Malware Analysis Report

2025-08-10 18:19

Sample ID: 220207-sdg4eaddcj
Target: a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a
SHA256: a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a
Tags: upx gozi_ifsb
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a

Threat Level: Known bad

The file a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a was found to be: Known bad.

Malicious Activity Summary

upx gozi_ifsb

Gozi_ifsb family

UPX packed file

Checks computer location settings

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-07 15:00

Signatures

Gozi_ifsb family

gozi_ifsb

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-07 15:00

Reported

2022-02-07 15:14

Platform

win7-en-20211208

Max time kernel

131s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe

"C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1035.tmp\1036.bat C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe"

Network

N/A

Files

memory/2004-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1035.tmp\1036.bat

MD5 ebc4b0ec1164af6e4e4a40e9076386fb
SHA1 e783b2cd10f46517a34c09d0796b9bfd05362ee1
SHA256 2208608f4b5237c78315bb8b571787e77cf068bea30c21b65b408cb6627062d9
SHA512 72faea89175c0dd30b088037d0f071db7c68a6d4e458b882cc26473956af2a19062a85974a6abcabee82f9cd73b85640598e28e8735824faddda836ee612824a

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-07 15:00

Reported

2022-02-07 15:15

Platform

win10v2004-en-20220113

Max time kernel

182s

Max time network

192s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe

"C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\65B7.tmp\65C8.bat C:\Users\Admin\AppData\Local\Temp\a22592371750b46218243d1c9fa9b7d16aec5eab8b03d569a9487736a924962a.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

Network

Country | Destination | Domain | Proto
IE | 40.126.31.137:443 |  | tcp
IE | 40.126.31.137:443 |  | tcp
IE | 40.126.31.137:443 |  | tcp
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp
US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp
US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp
US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\65B7.tmp\65C8.bat

MD5 ebc4b0ec1164af6e4e4a40e9076386fb
SHA1 e783b2cd10f46517a34c09d0796b9bfd05362ee1
SHA256 2208608f4b5237c78315bb8b571787e77cf068bea30c21b65b408cb6627062d9
SHA512 72faea89175c0dd30b088037d0f071db7c68a6d4e458b882cc26473956af2a19062a85974a6abcabee82f9cd73b85640598e28e8735824faddda836ee612824a

memory/3484-134-0x0000016DD3130000-0x0000016DD3140000-memory.dmp

memory/3484-135-0x0000016DD3190000-0x0000016DD31A0000-memory.dmp

memory/3484-136-0x0000016DD5E90000-0x0000016DD5E94000-memory.dmp