Analysis Overview
SHA256
235991df38888107f40151fdb491f2f92c78c8c9d87fcc23c7d574b572c53c7c
Threat Level: Known bad
The file cf166c2b80996bf38ef72d5688a7faca was found to be: Known bad.
Malicious Activity Summary
Gozi
UPX packed file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-16 21:14
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-16 21:14
Reported
2024-03-16 21:16
Platform
win7-20240221-en
Max time kernel
117s
Max time network
139s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3048 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe |
| PID 3048 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe |
| PID 3048 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe |
| PID 3048 wrote to memory of 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe
"C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe"
C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe
C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/3048-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3048-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3048-2-0x0000000000130000-0x0000000000263000-memory.dmp
\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe
| MD5 | 51383ffbc7da18575021a71e7247e535 |
| SHA1 | 325de6c10cf0363a36c5d2bd064bc5ae2044be98 |
| SHA256 | 2e8aa4b6a897795c04d07d9743c2831cc2d6104f1d2885374429fb8851d42e7a |
| SHA512 | 8bedf8ab462fcf07963ab9f6bf252d2449489818b2a9657461eb6d699d0a6aa2da0044a11a939983b70ab091e101bffa26fcf84f5fb08f309bb32b463a8c875a |
C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe
| MD5 | f425263df099a6d9b111f00364cc506f |
| SHA1 | f8bfe402a39a3435f801435f0f5dd07a01408d46 |
| SHA256 | 9ef3491d4ea47bac46d5a5f469728853b142bb34a633c9ed908855fbfa2f7030 |
| SHA512 | d01cde5c26b33fb9ea45cbd03388c28244060138ba609388390d8dea2aac0bc0c05fc6e49e0f270cdeb957389d634808d83aaa096adee114f5088165dd797c14 |
memory/3048-14-0x0000000003DB0000-0x000000000429F000-memory.dmp
memory/2468-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2468-18-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2468-17-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3048-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2468-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2468-24-0x00000000035A0000-0x00000000037CA000-memory.dmp
memory/2468-31-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-16 21:14
Reported
2024-03-16 21:17
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2896 wrote to memory of 4756 | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe |
| PID 2896 wrote to memory of 4756 | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe |
| PID 2896 wrote to memory of 4756 | N/A | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe | C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe
"C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe"
C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe
C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.194.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/2896-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2896-1-0x0000000001C60000-0x0000000001D93000-memory.dmp
memory/2896-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cf166c2b80996bf38ef72d5688a7faca.exe
| MD5 | e39513159da2f71b8167f64c40f7d724 |
| SHA1 | e378c45a0dc020ee6bd8c1909eb837179245dfbb |
| SHA256 | 5483bfa059668b6f53a13f961a6e8dd7d030ee5d9151e669f59566bca57bf102 |
| SHA512 | 9c2d8546927a84753ef63994431bd8eac96290f98a2cfd9fda81601aa889edd124510a999a196fa25ab2db2c6719bd1ce6c27e9e7bedd7cb93e650a187c3bd80 |
memory/2896-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/4756-13-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4756-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/4756-14-0x0000000001CF0000-0x0000000001E23000-memory.dmp
memory/4756-20-0x00000000055F0000-0x000000000581A000-memory.dmp
memory/4756-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/4756-28-0x0000000000400000-0x00000000008EF000-memory.dmp