Malware Analysis Report

2025-01-22 18:58

Sample ID 240316-3e5wzaeh9x
Target cf575528a060ce14c51de1dd23bf2463
SHA256 ee347e399c1aad492ed63228d083d368797bd9719e671d2b000cef8e6ec059aa
Tags
upx isfb gozi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee347e399c1aad492ed63228d083d368797bd9719e671d2b000cef8e6ec059aa

Threat Level: Known bad

The file cf575528a060ce14c51de1dd23bf2463 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

UPX packed file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-16 23:26

Signatures

Gozi family

gozi

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 23:26

Reported

2024-03-16 23:29

Platform

win7-20240221-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe

"C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe"

C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe

C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 172.67.194.101:80 yxeepsek.net tcp

Files

memory/2276-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2276-2-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2276-1-0x0000000001B20000-0x0000000001C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe

MD5 c98b15cfd1f6e1080e17a58f55b254f0
SHA1 16070c1b96028e9373eedf5f08db937a0c8d3a20
SHA256 857f2f8be8edaad1a5491db432329f4fb4ed6b4b05f266f9538fd11c57118ec7
SHA512 4a426d75500558528218aa9fd0c5822a797590eeaaef4b4a3355ae8225289876ee0683ce2b48f4a72f6aad613ae055c554cfac934c467d5beb19494f2dec4c03

C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe

MD5 66e17a9c16c660f3433289c9ff4d0e9b
SHA1 2d2dc77f772d1b838e06555bda31c8d62f951d05
SHA256 ce4251595f05f8b9dc7a094f3198df983d21a10631b31bf23477c1860ed2c715
SHA512 5e35d73de1d78d8377925413454964a774d83e0c77de35111b466bbb92e81b7c5b9871a7a65b4dd53912f57eea2b11c57ffb7368f6d1b8c98eca2c861ceaf1d8

memory/2320-17-0x0000000001B20000-0x0000000001C53000-memory.dmp

memory/2320-19-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2320-18-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2276-16-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2276-14-0x00000000037F0000-0x0000000003CDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe

MD5 55f0acae0763d89530511009dda49a35
SHA1 ee1aa42f9eb205f341608b8dc537cdee8bf74d56
SHA256 9ddc82c9b347b2771eec414e574d19907002f866828e22f9b17ea01a62b55cd2
SHA512 3f2623213beea2c6cb4cbf17e20ffc01bfef646f5ba8dd8d2ccf6b68dde31a2e9e70ec553a18187fe5b67cd65e4ffacf200a5abbcbe203f8f4a16b6ae242e5d0

memory/2320-24-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2320-26-0x00000000035A0000-0x00000000037CA000-memory.dmp

memory/2320-32-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 23:26

Reported

2024-03-16 23:29

Platform

win10v2004-20240226-en

Max time kernel

158s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe

"C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe"

C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe

C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 8.8.8.8:53 180.144.67.172.in-addr.arpa udp
US 172.67.194.101:80 yxeepsek.net tcp
US 8.8.8.8:53 101.194.67.172.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 104.246.116.51.in-addr.arpa udp

Files

memory/4536-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4536-1-0x0000000001D20000-0x0000000001E53000-memory.dmp

memory/4536-2-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cf575528a060ce14c51de1dd23bf2463.exe

MD5 bd73d353197ae0f137159b58e1a61988
SHA1 7d594724c6550c31273ad6575fdd61bcbe5b4789
SHA256 91e007e89d6d907f262010e5c864ef2f2ca6f47ad9ba491da8a93f6fe7b372b9
SHA512 6764b6c8304a82f18f451f00f550a0eb48efcf4ea1aae4e925b7117ebee576a84ea4def0af7130cc1562eed7c39e3525d740e73c4dee50bec9680447cea717b5

memory/4536-12-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4516-13-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/4516-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/4516-15-0x0000000001D50000-0x0000000001E83000-memory.dmp

memory/4516-20-0x0000000005650000-0x000000000587A000-memory.dmp

memory/4516-21-0x0000000000400000-0x000000000061D000-memory.dmp

memory/4516-28-0x0000000000400000-0x00000000008EF000-memory.dmp