Analysis Overview
SHA256
b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5
Threat Level: Known bad
The file b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5 was found to be: Known bad.
Malicious Activity Summary
Gozi_ifsb family
Executes dropped EXE
UPX packed file
Checks computer location settings
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-08 17:30
Signatures
Gozi_ifsb family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-08 17:30
Reported
2022-02-08 20:22
Platform
win7-en-20211208
Max time kernel
121s
Max time network
141s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\TeamViewer | C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe | N/A |
| File created | C:\Program Files\TeamViewer\__tmp_rar_sfx_access_check_259407479 | C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe | N/A |
| File created | C:\Program Files\TeamViewer\TeamViewer_Service.exe | C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe | N/A |
| File opened for modification | C:\Program Files\TeamViewer\TeamViewer_Service.exe | C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe
"C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\2F3C.bat C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"
C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe
3.exe
Network
Files
memory/1620-53-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\2F3C.bat
| MD5 | 7688e4b2098cc4bfb5295d55d3659381 |
| SHA1 | 5f4b29aa961de5446d76b445e64d943267c8f08f |
| SHA256 | 614cb24d7c29f1bea256029241387424d6678baa8b84cdb3e88267627d186232 |
| SHA512 | 2a75038fa98c8e7b787e51ca5756757e3a7ff736844852fce7c9915774eaaba31b5ca173165072345a90bfdd71b386550d3e97edbacd927779ec01af90f0820a |
C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe
| MD5 | e0164ff6ee36e49def5b6b851d38d22b |
| SHA1 | 1f0970e333c8a9e1be5af51576e27409ef978c1e |
| SHA256 | c24e0cc2e75365a001c5204b2a8ae50fb4a291da40f5c639bf503155ac36ae3e |
| SHA512 | 3d3798af4d5ae3b3614c70d6b1f6be908c45aeb57ccf12604db89798dfc8cda317f1fe36df7d5755188530d2ff16590309b985f88182af35bd2215714260c3d1 |
C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\3.exe
| MD5 | e0164ff6ee36e49def5b6b851d38d22b |
| SHA1 | 1f0970e333c8a9e1be5af51576e27409ef978c1e |
| SHA256 | c24e0cc2e75365a001c5204b2a8ae50fb4a291da40f5c639bf503155ac36ae3e |
| SHA512 | 3d3798af4d5ae3b3614c70d6b1f6be908c45aeb57ccf12604db89798dfc8cda317f1fe36df7d5755188530d2ff16590309b985f88182af35bd2215714260c3d1 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-08 17:30
Reported
2022-02-08 20:23
Platform
win10v2004-en-20220113
Max time kernel
151s
Max time network
173s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\TeamViewer | C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe | N/A |
| File created | C:\Program Files\TeamViewer\__tmp_rar_sfx_access_check_30264765 | C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe | N/A |
| File created | C:\Program Files\TeamViewer\TeamViewer_Service.exe | C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe | N/A |
| File opened for modification | C:\Program Files\TeamViewer\TeamViewer_Service.exe | C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\pending.xml | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1700 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe | C:\Windows\system32\cmd.exe |
| PID 1700 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe | C:\Windows\system32\cmd.exe |
| PID 3392 wrote to memory of 2244 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe |
| PID 3392 wrote to memory of 2244 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe |
| PID 3392 wrote to memory of 2244 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe
"C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\975B.tmp\975C.bat C:\Users\Admin\AppData\Local\Temp\b8e1c2faba54c996024d3d9695e0b9e8547dd65b7a0f4c16d1f69a0c5596a1b5.exe"
C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe
3.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| AU | 104.46.162.226:443 | tcp | |
| US | 20.190.151.69:443 | tcp | |
| US | 20.190.151.69:443 | tcp | |
| US | 8.8.8.8:53 | crl3.digicert.com | udp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl3.digicert.com | tcp |
| US | 8.8.8.8:53 | crl4.digicert.com | udp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.168.112.67:443 | tcp | |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 8.238.20.126:80 | tcp | |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\975B.tmp\975C.bat
| MD5 | 7688e4b2098cc4bfb5295d55d3659381 |
| SHA1 | 5f4b29aa961de5446d76b445e64d943267c8f08f |
| SHA256 | 614cb24d7c29f1bea256029241387424d6678baa8b84cdb3e88267627d186232 |
| SHA512 | 2a75038fa98c8e7b787e51ca5756757e3a7ff736844852fce7c9915774eaaba31b5ca173165072345a90bfdd71b386550d3e97edbacd927779ec01af90f0820a |
C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe
| MD5 | e0164ff6ee36e49def5b6b851d38d22b |
| SHA1 | 1f0970e333c8a9e1be5af51576e27409ef978c1e |
| SHA256 | c24e0cc2e75365a001c5204b2a8ae50fb4a291da40f5c639bf503155ac36ae3e |
| SHA512 | 3d3798af4d5ae3b3614c70d6b1f6be908c45aeb57ccf12604db89798dfc8cda317f1fe36df7d5755188530d2ff16590309b985f88182af35bd2215714260c3d1 |
C:\Users\Admin\AppData\Local\Temp\975B.tmp\3.exe
| MD5 | e0164ff6ee36e49def5b6b851d38d22b |
| SHA1 | 1f0970e333c8a9e1be5af51576e27409ef978c1e |
| SHA256 | c24e0cc2e75365a001c5204b2a8ae50fb4a291da40f5c639bf503155ac36ae3e |
| SHA512 | 3d3798af4d5ae3b3614c70d6b1f6be908c45aeb57ccf12604db89798dfc8cda317f1fe36df7d5755188530d2ff16590309b985f88182af35bd2215714260c3d1 |
memory/2984-133-0x000002341F620000-0x000002341F630000-memory.dmp
memory/2984-134-0x000002341F680000-0x000002341F690000-memory.dmp
memory/2984-135-0x0000023421D40000-0x0000023421D44000-memory.dmp