Analysis Overview
SHA256
40a78495d842f1f74502318cebe8cc5551a80b7d1f947b6ddba2b27e839eaed0
Threat Level: Known bad
The file 1652-56-0x0000000000160000-0x000000000016E000-memory.dmp was found to be: Known bad.
Malicious Activity Summary
Gozi_ifsb family
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-03-23 02:20
Signatures
Gozi_ifsb family
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-23 02:20
Reported
2022-03-23 02:23
Platform
win7-20220311-en
Max time kernel
4294179s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1956 wrote to memory of 1104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1956 wrote to memory of 1104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1956 wrote to memory of 1104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1956 wrote to memory of 1104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1956 wrote to memory of 1104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1956 wrote to memory of 1104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1956 wrote to memory of 1104 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1652-56-0x0000000000160000-0x000000000016E000-memory.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1652-56-0x0000000000160000-0x000000000016E000-memory.dll,#1
Network
Files
memory/1104-54-0x0000000000000000-mapping.dmp
memory/1104-55-0x0000000074F31000-0x0000000074F33000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-23 02:20
Reported
2022-03-23 02:23
Platform
win10v2004-20220310-en
Max time kernel
125s
Max time network
135s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4332 wrote to memory of 892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4332 wrote to memory of 892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4332 wrote to memory of 892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1652-56-0x0000000000160000-0x000000000016E000-memory.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1652-56-0x0000000000160000-0x000000000016E000-memory.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 892 -ip 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 560
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
| US | 20.96.63.25:443 | licensing.mp.microsoft.com | tcp |
Files
memory/892-134-0x0000000000000000-mapping.dmp