Analysis Overview
SHA256
a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a
Threat Level: Known bad
The file a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a was found to be: Known bad.
Malicious Activity Summary
Gozi_ifsb family
UPX packed file
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-07 15:00
Signatures
Gozi_ifsb family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-07 15:00
Reported
2022-02-07 15:14
Platform
win7-en-20211208
Max time kernel
131s
Max time network
132s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2004 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe | C:\Windows\system32\cmd.exe |
| PID 2004 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe | C:\Windows\system32\cmd.exe |
| PID 2004 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe | C:\Windows\system32\cmd.exe |
| PID 2004 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe
"C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1035.tmp\1036.bat C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe"
Network
Files
memory/2004-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1035.tmp\1036.bat
| MD5 | ebc4b0ec1164af6e4e4a40e9076386fb |
| SHA1 | e783b2cd10f46517a34c09d0796b9bfd05362ee1 |
| SHA256 | 2208608f4b5237c78315bb8b571787e77cf068bea30c21b65b408cb6627062d9 |
| SHA512 | 72faea89175c0dd30b088037d0f071db7c68a6d4e458b882cc26473956af2a19062a85974a6abcabee82f9cd73b85640598e28e8735824faddda836ee612824a |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-07 15:00
Reported
2022-02-07 15:15
Platform
win10v2004-en-20220113
Max time kernel
182s
Max time network
192s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3320 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe | C:\Windows\system32\cmd.exe |
| PID 3320 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe
"C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\65B7.tmp\65C8.bat C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Network
| Country | Destination | Domain | Proto |
| IE | 40.126.31.137:443 | tcp | |
| IE | 40.126.31.137:443 | tcp | |
| IE | 40.126.31.137:443 | tcp | |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\65B7.tmp\65C8.bat
| MD5 | ebc4b0ec1164af6e4e4a40e9076386fb |
| SHA1 | e783b2cd10f46517a34c09d0796b9bfd05362ee1 |
| SHA256 | 2208608f4b5237c78315bb8b571787e77cf068bea30c21b65b408cb6627062d9 |
| SHA512 | 72faea89175c0dd30b088037d0f071db7c68a6d4e458b882cc26473956af2a19062a85974a6abcabee82f9cd73b85640598e28e8735824faddda836ee612824a |
memory/3484-134-0x0000016DD3130000-0x0000016DD3140000-memory.dmp
memory/3484-135-0x0000016DD3190000-0x0000016DD31A0000-memory.dmp
memory/3484-136-0x0000016DD5E90000-0x0000016DD5E94000-memory.dmp