Malware Analysis Report

2025-08-06 04:27

Sample ID 220321-pf4teacah5
Target 1808-57-0x0000000000170000-0x000000000017E000-memory.dmp
SHA256 15622fff703648c6b515892046f883f4737e55d08e11fec5bbfed084e922ce4c
Tags
7625 gozi_ifsb
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15622fff703648c6b515892046f883f4737e55d08e11fec5bbfed084e922ce4c

Threat Level: Known bad

The file 1808-57-0x0000000000170000-0x000000000017E000-memory.dmp was found to be: Known bad. The name follows the sandbox's <pid>-<n>-<start>-<end>-memory.dmp convention for dumped memory regions, so the object analysed is a 0xE000-byte (57,344-byte) region dumped at 0x170000 from a process with PID 1808, not a file as it existed on disk; the static signature matches that dump, and the behavioral runs below load it as a DLL through rundll32.

Malicious Activity Summary

7625 gozi_ifsb

Gozi_ifsb family

Program crash

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-03-21 12:17

Signatures

Gozi_ifsb family

gozi_ifsb

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-21 12:17

Reported

2022-03-21 12:19

Platform

win7-20220311-en

Max time kernel

4294182s (not a real runtime: the value sits just under 2^32 ms and is almost certainly an unsigned 32-bit wraparound of a small negative timer delta in the sandbox's reporting, so the kernel time for this run should be treated as unknown)

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1808-57-0x0000000000170000-0x000000000017E000-memory.dll,#1
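The command line above is the whole of what the sandbox ran: the dumped region renamed to .dll, loaded from the user's Temp directory and entered through export ordinal 1. As an added example that is not part of this report or of the sandbox, the Python below scores rundll32 command lines for exactly those traits and decodes the dump-style file name back into PID and region bounds. The sample command lines are constructed (only the first is taken from the report), and the verdict thresholds are an assumption for illustration.

```python
"""Score rundll32 command lines for the traits this report's detonation shows:
a DLL loaded from a user-writable path, called by export ordinal, and a file
name that is really a renamed sandbox memory-region dump."""
import re

# Constructed sample command lines (not sandbox output). Only the first one is
# taken from the report; the rest are made up for contrast.
SAMPLE_CMDLINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\1808-57-0x0000000000170000-0x000000000017E000-memory.dll,#1",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r'rundll32.exe "C:\Users\Admin\Downloads\invoice.dll",DllRegisterServer',
    r"C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\x.dll,#2",
]

RUNDLL32_RE = re.compile(
    r'^"?(?:[^"\s]*[\\/])?rundll32\.exe"?\s+'   # optional directory, then rundll32.exe
    r'(?P<dll>"[^"]+"|[^\s,]+)\s*,\s*'          # DLL path, quoted or bare, up to the comma
    r"(?P<export>\S+)",                         # export name or #ordinal
    re.IGNORECASE,
)

# <pid>-<n>-0x<start>-0x<end>-memory.<ext>: the naming the sandbox uses for dumped regions
DUMP_NAME_RE = re.compile(
    r"^(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-f]{8,16})-0x(?P<end>[0-9a-f]{8,16})"
    r"-memory\.(?:dll|dmp|bin)$",
    re.IGNORECASE,
)

# Directory fragments a standard user can write to; matched against the lowercased path.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")


def parse_rundll32(cmdline):
    """Split a rundll32 command line into DLL path and export; None if it is not one."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    return {"dll": m.group("dll").strip('"'), "export": m.group("export")}


def parse_dump_name(basename):
    """Decode a sandbox memory-dump file name into pid, index and region bounds."""
    m = DUMP_NAME_RE.match(basename)
    if not m:
        return None
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return {"pid": int(m.group("pid")), "index": int(m.group("idx")),
            "start": start, "end": end, "size": end - start}


def score_rundll32(cmdline):
    """Return the parsed command line plus the suspicious traits it exhibits.

    Verdict thresholds are an assumption for this example: two or more traits
    are 'suspicious', one is 'review', none is 'benign_pattern'.
    """
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    dll_lower = parsed["dll"].lower()
    basename = re.split(r"[\\/]", parsed["dll"])[-1]
    reasons = []
    if any(frag in dll_lower for frag in USER_WRITABLE):
        reasons.append("dll_in_user_writable_path")
    if re.fullmatch(r"#\d+", parsed["export"]):
        reasons.append("ordinal_export")
    dump = parse_dump_name(basename)
    if dump is not None:
        reasons.append("renamed_memory_dump")
    verdict = "suspicious" if len(reasons) >= 2 else "review" if reasons else "benign_pattern"
    return {**parsed, "reasons": reasons, "dump": dump, "verdict": verdict}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = score_rundll32(line)
        print(f'{r["verdict"]:>14}  {", ".join(r["reasons"]) or "-"}  <- {line}')
```

Run stand-alone it prints one verdict per sample line; the report's own command line collects all three traits, and the decoded name gives the region size (0xE000) that the Target line only implies.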

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1808-57-0x0000000000170000-0x000000000017E000-memory.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1808-57-0x0000000000170000-0x000000000017E000-memory.dll,#1

Network

N/A

Files

memory/580-54-0x0000000075561000-0x0000000075563000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-21 12:17

Reported

2022-03-21 12:19

Platform

win10v2004-20220310-en

Max time kernel

131s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1808-57-0x0000000000170000-0x000000000017E000-memory.dll,#1

Signatures

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\001800080F67B489 = [binary value omitted] | C:\Windows\System32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5} | C:\Windows\System32\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = [binary value omitted] | C:\Windows\System32\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "001800080F67B489" | C:\Windows\System32\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1" | C:\Windows\System32\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property | C:\Windows\System32\svchost.exe | N/A

All six writes are made by C:\Windows\System32\svchost.exe (the -k LocalService -s LicenseManager instance in the process list) into the LOCAL SERVICE hive (S-1-5-19 under \REGISTRY\USER), i.e. Windows Store licensing housekeeping (IdentityCRL device tokens). Neither rundll32 process touches the registry here, so this signature is background OS activity coincident with the run, not behaviour of the sample.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3796 wrote to memory of 4140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3796 wrote to memory of 4140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3796 wrote to memory of 4140 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

PID 3796 is the 64-bit rundll32 the sandbox launched and 4140 the 32-bit SysWOW64 copy it spawned: a 64-bit rundll32 handed a 32-bit DLL re-executes itself from SysWOW64, which is consistent with the dumped image being 32-bit, and a parent writing into a child it has just created is ordinary process setup rather than evidence of injection. The three identical rows are three logged calls for the same parent/child pair; no write into any third process is recorded.
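The two signature tables above mix one event class produced by the sample's own process pair (3796 writing into 4140) with another produced by an unrelated service (svchost.exe writing the LOCAL SERVICE hive), and the WerFault command lines in the process list further down name the crashed PIDs. As an added example, not the sandbox's code and not part of this report, the Python below rebuilds the sample's process tree from parent links plus the WriteProcessMemory rows and uses it to label registry writes and crashes as sample or background. The process table and the services.exe/svchost.exe PIDs are constructed placeholders; only PIDs 3796, 4140 and 3732, the registry paths and the WerFault arguments come from the report.

```python
"""Attribute sandbox signature hits to the submitted sample's process tree or
to background Windows activity recorded in the same detonation."""
import re

# Constructed process table modelled on the behavioral2 run. PIDs 3796 and 4140
# are the ones in the report's WriteProcessMemory rows; services.exe and svchost
# PIDs are assumed placeholders, since the report lists them without PIDs.
PROCESSES = {
    3796: (r"C:\Windows\system32\rundll32.exe", None),  # detonation root, parent unknown
    4140: (r"C:\Windows\SysWOW64\rundll32.exe", None),  # parent link recovered from the WPM rows
    700:  (r"C:\Windows\System32\services.exe", None),  # assumed PID
    900:  (r"C:\Windows\System32\svchost.exe", 700),    # -k LocalService -p -s LicenseManager, assumed PID
}

# Rows in the shape of the report's "Suspicious use of WriteProcessMemory" table.
WPM_ROWS = ["PID 3796 wrote to memory of 4140"] * 3

# (registry path, writing pid): first two rows of the report's HKEY_USERS table, pid assumed.
REGISTRY_EVENTS = [
    (r"\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\001800080F67B489", 900),
    (r"\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}", 900),
]

# WerFault command lines from the report; -p names the process that crashed.
CRASH_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4140 -ip 4140",
    r"C:\Windows\system32\WerFault.exe -pss -s 552 -p 3732 -ip 3732",
]

WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
HIVE_SID_RE = re.compile(r"\\REGISTRY\\USER\\(S-1-5-\d+)\\", re.IGNORECASE)
WERFAULT_PID_RE = re.compile(r"WerFault\.exe.*\s-p\s+(\d+)", re.IGNORECASE)


def edges_from_wpm(rows):
    """Deduplicated (writer, target) PID pairs from WriteProcessMemory rows."""
    return {(int(m.group(1)), int(m.group(2)))
            for m in map(WPM_RE.search, rows) if m}


def sample_tree(root, processes=PROCESSES, wpm_rows=WPM_ROWS):
    """PIDs reachable from the detonation root via parent links or cross-process writes.

    A write into another process is treated like a parent link: whether the
    target is a freshly created child or an injected victim, it now runs code
    the sample put there, so its later activity belongs to the sample.
    """
    children = {}
    for pid, (_, ppid) in processes.items():
        children.setdefault(ppid, set()).add(pid)
    for writer, target in edges_from_wpm(wpm_rows):
        children.setdefault(writer, set()).add(target)
    tree, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid not in tree:
            tree.add(pid)
            stack.extend(children.get(pid, ()))
    return tree


def attribute_registry(events, tree, processes=PROCESSES):
    """Tag each registry write as sample or background, naming service-account hives."""
    result = []
    for path, pid in events:
        sid = HIVE_SID_RE.search(path)
        result.append({
            "path": path,
            "process": processes.get(pid, ("<unlisted>", None))[0],
            "account": WELL_KNOWN_SIDS.get(sid.group(1).upper()) if sid else None,
            "attribution": "sample" if pid in tree else "background",
        })
    return result


def attribute_crashes(cmdlines, tree, processes=PROCESSES):
    """Map WerFault -p arguments to the crashing PID and say whose process it was."""
    result = []
    for cmdline in cmdlines:
        m = WERFAULT_PID_RE.search(cmdline)
        if not m:
            continue
        pid = int(m.group(1))
        attribution = ("sample" if pid in tree
                       else "background" if pid in processes
                       else "unlisted")
        result.append({"pid": pid, "attribution": attribution})
    return result


if __name__ == "__main__":
    tree = sample_tree(3796)
    print("sample process tree:", sorted(tree))
    for e in attribute_registry(REGISTRY_EVENTS, tree):
        print(f'{e["attribution"]:>10}  {e["process"]}  [{e["account"]}]  {e["path"]}')
    for c in attribute_crashes(CRASH_CMDLINES, tree):
        print(f'{c["attribution"]:>10}  crash of pid {c["pid"]}')
```

The registry writes come out as background (svchost.exe is not in the sample's tree and the hive belongs to LOCAL SERVICE), the 4140 crash as the sample's own, and the 3732 crash as a PID the process list does not account for, which is the reading a human triager should reach from the same tables.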

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1808-57-0x0000000000170000-0x000000000017E000-memory.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1808-57-0x0000000000170000-0x000000000017E000-memory.dll,#1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4140 -ip 4140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 560

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 552 -p 3732 -ip 3732

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3732 -s 780

The -p arguments name the crashing processes: 4140 is the SysWOW64 rundll32 that received the DLL (the "Program crash" entry in the summary), while 3732 does not appear in this process list. A crash is the likely outcome of handing rundll32 a raw memory-region dump renamed to .dll: a region dumped from a running process has its sections at their mapped, page-aligned offsets and its imports already resolved to addresses from the original process, so the loader does not find the image in the state it expects unless the dump has been fixed up first.

Network

Country | Destination | Domain | Proto
US | 204.79.197.203:443 | (none recorded) | tcp
US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp
NL | 104.80.225.205:443 | storesdk.dsx.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp
US | 93.184.220.29:80 | (none recorded) | tcp

Every hostname in this table is Microsoft Store licensing infrastructure (licensing.mp.microsoft.com, storesdk.dsx.mp.microsoft.com), which lines up with the LicenseManager svchost activity recorded under the registry signature; the two destinations without a domain (204.79.197.203:443 and 93.184.220.29:80) have no DNS resolution logged, and the table has no process column, so nothing here is attributed to either rundll32 process. Together with the empty network section of the Win7 run (behavioral1), this means the detonation produced no C2 indicators for the sample: the Gozi/ISFB verdict rests on the static signature against the dumped region, not on observed beaconing.

Files

N/A