ff073ab4d0b6b2e6447cdecf04ce0871c0ccb85217a65 |
| SHA512 | 868b8000eded79ba415f75aa2fda7c43c8bc1efccd91405f70b127f38971d34400cabf8bb2fb9f9e4a69f285163dde04ac351e38085ab7a0db9db5fb3945ad57 |
C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe
| Hash | Value |
| --- | --- |
| MD5 | a5fc54eff952ca58f09a513c692dd3dd |
| SHA1 | f65ca67a50ed164f7a7219d4d181128709ebef36 |
| SHA256 | c700292abb80ae6701b63e6892653b6b9023f4c5cecf8e4756e6d4fac97b631f |
| SHA512 | 8f216e5753150612a161b22f0c4c37a70dfb1f6f71fd41d7be20840e75deafbcc49de19eba7bb6204d9ecd10a813d3ef10721a05b1d5314231ed2be6c8b94804 |
memory/1524-15-0x0000000004010000-0x0000000004487000-memory.dmp
memory/3064-17-0x0000000001CC0000-0x0000000002137000-memory.dmp
memory/3064-16-0x0000000000400000-0x000000000064D000-memory.dmp
memory/3064-19-0x0000000000400000-0x0000000000877000-memory.dmp
memory/3064-23-0x0000000000400000-0x0000000000640000-memory.dmp
memory/3064-24-0x0000000003780000-0x00000000039CD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 09:35
Reported
2024-03-14 09:38
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1316 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe | C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe
"C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe"
C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe
C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/1316-0-0x0000000000400000-0x0000000000877000-memory.dmp
memory/1316-1-0x0000000001CF0000-0x0000000002167000-memory.dmp
memory/1316-2-0x0000000000400000-0x000000000064D000-memory.dmp
memory/1316-11-0x0000000000400000-0x000000000064D000-memory.dmp
memory/3536-13-0x0000000000400000-0x0000000000877000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c84ae91054b08d593b81076ef69e148f.exe
| Hash | Value |
| --- | --- |
| MD5 | 389381f5147ada0b7e898c8f12317603 |
| SHA1 | f797429f7fcd187cc390746afa12a94fc88338b4 |
| SHA256 | d93b31b2dae7ebeb31f8f435f881980effe7f7e59180c7d95c4dcbb3b999a554 |
| SHA512 | c300f668a7a06fd9f0275e797a033cfc0a3cec0573385e2b5fd672e1c1b567a5de601d672ced1d87d15a3bdb174484fd7b7b0e31442309787a21860d8158b090 |
memory/3536-15-0x0000000001EE0000-0x0000000002357000-memory.dmp
memory/3536-14-0x0000000000400000-0x000000000064D000-memory.dmp
memory/3536-20-0x0000000000400000-0x0000000000640000-memory.dmp
memory/3536-22-0x00000000059B0000-0x0000000005BFD000-memory.dmp