Analysis Overview
SHA256
9026590e79114e36f163e553c9d16fcb3f927b73eed29275458cc81a16fd9a73
Threat Level: Known bad
The file d2cde8dfbeaf047336dce64ffb44d093 was found to be: Known bad.
Malicious Activity Summary
Gozi
UPX packed file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-18 06:25
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-18 06:25
Reported
2024-03-18 06:27
Platform
win7-20240215-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2744 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe |
| PID 2744 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe |
| PID 2744 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe |
| PID 2744 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe
"C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe"
C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe
C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/2744-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2744-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2744-2-0x0000000000130000-0x0000000000263000-memory.dmp
\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe
| MD5 | dcaac442a5c2a1591f93acea0f8a14c7 |
| SHA1 | 2a8192ef37b670435fe74b50a44e8a989d84a0d4 |
| SHA256 | 5844076b1c650b2eab9eda99188229cf58028a46b90ee47676416ef7a83ed970 |
| SHA512 | 7619ae4dcf1282129ac43b409dd1e490c97ea95b8c2ef47b1882f0c6593ea0c90533373a497746d86b09ae528c4443d1995058df492153a1c9a1c68e9f8704f5 |
memory/2744-14-0x00000000038F0000-0x0000000003DDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe
| MD5 | 8d21f0d96e87db54e9e7baf4ab2aea7f |
| SHA1 | 9749bcef151b4935f8f3ed03baccc6615be1dff7 |
| SHA256 | 4deb258d5fe187d83ca6013dcc7bf3aa540f382ea00c0911e74f1c92776e671d |
| SHA512 | 9f9a09a5adb9515bbbf4196fb6e5c8bd77e8165df94e5f34ed7126c46a3dfa6672adb9206949cfc04b9ed41c5e99258300b385b1c713f7b4019350ae55feda0d |
memory/2744-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3008-17-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3008-16-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3008-19-0x0000000000240000-0x0000000000373000-memory.dmp
memory/3008-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/3008-24-0x00000000034D0000-0x00000000036FA000-memory.dmp
memory/3008-31-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-18 06:25
Reported
2024-03-18 06:27
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2168 wrote to memory of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe |
| PID 2168 wrote to memory of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe |
| PID 2168 wrote to memory of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe | C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe |
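The WriteProcessMemory rows in both detonations (2744 writing into 3008 on win7, 2168 writing into 4180 on win10) show the sample writing into a second process that runs the same image path, and the same image also triggers UnmapMainImage. That combination is the process-hollowing (RunPE) shape typical of packed Gozi loaders: spawn a copy of yourself, unmap its main image, write the unpacked payload in. The script below is an added example, not part of the sandbox report or any Gozi tooling; it correlates rows of exactly this shape into (writer, target) pairs and grades them. ROWS is constructed from the tables above for both runs, plus one invented cross-image row for contrast; the severity scale is an assumption.

```python
# Added example (not part of the sandbox report): correlate the
# "Suspicious use of WriteProcessMemory" rows into injection pairs and
# flag the self-hollowing shape. ROWS is constructed from the report's
# tables for both detonations; the cross-image row is invented for contrast.
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe"

# (description, writer image, target image) exactly as the tables list them
ROWS = (
    [("PID 2744 wrote to memory of 3008", SAMPLE, SAMPLE)] * 4   # behavioral1
    + [("PID 2168 wrote to memory of 4180", SAMPLE, SAMPLE)] * 3  # behavioral2
    # constructed negative case, not in the report: a write into another image
    + [("PID 9999 wrote to memory of 1234", SAMPLE, r"C:\Windows\explorer.exe")]
)

# Images that also raised "Suspicious use of UnmapMainImage" in the report
UNMAPPED = {SAMPLE}

DESC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_writes(rows):
    """Yield (writer_pid, target_pid, writer_image, target_image) per row."""
    for desc, src_img, dst_img in rows:
        m = DESC_RE.fullmatch(desc.strip())
        if m is None:
            continue  # rows without a PID pair carry no correlation value
        yield int(m.group(1)), int(m.group(2)), src_img.lower(), dst_img.lower()


def find_self_injection(rows, unmapped_images=()):
    """Group WriteProcessMemory rows by (writer PID, target PID).

    A writer whose target runs the *same* image it runs itself, combined with
    UnmapMainImage on that image, is the RunPE / process-hollowing shape.
    Cross-image writes are returned too, but not marked as self-injection.
    """
    unmapped = {i.lower() for i in unmapped_images}
    pairs = {}  # insertion order preserved: findings come out in report order
    for src_pid, dst_pid, src_img, dst_img in parse_writes(rows):
        entry = pairs.setdefault((src_pid, dst_pid),
                                 {"writes": 0, "writer": src_img, "target": dst_img})
        entry["writes"] += 1

    findings = []
    for (src_pid, dst_pid), e in pairs.items():
        self_inject = e["writer"] == e["target"]
        unmap = e["target"] in unmapped
        if self_inject and unmap:
            severity = "high"    # hollowing shape with the image unmapped
        elif self_inject:
            severity = "medium"  # same image, but no unmap evidence
        else:
            severity = "low"     # generic cross-process write; triage by target
        findings.append({
            "writer_pid": src_pid, "target_pid": dst_pid,
            "image": e["writer"], "target_image": e["target"],
            "writes": e["writes"], "self_injection": self_inject,
            "unmap_main_image": unmap, "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_self_injection(ROWS, UNMAPPED):
        print(f"{f['severity']:6} {f['writer_pid']}->{f['target_pid']} "
              f"writes={f['writes']} self={f['self_injection']} "
              f"unmap={f['unmap_main_image']}")
```

The number of writes per pair (4 on win7, 3 on win10) is the headers-plus-sections pattern of a manual mapper rather than a single buffer copy, which is why the grouping keeps the count. In an EDR pipeline the same logic maps onto Sysmon ProcessAccess events where SourceImage equals TargetImage; the report's rows are just that relation flattened into text.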
Processes
C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe
"C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe"
C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe
C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| GB | 92.123.128.161:443 | www.bing.com | tcp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
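Both Network tables mix the sample's own traffic (DNS lookups for zipansion.com and yxeepsek.net, then plain HTTP on port 80 to the resolved addresses) with sandbox and Windows background activity (the in-addr.arpa reverse lookups of every address touched, and the bing.com / bing.net endpoints on the win10 image). The script below is an added example, not part of the report, that parses rows in the report's own table format and keeps only the actionable indicators. NETWORK_TABLE is constructed by pasting rows from both detonations; the noise suffixes and the resolver list are assumptions about this sandbox's background traffic, not report content. One caveat the report does not state: the resolved addresses (172.67.x and 104.21.x) sit in ranges used by a shared reverse-proxy provider and already differ between the two runs, so the domains are the durable indicator and the IPs should be treated as short-lived.

```python
# Added example (not part of the sandbox report): pull actionable network
# IOCs out of the Network tables above. NETWORK_TABLE is constructed by
# pasting rows from both detonations; the noise suffixes and resolver list
# are assumptions about sandbox/OS background traffic, not report content.
import re

NETWORK_TABLE = """\
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| GB | 92.123.128.161:443 | www.bing.com | tcp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

# Assumed allowlist: Windows 10 search/telemetry endpoints and the sandbox's
# reverse lookups of everything it touched. Tune per sandbox image.
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS server, never an indicator itself

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|"
    r"\s*(?P<domain>[^|]+?)\s*\|\s*(?P<proto>udp|tcp)\s*\|$"
)


def parse_network_table(text):
    """Parse markdown rows into dicts; header, separator and junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["domain"] = d["domain"].lower()
            rows.append(d)
    return rows


def is_noise(domain):
    """Background traffic we do not want in a blocklist."""
    return domain.endswith(NOISE_SUFFIXES)


def extract_iocs(text):
    """Return the domains the sample resolved or contacted, the IPs it
    connected to, and the (ip, port, proto, domain) tuples, noise removed.

    A DNS row to the resolver proves the sample looked the name up, so the
    domain is kept even though the resolver address is dropped. Any other row
    is an actual connection and yields an ip:port indicator.
    """
    domains, ips, conns = set(), set(), set()
    for r in parse_network_table(text):
        if is_noise(r["domain"]):
            continue
        domains.add(r["domain"])
        if r["ip"] in RESOLVERS:
            continue
        ips.add(r["ip"])
        conns.add((r["ip"], r["port"], r["proto"], r["domain"]))
    return {
        "domains": sorted(domains),
        "ips": sorted(ips),
        "connections": sorted(conns),
        # unencrypted C2-style traffic: easy to hunt in proxy logs by Host header
        "plaintext_http": sorted({d for _, p, proto, d in conns
                                  if p == 80 and proto == "tcp"}),
    }


if __name__ == "__main__":
    for k, v in extract_iocs(NETWORK_TABLE).items():
        print(f"{k}: {v}")
```

Run it on a report pasted in whole and it yields two domains and three short-lived IPs for this sample; the plaintext_http list is the pivot for proxy and NetFlow hunting, since the win7 run shows the same two hosts contacted on port 80 without TLS.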
Files
memory/2168-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2168-1-0x0000000001C40000-0x0000000001D73000-memory.dmp
memory/2168-2-0x0000000000400000-0x000000000062A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d2cde8dfbeaf047336dce64ffb44d093.exe
| MD5 | 92236f16d85b72f6265f4c957b690631 |
| SHA1 | 9864608de578c84d88e6db9120260172bea993ff |
| SHA256 | 452b88574cc7ed8dcb00fc5a549f8307ca95913299b64fe0842919d80781bcbf |
| SHA512 | 6da272e755a00d0a4ab0fbe01a98e14ef464fe06c4476fabe44c980b4498f46ea36eca139165c1e2594ce43a9a3e92b160b6ff3dbc31f4e94dc2de017befd55d |
memory/4180-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2168-13-0x0000000000400000-0x000000000062A000-memory.dmp
memory/4180-15-0x0000000001D70000-0x0000000001EA3000-memory.dmp
memory/4180-12-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4180-21-0x0000000005670000-0x000000000589A000-memory.dmp
memory/4180-20-0x0000000000400000-0x000000000061D000-memory.dmp
memory/4180-28-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/4288-29-0x0000018F01F80000-0x0000018F01F90000-memory.dmp
memory/4288-45-0x0000018F02080000-0x0000018F02090000-memory.dmp
memory/4288-61-0x0000018F0A670000-0x0000018F0A671000-memory.dmp
memory/4288-62-0x0000018F0A680000-0x0000018F0A681000-memory.dmp
memory/4288-63-0x0000018F0A680000-0x0000018F0A681000-memory.dmp
memory/4288-64-0x0000018F0A680000-0x0000018F0A681000-memory.dmp
memory/4288-65-0x0000018F0A680000-0x0000018F0A681000-memory.dmp
memory/4288-66-0x0000018F0A680000-0x0000018F0A681000-memory.dmp
memory/4288-67-0x0000018F0A680000-0x0000018F0A681000-memory.dmp
memory/4288-68-0x0000018F0A680000-0x0000018F0A681000-memory.dmp
memory/4288-69-0x0000018F0A680000-0x0000018F0A681000-memory.dmp
memory/4288-70-0x0000018F0A680000-0x0000018F0A681000-memory.dmp
memory/4288-71-0x0000018F0A680000-0x0000018F0A681000-memory.dmp
memory/4288-72-0x0000018F0A2C0000-0x0000018F0A2C1000-memory.dmp
memory/4288-73-0x0000018F0A2B0000-0x0000018F0A2B1000-memory.dmp
memory/4288-75-0x0000018F0A2C0000-0x0000018F0A2C1000-memory.dmp
memory/4288-78-0x0000018F0A2B0000-0x0000018F0A2B1000-memory.dmp