Analysis Overview
SHA256
20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161
Threat Level: Known bad
The file 20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161 was found to be: Known bad.
Malicious Activity Summary
Gozi family
Gozi
Executes dropped EXE
Loads dropped DLL
Deletes itself
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-20 20:51
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-20 20:51
Reported
2024-11-20 20:54
Platform
win7-20240903-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Gozi
Gozi family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe
"C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe"
C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe
C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe
Network
Files
memory/2092-0-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2092-8-0x0000000000030000-0x000000000003E000-memory.dmp
memory/2092-1-0x0000000000400000-0x000000000041B000-memory.dmp
\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe
| MD5 | d9501bf36a9f17fef0a3e87c6c000295 |
| SHA1 | 961d96c60dbdade172a311dfe47ec5cd79cd0abc |
| SHA256 | 1f2f31fa2408ee6c09cc7d54cd7241dff0008c060062896fb5e795ec79e190ec |
| SHA512 | 7f7caec09171b7d67d4943afe63ad57a3b3da11e9d5d744cc03ec6737a04b4305b55d49121608c05c64376852c21709dee4c550f63639ccf6676ee0d44e55718 |
memory/2348-17-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2092-15-0x0000000000160000-0x000000000019A000-memory.dmp
memory/2092-14-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2348-18-0x0000000000030000-0x000000000003E000-memory.dmp
memory/2348-29-0x00000000001F0000-0x000000000020B000-memory.dmp
memory/2348-25-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2348-19-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2348-30-0x0000000000400000-0x000000000043A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-20 20:51
Reported
2024-11-20 20:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe
"C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe"
C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe
C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/852-0-0x0000000000400000-0x000000000043A000-memory.dmp
memory/852-1-0x00000000001C0000-0x00000000001CE000-memory.dmp
memory/852-2-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\20f5d3447421fd9a15e00046cf65706a23bf1641c70846addaab7aec70858161.exe
| MD5 | 8a296ab9ee3a612cbec835649d4cb5ff |
| SHA1 | 153326a06cd7f5cd0fc85e443355ce60908f241d |
| SHA256 | 5248eb5245bddb2c2e9eda49a1745613421a4c9fd393688512b5648f3412a56e |
| SHA512 | 70b277d50dd8e029e771531de3ef845aa2faac951910db79aca9650c843c975ddd2e82e9d58407b6a531c5ff00025b55f67cf55dd52ece45ff0a488634980278 |
memory/1756-13-0x0000000000400000-0x000000000043A000-memory.dmp
memory/852-12-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1756-14-0x00000000000C0000-0x00000000000CE000-memory.dmp
memory/1756-15-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1756-25-0x00000000001D0000-0x00000000001EB000-memory.dmp
memory/1756-20-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1756-26-0x0000000000400000-0x000000000043A000-memory.dmp