Analysis Overview
SHA256
a625bda6c2cf2b558aea45d12aa364c07f0fd634a4562a1de9a19ad04c319b8a
Threat Level: Known bad
The file cbfedc43f718fa811669ade61aab7ab0 was found to be: Known bad.
Malicious Activity Summary
Gozi
Executes dropped EXE
UPX packed file
Deletes itself
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-15 17:27
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 17:27
Reported
2024-03-15 17:29
Platform
win7-20240221-en
Max time kernel
118s
Max time network
128s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2924 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe |
| PID 2924 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe |
| PID 2924 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe |
| PID 2924 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe
"C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe"
C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe
C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2924-1-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/2924-0-0x0000000000400000-0x0000000000622000-memory.dmp
memory/2924-4-0x0000000000130000-0x0000000000261000-memory.dmp
\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe
| MD5 | 49a8fd7e226b9cc240725428b8e392bc |
| SHA1 | b0d42a5ddff4de81adadba2d1901158ccc6ecf10 |
| SHA256 | 7a17458dd3122f119f6cd16ef4639061bc3ade9ef518bb0a41f88d53ad673f9c |
| SHA512 | 038110a67fb484cc0e28d8a3e82e306cc52fff03d30e9198db0a9bff6cb5ec3afa490684b41f836a003b7ac250c605fdc4d374259c13945cd854688d441ea82d |
memory/2924-15-0x0000000003740000-0x0000000003C27000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe
| MD5 | 95fc3c3474728c75081700f23d269e7f |
| SHA1 | a4eca9309a8bd52d5c7deefaf3c8a1958f6917cf |
| SHA256 | 8a8070d3304f96f03acc27575372ceb17d9fb28aada7d0a05cb0a1e958cb41f5 |
| SHA512 | e048d2db7cf3cdfa6fa77276db80a23e357f2a05ea1428288d5f253cfbc47acd34020b2f41a6637518774db036008a5e25a3f0431ebe21b4164757a01c518b65 |
memory/2924-14-0x0000000000400000-0x0000000000622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe
| MD5 | 4f56eda5bc3c030540ee8596690f3d4f |
| SHA1 | ea51cf2d739b4ade2f93cb98e222806913708c35 |
| SHA256 | d55bd7d9d1fd9df9a2e00c73ef39061240221403a2d86f132a2ebf91ee1cb520 |
| SHA512 | 37528af2a5c3608efc5d1424fde3d696cc224753d04850b525682b848fd11e567c17a1a37274a0241a21dccdd91d803be526a75dfb360887bc09466c55ce6dfa |
memory/2548-16-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/2548-18-0x0000000001B10000-0x0000000001C41000-memory.dmp
memory/2548-17-0x0000000000400000-0x0000000000622000-memory.dmp
memory/2548-23-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2548-24-0x00000000033F0000-0x0000000003612000-memory.dmp
memory/2924-31-0x0000000003740000-0x0000000003C27000-memory.dmp
memory/2548-32-0x0000000000400000-0x00000000008E7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 17:27
Reported
2024-03-15 17:29
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4368 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe |
| PID 4368 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe |
| PID 4368 wrote to memory of 4684 | N/A | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe | C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe
"C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe"
C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe
C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| GB | 216.58.212.202:443 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.135.221.88.in-addr.arpa | udp |
Files
memory/4368-0-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/4368-1-0x00000000018F0000-0x0000000001A21000-memory.dmp
memory/4368-2-0x0000000000400000-0x0000000000622000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cbfedc43f718fa811669ade61aab7ab0.exe
| MD5 | 8198e7c4e9e71084ed3cc44d8b4a081e |
| SHA1 | 7f9c2d366c5e78a544c451980503694994edcfad |
| SHA256 | 28ed63d1b70c632b46e9b98da098c77eac5cc9170c4632163ec42ea6ab52b2a5 |
| SHA512 | d95b998f58ec598a85c6de8b8273ca76a887659523d380400d84a78e8e49164f8aaabcb3290f8f3bbb9e052ea0d2a67a4cc30c4be415803c90b8f2c7183538f5 |
memory/4368-13-0x0000000000400000-0x0000000000622000-memory.dmp
memory/4684-14-0x00000000018F0000-0x0000000001A21000-memory.dmp
memory/4684-15-0x0000000000400000-0x0000000000622000-memory.dmp
memory/4684-12-0x0000000000400000-0x00000000008E7000-memory.dmp
memory/4684-21-0x0000000005570000-0x0000000005792000-memory.dmp
memory/4684-20-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4684-28-0x0000000000400000-0x00000000008E7000-memory.dmp