Analysis Overview
SHA256
a262c8414eafbd3587c395b4a6b08ba010efcb4681c1759396386de7d223a50b
Threat Level: Known bad
The file 0x00080000000122ea-60.dat was found to be: Known bad.
Malicious Activity Summary
Gozi_ifsb family
Gozi, Gozi IFSB
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Reads user/profile data of web browsers
Deletes itself
Checks BIOS information in registry
Checks whether UAC is enabled
Kills process with WMI
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-21 21:38
Signatures
Gozi_ifsb family
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-21 21:38
Reported
2022-03-21 21:40
Platform
win7-20220311-en
Max time kernel
4294181s
Max time network
123s
Command Line
Signatures
Gozi, Gozi IFSB
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1328 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | C:\Windows\system32\cmd.exe |
| PID 1328 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | C:\Windows\system32\cmd.exe |
| PID 1328 wrote to memory of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | C:\Windows\system32\cmd.exe |
| PID 844 wrote to memory of 1660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
| PID 844 wrote to memory of 1660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
| PID 844 wrote to memory of 1660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\choice.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe
"C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "0x00080000000122ea-60.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 1
Network
Files
memory/1328-54-0x000007FEFD1F0000-0x000007FEFD25C000-memory.dmp
memory/1328-55-0x0000000000070000-0x0000000000071000-memory.dmp
memory/1328-56-0x000007FE80010000-0x000007FE80011000-memory.dmp
memory/1328-60-0x000000003F450000-0x000000004017A000-memory.dmp
memory/1328-61-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-21 21:38
Reported
2022-03-21 21:40
Platform
win10v2004-20220310-en
Max time kernel
125s
Max time network
135s
Command Line
Signatures
Gozi, Gozi IFSB
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | N/A |
Kills process with WMI
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe
"C:\Users\Admin\AppData\Local\Temp\0x00080000000122ea-60.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C ping -n 2 127.0.0.1>%temp%\log2 && rd /s /q %appdata%\Sysfiles & rd /s /q %temp%
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
C:\Windows\System32\Wbem\WMIC.exe
wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' call terminate
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C erase %temp% /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & ping -n 10 127.0.0.1>%temp%\log1 && erase %temp% /s /f /q & rd /s /q %appdata%\Sysfiles
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C erase %appdata%\Sysfiles /s /f /q & wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
C:\Windows\System32\Wbem\WMIC.exe
wmic PROCESS WHERE 'ExecutablePath LIKE '%TEMP\\%'' delete
C:\Windows\System32\Wbem\WMIC.exe
wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' call terminate
C:\Windows\System32\Wbem\WMIC.exe
wmic PROCESS WHERE 'ExecutablePath LIKE '%\\appdata\\roaming\\sysfiles\\%'' delete
C:\Windows\system32\PING.EXE
ping -n 10 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
Files
memory/4300-135-0x0000000180000000-0x0000000180046000-memory.dmp
memory/4300-140-0x00007FFB85560000-0x00007FFB85829000-memory.dmp
memory/4300-141-0x00007FFB87070000-0x00007FFB8712E000-memory.dmp
memory/4300-142-0x00007FFB80000000-0x00007FFB80002000-memory.dmp
memory/4300-143-0x00007FFB80030000-0x00007FFB80031000-memory.dmp
memory/4300-147-0x000000003F2C0000-0x000000003FFEA000-memory.dmp
memory/4300-148-0x00007FFB67820000-0x00007FFB682E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vcruntime140_1.dll
| MD5 | 39060b10e3364cda2ae9eb3d45cfce2d |
| SHA1 | 2311677387722fd9b3c46c037a08261325145af1 |
| SHA256 | c2c9eddf2e847c0b9b32b14e3c7175bb4e75953f60556583bcc0f78d607137bf |
| SHA512 | 9577fb523f4e7fb0ca59a8cdf0ff356a53d269f8806066cf2e56044e2ab20940d0598067884fc7b8c97acbb59ff637ba2089705f07aaf06f906e001fe3df3bef |
C:\Users\Admin\AppData\Local\Temp\vcruntime140.dll
| MD5 | bd3549bccc629a06740fbc35d4e96fa8 |
| SHA1 | 4effe52539405c86484df63f684c90487fac6db4 |
| SHA256 | 3ae20038f198472c5fca87559cb1d462632eeb93903f8c857dfa0e3f6a85965a |
| SHA512 | 91a7f43d5be995c0d1daed597b1b0041f18561cc24eddfde58726edab5917adc9eb304f049db1aea1bad2e37b274b8babc13579179704cd91cf32e316f84ae7a |
C:\Users\Admin\AppData\Local\Temp\WinRing0x64.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
C:\Users\Admin\AppData\Local\Temp\msvcp140.dll
| MD5 | 53a6dd2062e438cfdfc3327cd48e9a43 |
| SHA1 | 02f7cb32c424d06fab1937ce0203952fe0f558e6 |
| SHA256 | 9b783a58b3e1cd9976169f3ca9329f868b7980966d34a84274c2208a64f8b6fb |
| SHA512 | d24d58d940e7b77bdd36dfc1b601eed9355f9d9560152196754dbb9c1ce3276646003b23af34274b971b87c39da1681f3b1e6f81721b81c68441a12895cb9825 |
C:\Users\Admin\AppData\Local\Temp\LOG
| MD5 | eda684463427b4828ff9000103b0698b |
| SHA1 | 12cc081a35c0d5bff2eae9d9d5d794eb6d446d0e |
| SHA256 | 97212fa989b09ea2f3a2699f66adba3a3c7b500e1f3d6e218d48bbf31b9ca0eb |
| SHA512 | b438bb50f6e635430da0b7a2ebdfabe4d5c98b9f3ded027dda81f71c41c90684d70c083de85d6057c830a995d5b44f22c7501d5c50054723735430a654e15a35 |
C:\Users\Admin\AppData\Local\Temp\log1
| MD5 | 762a46951c84b66fe54acb9bb308a1a4 |
| SHA1 | 02c0812f4947c30a76801eb32137b89bca532272 |
| SHA256 | 8ff179f55be1a9908f3e33e97da8aafce587111fab0b67cd5a0cf189c4bad44d |
| SHA512 | 7fa911188ad3223776d3ba7288f8cba6362ae9b7d4142ba44f47db8fede71bf91f05bf89401570075052f778499a7a6399ddb03a5e22018dece086430144c86e |
C:\Users\Admin\AppData\Local\Temp\log1
| MD5 | 27f901942e2be9e01da24e1c80941b62 |
| SHA1 | 324a01e9417c05287f26b5734155da9d904ad763 |
| SHA256 | 34ccf4e63793d0bfdd0a1e8a836d82c8ebb9114664f0bca250d159be4aca9b5b |
| SHA512 | 6830c321d62454d97360cb7913f2aa674d74c08dc8fa62b3985cc0b685b735e980152626e45413de19dae9d79cdb2320187a87efd0be7558563113bda853caf2 |