Analysis Overview
SHA256
b363eede841cd4e93e2951ad418e7f54ccb3dfa432c5fd36af1fd0b565f71ba1
Threat Level: Known bad
The file ce318a1a4e653e0e2bf3fdaa7fbd8abf was found to be: Known bad.
Malicious Activity Summary
Gozi
UPX packed file
Executes dropped EXE
Deletes itself
Loads dropped DLL
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-16 13:41
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-16 13:41
Reported
2024-03-16 13:43
Platform
win7-20240221-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2076 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe
"C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe"
C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe
C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/2076-2-0x00000000002A0000-0x00000000003D3000-memory.dmp
memory/2076-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2076-0-0x0000000000400000-0x00000000008EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe
| MD5 | c192c8ed5bee5db2b7d64cc633e9919c |
| SHA1 | 6e8af141b2a1f1405e87a028ede458e2e8c4332a |
| SHA256 | bc5f9060321ad2cf99615da21e17e30e8dc4edfdf89ced13b82ed236074e5830 |
| SHA512 | d2048a32defcbfc52d99c6b306996814b0ea036007596c495eca8d84cf014daeeeccf25d8b543c142ba48bc8b971310c27a2f4560b182612f4036ccf48ab1a19 |
\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe
| MD5 | c4649b10fa8acd1f0f95a32c447941f8 |
| SHA1 | db967bb6c3123e8b2b9fa290bd34981c5eb2ec80 |
| SHA256 | 8c60825815d62e7300c674100fd10123e2585cccc0e47a2d57d58e04842cb03c |
| SHA512 | 22341c6ae7d1ce269e5ec24848eadd5abeceb23807bd14c4861e261cffc66b9843489e4214ff86b0ce8dd3c2f1b378e64c26e111fc73d8ca4502647ab45fdf56 |
memory/2076-14-0x0000000003AA0000-0x0000000003F8F000-memory.dmp
memory/2884-17-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2076-13-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe
| MD5 | 14e008214017dba0b8c7868c3dd369e6 |
| SHA1 | 699ee801a9b60602a3d6a048921779bffb196d89 |
| SHA256 | 5eb7f2b88aac0a6793722412977a82225baaaa6c8aa9f723797b6058160912ad |
| SHA512 | b90b7afac6d1a92fa5e4227941e682c9f0e9668c6fe0c0058c81584e4ba67dcca5397a4b3f5f16a6334a765eec65a2de489187db292030bf3b1d4cd628d8a87e |
memory/2884-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2884-20-0x0000000000230000-0x0000000000363000-memory.dmp
memory/2884-24-0x00000000034C0000-0x00000000036EA000-memory.dmp
memory/2884-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2076-31-0x0000000003AA0000-0x0000000003F8F000-memory.dmp
memory/2884-32-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-16 13:41
Reported
2024-03-16 13:43
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3880 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe | C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe
"C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe"
C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe
C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
memory/3880-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3880-1-0x0000000001CA0000-0x0000000001DD3000-memory.dmp
memory/3880-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ce318a1a4e653e0e2bf3fdaa7fbd8abf.exe
| MD5 | e5f91ed3ed68bf8697d3753640f52f6f |
| SHA1 | ca25e10b28c82f82c00a2f9b123610fe9aea2d6f |
| SHA256 | 2ca51ea93cee41cea95651fa6ab9de69f85046147aa09fd3d2bb9e4fe403a7c9 |
| SHA512 | e6bc635c573228fed19418257fcf7459ea567f57ac89d20bed75275cc27953f99502358e701df277ca169d82afd4b2432bfe1c893c5fb2b0a9f0513844ee1121 |
memory/3880-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3300-14-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3300-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3300-16-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/3300-21-0x0000000005690000-0x00000000058BA000-memory.dmp
memory/3300-22-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3300-29-0x0000000000400000-0x00000000008EF000-memory.dmp