Malware Analysis Report

2025-01-22 18:58

Sample ID 240317-d96pbadh4y
Target cfd7042d14cebab051c1a501278fbe90
SHA256 8739858213621166229ae67f37d2afecbb0b9f7e7328c1ad3a9be08eca38af1e
Tags
upx isfb gozi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8739858213621166229ae67f37d2afecbb0b9f7e7328c1ad3a9be08eca38af1e

Threat Level: Known bad

The file cfd7042d14cebab051c1a501278fbe90 was found to be: Known bad.

Malicious Activity Summary

upx isfb gozi

Gozi family

UPX packed file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-17 03:43

Signatures

Gozi family

gozi

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
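The "UPX packed file" signature above fires on the static image. The following is an added example, not the sandbox's rule and not the sample's bytes: it parses a PE section table directly with struct (no pefile dependency) and reports the three usual UPX tells, the UPX0/UPX1 section names, the literal "UPX!" packer-header marker, and a first section that has a large virtual size but zero bytes on disk. The two images it checks are constructed in memory with only headers and a section table; the UPX-style layout is sized so that the image spans 0x4EF000 bytes, the same extent as the 0x400000-0x8EF000 dumps in the behavioral runs, but that sizing is an assumption for illustration.

```python
"""Reproduce the 'UPX packed file' check from the static signatures.

Added example, not the sandbox's own rule and not the sample's bytes: the two
PE images below are constructed in memory with only headers and a section
table, which is all the check needs.
"""
import struct

SECTION_HDR = 40          # sizeof(IMAGE_SECTION_HEADER)
COFF_HDR = 20             # sizeof(IMAGE_FILE_HEADER)


def pe_sections(data: bytes):
    """Parse the section table: [(name, virtual_size, virtual_address, raw_size)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HDR + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, vaddr, rsize))
    return sections


def upx_indicators(data: bytes) -> dict:
    """Three independent UPX tells; either of the first two is enough to tag the file."""
    secs = pe_sections(data)
    upx_names = [s[0] for s in secs if s[0].upper().startswith("UPX")]
    # The packer header UPX writes into the file starts with the literal 'UPX!'.
    marker = b"UPX!" in data
    # UPX0 is the decompression target: large in memory, zero bytes on disk.
    hollow_first = bool(secs) and secs[0][1] > 0 and secs[0][3] == 0
    return {
        "upx_sections": upx_names,
        "upx_marker": marker,
        "hollow_first_section": hollow_first,
        "packed": bool(upx_names) or marker,
    }


def build_pe(section_specs, tail=b""):
    """Constructed minimal PE32: DOS stub, COFF header, optional header, section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header length
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # magic + zeroed fields
    table = b""
    for name, vsize, vaddr, rsize in section_specs:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, rsize, 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + table + tail


# Constructed layouts (assumption, not the sample): a UPX-style table whose image
# spans 0x4EF000 bytes, UPX0 empty on disk, UPX1 holding the compressed blob and
# the 'UPX!' header following it; and an ordinary linker layout for comparison.
PACKED_PE = build_pe([("UPX0", 0x22A000, 0x1000, 0),
                      ("UPX1", 0x2C3000, 0x22B000, 0x2C3000),
                      (".rsrc", 0x1000, 0x4EE000, 0x1000)], tail=b"UPX!")
CLEAN_PE = build_pe([(".text", 0x8000, 0x1000, 0x8000),
                     (".rdata", 0x2000, 0x9000, 0x2000),
                     (".data", 0x1000, 0xB000, 0x400)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_PE), ("clean", CLEAN_PE)):
        print(label, upx_indicators(blob))
```

Section names are the weakest of the three tells, since UPX can be told to rename them; the "UPX!" header marker survives renaming but can be patched out by hand, and the hollow first section is the structural property a modified stub still needs, so a hunting rule should weigh the three together rather than stop at the first match.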

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 03:43

Reported

2024-03-17 03:46

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe

"C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe"

C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe

C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zipansion.com | udp
US | 172.67.144.180:80 | zipansion.com | tcp
US | 8.8.8.8:53 | yxeepsek.net | udp
US | 104.21.20.204:80 | yxeepsek.net | tcp

Files

memory/1460-1-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1460-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1460-2-0x0000000001B20000-0x0000000001C53000-memory.dmp

\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe

MD5 b63af0432926ae549c33fbb825161bd1
SHA1 b22364df02cd9bff38d9efea0fb6c0b4bad51c32
SHA256 a37452fbe17b9ec6f83d73d379a8f0bd46f91510c369e2cc97b25c35fe02036f
SHA512 ffd1ef61ca40afe256c32d3cae7088475b07e38138c9b6e2d2b949acf353aa877d404e39134b4ba2e865facbad7a14a99efe01b9bb56a6f6c9fe9b5ac9881b00

C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe

MD5 42ffca2fabc85eaaa6c63b38f7a72116
SHA1 6f0d5494255a68aa0d6e54171b6fa083ca19e28e
SHA256 2d5a6a4678674ff255be51b86f389e5ed6d25c51822c5f8b6112d4f0f86bf612
SHA512 8b1a7c823fa59a1e9aaf0b314452759e53348ecea6f24368081d8bc7b4e3c29808dce76cb7be0e6c448fd7ceae8b16325849dd534cd0bb0de3f62c2a0a72752a

memory/1704-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1460-14-0x0000000000400000-0x000000000062A000-memory.dmp

memory/1704-16-0x0000000000130000-0x0000000000263000-memory.dmp

memory/1704-18-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/1704-22-0x0000000000400000-0x000000000061D000-memory.dmp

memory/1704-23-0x00000000033F0000-0x000000000361A000-memory.dmp

memory/1704-30-0x0000000000400000-0x00000000008EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 03:43

Reported

2024-03-17 03:46

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe

"C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe"

C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe

C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=764 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | zipansion.com | udp
US | 104.21.73.114:80 | zipansion.com | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | yxeepsek.net | udp
US | 104.21.20.204:80 | yxeepsek.net | tcp
US | 8.8.8.8:53 | 114.73.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
GB | 142.250.187.202:443 |  | tcp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp

Files

memory/2108-0-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2108-1-0x0000000001D20000-0x0000000001E53000-memory.dmp

memory/2108-2-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2108-13-0x0000000000400000-0x000000000062A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cfd7042d14cebab051c1a501278fbe90.exe

MD5 e94b4edab2384e237f97aacf3d85dc3d
SHA1 318f221cf1ceb23331e9576a33c79a048ae23bac
SHA256 524bae1499de26e01494eaccc6baf5eb815a30aaa6c2c7415c4977baae0b1cbd
SHA512 47578d6efc4b41c8e58fee18c784f205fae136a4c77842f4d1762ffad9e75d09a9f516f4274d8093742fd8a709f0538c9423a4b9c48d802e302714b8f24668d7

memory/2164-14-0x0000000000400000-0x00000000008EF000-memory.dmp

memory/2164-15-0x0000000000400000-0x000000000062A000-memory.dmp

memory/2164-16-0x00000000018F0000-0x0000000001A23000-memory.dmp

memory/2164-21-0x00000000055A0000-0x00000000057CA000-memory.dmp

memory/2164-22-0x0000000000400000-0x000000000061D000-memory.dmp

memory/2164-29-0x0000000000400000-0x00000000008EF000-memory.dmp
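Triage helpers for the Network tables and the memory dump names of behavioral1 and behavioral2, as an added example that is not part of the sandbox output. The network rows and dump names below are copied from the report; everything else is mine. The first function separates the two domains the sample contacted in both runs (zipansion.com and yxeepsek.net, each resolved through the sandbox resolver at 8.8.8.8:53 and then reached over TCP/80) from the reverse-DNS lookups and the Bing/Edge background traffic of the win10 image, on the assumption that those are noise and not something the sample initiated. The second reads the dump file names to show that the region at the image base 0x400000 was dumped with more than one size in the same process, which is the trace the UnmapMainImage and WriteProcessMemory signatures in the summary leave behind; whether a particular PID's history reflects an unmap or only the dumper taking a different extent is a judgement call, so the function reports the history rather than deciding for you.

```python
"""Triage the Network rows and memory-dump names from the two behavioral runs.

Added example, not part of the sandbox output. The rows and dump names below are
copied from the report; the noise list and the 'remapped image' heuristic are mine.
"""
import re
from collections import defaultdict

# Network rows copied from the behavioral1 and behavioral2 tables (a subset).
NETWORK_ROWS = """\
US 8.8.8.8:53 zipansion.com udp
US 172.67.144.180:80 zipansion.com tcp
US 8.8.8.8:53 yxeepsek.net udp
US 104.21.20.204:80 yxeepsek.net tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 104.21.73.114:80 zipansion.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
GB 142.250.187.202:443 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumption: PTR lookups and Edge/Bing background traffic on the win10 image are
# sandbox noise, not something the sample initiated.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")

# Dump names copied from the behavioral1 Files list (both PIDs of the sample).
DUMP_NAMES = [
    "memory/1460-0-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/1460-1-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/1460-2-0x0000000001B20000-0x0000000001C53000-memory.dmp",
    "memory/1460-14-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/1704-15-0x0000000000400000-0x000000000062A000-memory.dmp",
    "memory/1704-16-0x0000000000130000-0x0000000000263000-memory.dmp",
    "memory/1704-18-0x0000000000400000-0x00000000008EF000-memory.dmp",
    "memory/1704-22-0x0000000000400000-0x000000000061D000-memory.dmp",
    "memory/1704-23-0x00000000033F0000-0x000000000361A000-memory.dmp",
    "memory/1704-30-0x0000000000400000-0x00000000008EF000-memory.dmp",
]
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_network(text):
    """Split report rows into dicts; a 3-field row is a connection with no domain."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def candidate_c2(rows):
    """{domain: ['ip:port', ...]} for TCP peers that are neither noise nor bare IPs.
    The 8.8.8.8:53 UDP rows only show the lookup; the TCP row carries the real peer."""
    out = defaultdict(set)
    for r in rows:
        if r["proto"] != "tcp" or not r["domain"] or r["domain"].endswith(NOISE_SUFFIXES):
            continue
        out[r["domain"]].add(f"{r['ip']}:{r['port']}")
    return {d: sorted(peers) for d, peers in out.items()}


def image_base_history(names, base=0x400000):
    """Per PID, (dump sequence, region size) for every dump taken at `base`."""
    hist = defaultdict(list)
    for n in names:
        m = DUMP_RE.match(n)
        if not m:
            continue
        pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
        if start == base:
            hist[pid].append((seq, end - start))
    return {pid: sorted(v) for pid, v in hist.items()}


def remapped_pids(names, base=0x400000):
    """PIDs whose region at `base` was dumped with more than one size: the mapping
    there changed during the run, which fits the UnmapMainImage/WriteProcessMemory
    signatures rather than a single in-place UPX unpack."""
    return sorted(pid for pid, v in image_base_history(names, base).items()
                  if len({size for _, size in v}) > 1)


if __name__ == "__main__":
    print(candidate_c2(parse_network(NETWORK_ROWS)))
    for pid, hist in image_base_history(DUMP_NAMES).items():
        print(pid, [(seq, hex(size)) for seq, size in hist])
    print("remapped:", remapped_pids(DUMP_NAMES))
```

Two practical consequences follow from what the parser surfaces. The zipansion.com peer differs between runs (172.67.144.180 in behavioral1, 104.21.73.114 in behavioral2), so block or hunt on the domain rather than on either address. And the dropped-file hashes in the Files sections differ from the submitted SHA256 and from each other across runs, so a hash-based sweep for 8739858213621166229ae67f37d2afecbb0b9f7e7328c1ad3a9be08eca38af1e will not find the file as it exists on a host after the sample has rewritten itself; pair the hash with the domains above and the UPX structure check.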