Malware Analysis Report

2025-08-10 18:19

Sample ID 220207-fm9hssffam
Target 44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d
SHA256 44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d
Tags
upx gozi_ifsb
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d

Threat Level: Known bad

The file 44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d was found to be: Known bad.

Malicious Activity Summary

upx gozi_ifsb

Gozi_ifsb family

UPX packed file

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-07 05:00

Signatures

Gozi_ifsb family

gozi_ifsb

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-07 05:00

Reported

2022-02-07 05:07

Platform

win7-en-20211208

Max time kernel

123s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d.exe

"C:\Users\Admin\AppData\Local\Temp\44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C551.tmp\C552.bat C:\Users\Admin\AppData\Local\Temp\44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /B /AD C:\Users

Network

N/A

Files

memory/1616-54-0x0000000075531000-0x0000000075533000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C551.tmp\C552.bat

MD5 45f069f21e8c4fdc06be07cebf8cba08
SHA1 7704251197a83e57428f546fd48d47a5e2f80d58
SHA256 ad7cb168844b757e659029bcc747c0fe25916d6062ada02ae7a2a18519c7c623
SHA512 9335d7bda86243b1e640f9cd46e2cb12e2e1a1c9dbcdc4cea88c0dc4ffcb7e3c0db5489401c9569ac468eb34df4e520eaa695cfc0a2ba8f628fcbd6dccda45c2

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-07 05:00

Reported

2022-02-07 05:07

Platform

win10v2004-en-20220113

Max time kernel

125s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d.exe

"C:\Users\Admin\AppData\Local\Temp\44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8673.tmp\8674.bat C:\Users\Admin\AppData\Local\Temp\44043135cc4c60682e3e45324e02713a675dc0d2894bc677407548e23b27881d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dir /B /AD C:\Users

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Network

Country Destination Domain Proto
NL 20.190.160.129:443 tcp
NL 20.190.160.129:443 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp
US 52.167.249.196:443 settings-win.data.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\8673.tmp\8674.bat

MD5 45f069f21e8c4fdc06be07cebf8cba08
SHA1 7704251197a83e57428f546fd48d47a5e2f80d58
SHA256 ad7cb168844b757e659029bcc747c0fe25916d6062ada02ae7a2a18519c7c623
SHA512 9335d7bda86243b1e640f9cd46e2cb12e2e1a1c9dbcdc4cea88c0dc4ffcb7e3c0db5489401c9569ac468eb34df4e520eaa695cfc0a2ba8f628fcbd6dccda45c2

memory/2172-143-0x00000173B8FA0000-0x00000173B8FA4000-memory.dmp