Analysis Overview
SHA256
eeb959d3aee93a8c870d7dd0dbd9724528828f61b82617e0766e8bb2edae4b2a
Threat Level: Known bad
The file d33275dc6c004d89ee576cd9b99a7669 was found to be: Known bad.
Malicious Activity Summary
Gozi
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-18 09:50
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-18 09:50
Reported
2024-03-18 09:53
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1456 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe |
| PID 1456 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe |
| PID 1456 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe |
| PID 1456 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe
"C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe"
C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe
C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 104.21.73.114:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 172.67.194.101:80 | yxeepsek.net | tcp |
Files
memory/1456-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/1456-1-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1456-2-0x00000000018F0000-0x0000000001A23000-memory.dmp
\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe
| MD5 | 125c4ae2c8fd231ec66cf9118aaa3166 |
| SHA1 | c304a2a19945a8922ab76c47bd537cf6e17ffd4b |
| SHA256 | b390d75b3188eb84b72c954fb46500817ef4fc6fb07e88a1ce07b17d119db7d0 |
| SHA512 | 6a96cd73c991244e10906271e14ec9ef169a1afe3c16d997fa93382f1da2a36fc9b6b40ecf499ff8aea028f1a896d9114f6ab4e2dc9438ac9ee5eff673e6c44d |
memory/1456-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/1456-15-0x0000000003F30000-0x000000000441F000-memory.dmp
memory/2484-17-0x0000000000400000-0x000000000062A000-memory.dmp
memory/2484-19-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/2484-16-0x0000000001B20000-0x0000000001C53000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe
| MD5 | 18636558a0848530196f6b5849b9d565 |
| SHA1 | e3334999850366537dc55ae99cf09766d4b9cbe5 |
| SHA256 | 7cadaee7453f738451d7d60ec435531fbb5fd18d22dc63b600a80e34b8296a12 |
| SHA512 | 1f035c09d43f5389cfb823586f3c205925d52c2d60e3bd84b85b5e9d3264a5aae26911e5df17933cf154b964e01ca5617f9d67d04cba5072e053e4ef9555623d |
memory/2484-23-0x0000000000400000-0x000000000061D000-memory.dmp
memory/2484-25-0x0000000003410000-0x000000000363A000-memory.dmp
memory/2484-31-0x0000000000400000-0x00000000008EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-18 09:50
Reported
2024-03-18 09:53
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
131s
Command Line
Signatures
Gozi
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3860 wrote to memory of 444 | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe |
| PID 3860 wrote to memory of 444 | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe |
| PID 3860 wrote to memory of 444 | N/A | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe | C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe
"C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe"
C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe
C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipansion.com | udp |
| US | 172.67.144.180:80 | zipansion.com | tcp |
| US | 8.8.8.8:53 | yxeepsek.net | udp |
| US | 104.21.20.204:80 | yxeepsek.net | tcp |
| US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.20.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3860-0-0x0000000000400000-0x00000000008EF000-memory.dmp
memory/3860-1-0x0000000001D00000-0x0000000001E33000-memory.dmp
memory/3860-2-0x0000000000400000-0x000000000062A000-memory.dmp
memory/3860-12-0x0000000000400000-0x000000000062A000-memory.dmp
memory/444-13-0x0000000000400000-0x00000000008EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d33275dc6c004d89ee576cd9b99a7669.exe
| MD5 | 47156352a333adb43acbe24fa50f85a2 |
| SHA1 | 28d4ddc71746ae213a9acfe0ccc7b1e90aa59e61 |
| SHA256 | 336fa0fa84ec3208c5426db563072861f954faec800b3bc1bf36b6e7becb8d81 |
| SHA512 | 57f4835eec1ad165700c2f953acd9fa73f3a8d108b3251b433c0af2b15ea5f80fd41518af1db2000edc49c0230fff576c0c48b593a9053c170211075775af00a |
memory/444-15-0x0000000001DF0000-0x0000000001F23000-memory.dmp
memory/444-14-0x0000000000400000-0x000000000062A000-memory.dmp
memory/444-20-0x00000000056F0000-0x000000000591A000-memory.dmp
memory/444-21-0x0000000000400000-0x000000000061D000-memory.dmp
memory/444-28-0x0000000000400000-0x00000000008EF000-memory.dmp