Analysis Overview
SHA256
1936713a6318021fbd5a0893483bc671804117d5c6ac3fb4566cf0eb66326bb6
Threat Level: Known bad
The file cfcf03e542480fb6ed96b729d2b5beff was found to be: Known bad.
Malicious Activity Summary
Gozi
Gozi family
Executes dropped EXE
Loads dropped DLL
Deletes itself
UPX packed file
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-17 03:28
Signatures
Gozi family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
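The two static signatures above are cheap header checks, and the empty indicator tables do not say what was matched. The following is an added example (my code, not the sandbox's signature logic) showing the minimum PE parsing behind them: section names compared against the UPX0/UPX1/UPX2 names the stock UPX packer writes, plus whether the Authenticode data directory (index 4, IMAGE_DIRECTORY_ENTRY_SECURITY) is populated. `build_pe()` constructs header-only, non-loadable PE32 blobs so the checks can be exercised without the real sample; nothing here reads the file on this page.

```python
"""Static checks behind 'UPX packed file' and 'Unsigned PE' (added example)."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Return section headers and the security data-directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd_offset = opt + 96       # data directories follow the PE32 fields
    elif magic == PE32PLUS_MAGIC:
        dd_offset = opt + 112      # PE32+ widens ImageBase/stack/heap fields
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    sec_rva, sec_size = struct.unpack_from(
        "<II", data, dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    sections = []
    table = opt + opt_size         # section table starts right after the optional header
    for i in range(nsections):
        off = table + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0"),
                         "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"sections": sections, "security_dir": (sec_rva, sec_size)}


def is_upx_packed(pe: dict) -> bool:
    """Name-based check only; section names are trivially renamed, so treat as a hint."""
    return bool({s["name"] for s in pe["sections"]} & UPX_SECTION_NAMES)


def empty_on_disk_sections(pe: dict) -> list:
    """Sections with memory but no file bytes: the unpack target of most
    runtime packers (UPX0's usual shape), independent of the name."""
    return [s["name"] for s in pe["sections"] if s["rawsize"] == 0 and s["vsize"] > 0]


def is_signed(pe: dict) -> bool:
    """True if an Authenticode blob is present. Presence is not validity:
    verify the chain separately (signtool, osslsigncode, Get-AuthenticodeSignature)."""
    rva, size = pe["security_dir"]
    return rva != 0 and size != 0


def build_pe(section_names, signed=False, upx_shape=False) -> bytes:
    """Constructed test input: headers only, never loadable."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224                       # PE32 optional header incl. 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    secs = b""
    for i, name in enumerate(section_names):
        rawsize = 0 if (upx_shape and i == 0) else 0x200
        secs += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), rawsize, 0x400 + 0x200 * i,
            0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs
```

Run `is_upx_packed(parse_pe(open(path, "rb").read()))` against a real file to reproduce the signature; `empty_on_disk_sections()` still fires when the section names have been scrubbed. The "Unsigned PE" result here only says no signature blob is embedded; a populated directory still needs chain validation before it counts for anything.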
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-17 03:28
Reported
2024-03-17 03:30
Platform
win7-20240221-en
Max time kernel
118s
Max time network
135s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1812 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
| PID 1812 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
| PID 1812 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
| PID 1812 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe
"C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe"
C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe
C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe
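What the WriteProcessMemory, UnmapMainImage and Processes entries above describe together is the sample launching a second copy of itself (PID 1812 spawning 2772) and writing into it, while the main-image mapping at 0x400000 is dumped at more than one size. The script below is an added example, not sandbox code: it takes the four WriteProcessMemory rows and the memory-dump names copied from this run as its only input, flags writer/target pairs that run the same image, and reports the distinct sizes the 0x400000 mapping had per PID. Everything else about the sample (what the written bytes were, which unpacked payload lands where) is not on this page and is not inferred here.

```python
"""Correlate WriteProcessMemory rows with memory-dump names (added example)."""
import re
from collections import defaultdict

# Constructed input: the four WriteProcessMemory rows from behavioral1.
WPM_ROWS = r"""
| PID 1812 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
| PID 1812 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
| PID 1812 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
| PID 1812 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
"""

# Constructed input: the memory-dump names from behavioral1's Files list.
MEMDUMPS = """
memory/1812-0-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1812-2-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1812-4-0x0000000001B20000-0x0000000001C53000-memory.dmp
memory/2772-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1812-14-0x0000000003E60000-0x000000000434F000-memory.dmp
memory/1812-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2772-18-0x00000000002C0000-0x00000000003F3000-memory.dmp
memory/2772-17-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2772-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2772-25-0x00000000036E0000-0x000000000390A000-memory.dmp
memory/1812-31-0x0000000003E60000-0x000000000434F000-memory.dmp
memory/2772-32-0x0000000000400000-0x00000000008EF000-memory.dmp
"""

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_wpm_rows(text):
    """Turn '| description | indicator | process | target |' rows into events."""
    events = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        m = WPM_RE.search(cells[0])
        if not m:
            continue
        events.append({"src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
                       "src_path": cells[2], "dst_path": cells[3]})
    return events


def find_self_injection(events):
    """Cross-process writes where writer and target run the same image:
    the spawn-a-copy-then-overwrite pattern that, with UnmapMainImage,
    is how hollowing shows up in these reports. Returns (src, dst, count)."""
    counts = defaultdict(int)
    for e in events:
        if e["src_pid"] == e["dst_pid"]:
            continue  # writing to its own address space is not injection
        if e["src_path"].lower() == e["dst_path"].lower():
            counts[(e["src_pid"], e["dst_pid"])] += 1
    return sorted((s, d, n) for (s, d), n in counts.items())


def parse_memdumps(text):
    """pid -> [(sequence, start, end)] from the dump file names."""
    regions = defaultdict(list)
    for name in text.split():
        m = DUMP_RE.match(name)
        if m:
            pid, seq, start, end = m.groups()
            regions[int(pid)].append((int(seq), int(start, 16), int(end, 16)))
    for pid in regions:
        regions[pid].sort()
    return dict(regions)


def image_region_sizes(regions, base=0x400000):
    """Distinct sizes of the mapping at `base` when dumped; more than one
    size for a PID means the main image was remapped during the run."""
    out = {}
    for pid, rs in regions.items():
        sizes = sorted({end - start for _, start, end in rs if start == base})
        if sizes:
            out[pid] = sizes
    return out
```

For this run `find_self_injection()` yields a single pair, 1812 into 2772 with four write events, and `image_region_sizes()` shows both PIDs with several distinct sizes at 0x400000 (0x22A000, 0x4EF000 and, for 2772, 0x61D000-0x400000), which is the UnmapMainImage signature seen from the dump side. The same rows in behavioral2 (4984 into 3804) give the same shape.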
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
Files
memory/1812-0-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1812-2-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1812-4-0x0000000001B20000-0x0000000001C53000-memory.dmp
\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe
| MD5 | 5154bd1fd30757b74adbc3f1b245731f |
| SHA1 | c97003fd5b3f1fadc0948576dc037e67121d6fe5 |
| SHA256 | c07a377acf55b255dda36ef952ed501ccfc8de940772de42a50caff880f285ac |
| SHA512 | 8a19e2f1c2e2b3aad1c2b87bafa39782919770a8050dfc630109d25ab8bf880c33b8963a624997bd27637afd578547b66dede689efe7844759a73324ae322553 |
C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe
| MD5 | 99bb5477577220171d06951028e05c3d |
| SHA1 | 0e32054d89299653ccc0918dd1858b6a7280b2f4 |
| SHA256 | 58130ffb586abd80fb7145b9bbe59df6e2b8f222469ddb52d358f9098e90f2af |
| SHA512 | 1183ed2a73c28d8600e805eb6f120832fe87ab7dc768011c7d396079d723913cfead1dc373372c9bf25b3eedd5994cc5afc85365b992c656cf72c10980a91bcc |
memory/2772-16-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1812-14-0x0000000003E60000-0x000000000434F000-memory.dmp
memory/1812-13-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe
| MD5 | b15511522a2e5f2572e36f2a20410458 |
| SHA1 | 7c4f078761f806aa9f5345312f2e5c7f92a4e08b |
| SHA256 | 6c7114bd47773b1de6c4a190d9be32576b30208454442c49d4671cd6b0223764 |
| SHA512 | 012f359814f9df7006434e7ea2f389c2f906e94bb67ae257aa407ef86e0f201622c72d1280977d1d4760f636e7cb705de580fde72171ede314b4d11b3e62b3a4 |
memory/2772-18-0x00000000002C0000-0x00000000003F3000-memory.dmp
memory/2772-17-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2772-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2772-25-0x00000000036E0000-0x000000000390A000-memory.dmp
memory/1812-31-0x0000000003E60000-0x000000000434F000-memory.dmp
memory/2772-32-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-17 03:28
Reported
2024-03-17 03:30
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4984 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
| PID 4984 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
| PID 4984 wrote to memory of 3804 | N/A | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe | C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe
"C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe"
C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe
C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
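Most of the rows in this Network table are reverse lookups (`*.in-addr.arpa`) and Windows background traffic (`tse1.mm.bing.net`), not sample activity. The script below is an added example, not part of the report: it reduces both runs' tables to the names the sample actually connected to, keeps the resolved addresses per name, and flags names whose address changed between runs. The rows are copied from the two tables (PTR entries abbreviated); the noise suffix list is my assumption about what the sandbox's Windows image contacts on its own. Note that zipansion.com resolved to 172.67.144.180 in behavioral1 and 104.21.73.114 in behavioral2; both addresses appear to sit in Cloudflare-fronted space, so the domains, not the IPs, are the durable indicators here.

```python
"""Reduce the sandbox Network tables to indicator candidates (added example)."""
from collections import defaultdict

# Constructed input: rows from behavioral1 and behavioral2 (PTR lookups abbreviated).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
"""

# Assumption: background traffic of the sandbox's own Windows image, not the sample's.
NOISE_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftncsi.com")


def parse_network_rows(text):
    """'| Country | Destination | Domain | Proto |' rows -> dicts."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Country":
            rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def triage_network(rows, noise_suffixes=NOISE_SUFFIXES):
    """Return (connections, lookups_only, dropped):
    connections  domain -> set of ip:port the sample connected to
    lookups_only domains resolved but never connected to (failed or sinkholed C2 often looks like this)
    dropped      rows discarded as PTR lookups or background noise"""
    connections = defaultdict(set)
    looked_up = set()
    dropped = 0
    for r in rows:
        d = r["domain"].lower()
        if d.endswith((".in-addr.arpa", ".ip6.arpa")) or d.endswith(noise_suffixes):
            dropped += 1       # reverse lookups of peers, and OS chatter
            continue
        if r["proto"] == "udp" and r["dest"].endswith(":53"):
            looked_up.add(d)   # a query to the resolver, not a connection
            continue
        connections[d].add(r["dest"])
    return dict(connections), looked_up - set(connections), dropped


def ip_pivot_warning(connections):
    """Names that resolved to more than one address across runs: the
    address is a weak pivot, the name is the indicator worth blocking."""
    return sorted(d for d, dests in connections.items()
                  if len({dest.rsplit(":", 1)[0] for dest in dests}) > 1)
```

Run it over the full tables rather than the abbreviated copy and the result is the same two names; `lookups_only` is empty because every non-noise name the sample resolved was also connected to on port 80. Both flows are plain HTTP, so the request bodies would be recoverable from a pcap, but this page does not include them.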
Files
memory/4984-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4984-1-0x00000000018F0000-0x0000000001A23000-memory.dmp
memory/4984-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cfcf03e542480fb6ed96b729d2b5beff.exe
| MD5 | 90884e49d89bb4b4cbaad31a704bb0a1 |
| SHA1 | 19a4846ecd77d5760c6081b1ccfa5407675b91d1 |
| SHA256 | e6b382a4a7a957b01f5aa77cf365fbcb04cf6a747890a57e569d0ca882ae3217 |
| SHA512 | e9d86a489cf46a40b31ea92a5be1c441c8fa030668610ea08778320d507a48089a12a82168d62255a0e499308113f0ebdc37908160f4700c2e6de10af1df1393 |
memory/4984-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3804-15-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3804-16-0x0000000001DA0000-0x0000000001ED3000-memory.dmp
memory/3804-14-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3804-22-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3804-21-0x00000000056A0000-0x00000000058CA000-memory.dmp
memory/3804-29-0x0000000000400000-0x00000000008EF000-memory.dmp