Analysis Overview
SHA256
1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9
Threat Level: Known bad
The file 1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe was found to be: Known bad.
Malicious Activity Summary
Gozi family
Gozi
Executes dropped EXE
Checks computer location settings
UPX packed file
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-23 17:33
Signatures
Gozi family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-23 17:33
Reported
2024-11-23 17:35
Platform
win7-20240708-en
Max time kernel
16s
Max time network
17s
Signatures
Gozi
Gozi family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\ash_inet2.dll | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\ash_inet2.dll | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Ashampoo | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19 | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A |
| File created | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\__tmp_rar_sfx_access_check_259449896 | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe
"C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E292.tmp\E293.bat C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"
C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe
2.exe
Network
Files
memory/2172-0-0x0000000000400000-0x00000000005B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E292.tmp\E293.bat
| MD5 | a4d54825c48a32efc53e34ea0f588d1c |
| SHA1 | cd5815db470cf3af4d6ce658151eb24fef1c664f |
| SHA256 | a80606f4473428d06cee3e62fd68ec7fc9b99a563260a5ed0d012d76634efe39 |
| SHA512 | 74058d5b0e14ad7b453ed6119e483d3ac3281405f29f2f804c67c0e3b112c68349d8893e8232e3ca93695f43705fcf6a18ec3f6016e68bfe11b1b10a79ba723b |
C:\Users\Admin\AppData\Local\Temp\E292.tmp\2.exe
| MD5 | a99128027215ad1dbb57216f1609bd2b |
| SHA1 | aa945b1d72e6593d6961f2186a99dacf40910153 |
| SHA256 | 8c9345cd34b8f57a49574df8131f44b7d643edd20a653cd51f508dafaad0c4de |
| SHA512 | 391d3dfbbbcc2f22d7fab75572bf5fa6876e0703ad688fb00a293b1df4fae53077c64139d4a2f14fbe9d088595974fde91d4da7137f5c91fda36a6eb89a2176c |
memory/2172-10-0x0000000000400000-0x00000000005B5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-23 17:33
Reported
2024-11-23 17:35
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
96s
Signatures
Gozi
Gozi family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\ash_inet2.dll | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\ash_inet2.dll | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Ashampoo | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19 | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A |
| File created | C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\__tmp_rar_sfx_access_check_240622734 | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A |
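Read together, the rows above say that 2.exe, running from a .tmp directory under the user's Temp, creates a DLL and a file named __tmp_rar_sfx_access_check_<number> inside C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19. That marker is the write-access probe a WinRAR self-extracting stub creates in its extraction directory, so the two events together read as an SFX archive unpacking into a Program Files path rather than a hand-written installer routine. The script below is an added example, not code from this report or from the sandbox; it walks file events in the shape of the table, separates the SFX marker from the dropped binaries, and reports when a binary written by a process from a user-writable location lands in a directory that also received the marker. The list of user-writable locations and the set of binary extensions are assumptions made for the example; the event rows are copied from the table.

```python
import re
from pathlib import PureWindowsPath

# Rows copied from the behavioral2 "Drops file in Program Files directory" table:
# (description, path, process). The process column is the dropped 2.exe throughout.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe"
FILE_EVENTS = [
    ("File created", r"C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\ash_inet2.dll", DROPPER),
    ("File opened for modification", r"C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\ash_inet2.dll", DROPPER),
    ("File opened for modification", r"C:\Program Files (x86)\Ashampoo", DROPPER),
    ("File opened for modification", r"C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19", DROPPER),
    ("File created", r"C:\Program Files (x86)\Ashampoo\Ashampoo Burning Studio 19\__tmp_rar_sfx_access_check_240622734", DROPPER),
]

# Name of the write-access probe a WinRAR SFX stub creates in its extraction directory.
SFX_CHECK_RE = re.compile(r"^__tmp_rar_sfx_access_check_\d+$", re.IGNORECASE)
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
# Locations an unprivileged user can write to (assumption for this example).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "c:\\users\\public\\")
# File types treated as executable code (assumption for this example).
BINARY_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr"}


def under_program_dir(path):
    """True when the path sits below either Program Files root."""
    return path.lower().startswith(PROGRAM_DIRS)


def from_user_writable(process):
    """True when the writing process image lives in a user-writable location."""
    p = process.lower()
    return any(marker in p for marker in USER_WRITABLE)


def classify(events):
    """Correlate file-create events into findings.

    sfx_extract_dirs: directories where the SFX access-check file appeared
    dropped_binaries: (path, process) for binaries created under Program Files
                      by a process running from a user-writable location
    verdict: "sfx_drop_into_program_files" when a dropped binary lands in a
             directory that also received the SFX marker, otherwise None
    """
    sfx_dirs, dropped = [], []
    for desc, path, process in events:
        if desc != "File created":
            continue  # opens for modification carry no new file; creations are enough here
        p = PureWindowsPath(path)
        if SFX_CHECK_RE.match(p.name):
            sfx_dirs.append(str(p.parent))
        elif (under_program_dir(path) and p.suffix.lower() in BINARY_EXT
              and from_user_writable(process)):
            dropped.append((path, process))
    verdict = None
    for path, _ in dropped:
        if str(PureWindowsPath(path).parent) in sfx_dirs:
            verdict = "sfx_drop_into_program_files"
            break
    return {"sfx_extract_dirs": sfx_dirs, "dropped_binaries": dropped, "verdict": verdict}


if __name__ == "__main__":
    for key, value in classify(FILE_EVENTS).items():
        print(f"{key}: {value}")
```

The verdict is a heuristic, not a conviction: a legitimate SFX-based installer leaves the same marker. What makes it worth acting on here is the lineage the rest of the report supplies, namely that the writer was itself started from a batch file in Temp by an unsigned, UPX-packed sample.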
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5068 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe | C:\Windows\system32\cmd.exe |
| PID 5068 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe | C:\Windows\system32\cmd.exe |
| PID 3048 wrote to memory of 4336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe |
| PID 3048 wrote to memory of 4336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe |
| PID 3048 wrote to memory of 4336 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe
"C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\9A1E.bat C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"
C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe
2.exe
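The three command lines above, read with the "Suspicious use of WriteProcessMemory" rows from the same run, describe one chain. The sample starts cmd.exe through the sysnative alias (the path a 32-bit process under WOW64 uses to reach the 64-bit System32 rather than SysWOW64; the image path the report resolves, C:\Windows\system32\cmd.exe, is consistent with that) to run a batch file from a freshly created .tmp directory, passing its own path as the batch file's argument, and the batch file starts the dropped 2.exe. The write events line up with that tree (5068 into 3048, 3048 into 4336), which is what process creation produces, not a write into some unrelated process. The script below is an added example, not part of the report or the sandbox's own tooling; it rebuilds the tree from the rows as printed, flags write pairs that do not fit a parent-to-child shape, and matches the cmd.exe command line against a .tmp/.bat naming pattern assumed from the two detonations. The PID-to-command-line pairing is taken from the write table (the Processes list prints no PIDs) and the payload path from the "Executes dropped EXE" row.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral2 "Suspicious use of WriteProcessMemory" table.
WRITE_ROWS = [
    "PID 5068 wrote to memory of 3048",
    "PID 5068 wrote to memory of 3048",
    "PID 3048 wrote to memory of 4336",
    "PID 3048 wrote to memory of 4336",
    "PID 3048 wrote to memory of 4336",
]

# Command lines copied from the behavioral2 "Processes" list. The report prints no
# PIDs next to them; the pairing below is inferred from the write table (assumption).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1064209b82e6125f69c084040f0b6974318e4177827ee3aa0677854f3b9d6ad9.exe"
PROCESSES = {
    5068: '"' + DROPPER + '"',
    3048: r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\9A1E.bat ' + DROPPER + '"',
    4336: "2.exe",
}
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe"  # from "Executes dropped EXE"

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# cmd.exe /c "<dir>\XXXX.tmp\YYYY.bat <argument>" with four-hex-digit names, the
# GetTempFileName-style naming seen in both detonations (assumed pattern).
BAT_LAUNCH_RE = re.compile(
    r'cmd\.exe"?\s+/c\s+"?(?P<tmpdir>[A-Za-z]:\\[^"]*?\\[0-9A-F]{4}\.tmp)'
    r'\\(?P<bat>[0-9A-F]{4}\.bat)\s+(?P<arg>[^"]+)"?',
    re.IGNORECASE,
)


def parse_writes(rows):
    """Collapse repeated rows into the set of (writer_pid, target_pid) pairs."""
    pairs = set()
    for row in rows:
        m = WRITE_RE.search(row)
        if m:
            pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def write_tree(pairs):
    """Map each written-to PID to its single writer.

    A parent writing into a child it has just created (CreateProcess) shows up as
    exactly one writer per target. A target with several writers, a write to self,
    or two processes writing into each other do not fit that shape and are
    returned as anomalies to inspect for real injection.
    """
    writers = defaultdict(set)
    for src, dst in pairs:
        writers[dst].add(src)
    tree, anomalies = {}, set()
    for dst, srcs in writers.items():
        if len(srcs) == 1:
            tree[dst] = next(iter(srcs))
        else:
            anomalies.add(dst)
    for src, dst in pairs:
        if src == dst or (dst, src) in pairs:
            anomalies.add(dst)
    return tree, sorted(anomalies)


def chain(tree, leaf):
    """Walk writer links upward from leaf; returns [root, ..., leaf]."""
    path = [leaf]
    while path[-1] in tree and tree[path[-1]] not in path:
        path.append(tree[path[-1]])
    return path[::-1]


def uses_sysnative(cmdline):
    """True when the launch went through the WOW64 sysnative alias."""
    return "\\sysnative\\" in cmdline.lower()


def dropper_stage(cmdline):
    """Split a 'cmd.exe /c <tmpdir>\\<bat> <arg>' command line into its parts, or None."""
    m = BAT_LAUNCH_RE.search(cmdline)
    return m.groupdict() if m else None


def match_dropper_chain(tree, processes, payload_path):
    """Confirm dropper.exe -> cmd.exe /c <tmp>\\X.bat <dropper path> -> <tmp>\\2.exe.

    The batch file must receive the dropper's own path as its argument, and the
    executed payload must live in the same .tmp directory as the batch file.
    """
    for pid, cmdline in processes.items():
        stage = dropper_stage(cmdline)
        if stage is None:
            continue
        parent = tree.get(pid)
        parent_path = processes.get(parent, "").strip('"').lower()
        if parent_path != stage["arg"].strip().lower():
            continue
        if not payload_path.lower().startswith(stage["tmpdir"].lower() + "\\"):
            continue
        children = sorted(c for c, p in tree.items() if p == pid)
        if not children:
            continue
        return {"dropper_pid": parent, "cmd_pid": pid, "payload_pid": children[0],
                "tmpdir": stage["tmpdir"], "bat": stage["bat"]}
    return None


if __name__ == "__main__":
    tree, anomalies = write_tree(parse_writes(WRITE_ROWS))
    print("write chain:", " -> ".join(map(str, chain(tree, 4336))), "| anomalies:", anomalies)
    print("sysnative launch:", uses_sysnative(PROCESSES[3048]))
    print(match_dropper_chain(tree, PROCESSES, PAYLOAD))
```

The same functions apply to the win7 run once its rows are substituted (E292.tmp and E293.bat in place of 9A1D.tmp and 9A1E.bat); the report gives no PIDs for that run, so the write tree cannot be rebuilt from it.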
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/5068-0-0x0000000000400000-0x00000000005B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\9A1E.bat
| MD5 | a4d54825c48a32efc53e34ea0f588d1c |
| SHA1 | cd5815db470cf3af4d6ce658151eb24fef1c664f |
| SHA256 | a80606f4473428d06cee3e62fd68ec7fc9b99a563260a5ed0d012d76634efe39 |
| SHA512 | 74058d5b0e14ad7b453ed6119e483d3ac3281405f29f2f804c67c0e3b112c68349d8893e8232e3ca93695f43705fcf6a18ec3f6016e68bfe11b1b10a79ba723b |
C:\Users\Admin\AppData\Local\Temp\9A1D.tmp\2.exe
| MD5 | a99128027215ad1dbb57216f1609bd2b |
| SHA1 | aa945b1d72e6593d6961f2186a99dacf40910153 |
| SHA256 | 8c9345cd34b8f57a49574df8131f44b7d643edd20a653cd51f508dafaad0c4de |
| SHA512 | 391d3dfbbbcc2f22d7fab75572bf5fa6876e0703ad688fb00a293b1df4fae53077c64139d4a2f14fbe9d088595974fde91d4da7137f5c91fda36a6eb89a2176c |
memory/5068-10-0x0000000000400000-0x00000000005B5000-memory.dmp