Malware Analysis Report

2025-08-05 13:07

Sample ID 220323-csrcmadhg4
Target 1652-56-0x0000000000160000-0x000000000016E000-memory.dmp
SHA256 40a78495d842f1f74502318cebe8cc5551a80b7d1f947b6ddba2b27e839eaed0
Tags
7626 gozi_ifsb
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40a78495d842f1f74502318cebe8cc5551a80b7d1f947b6ddba2b27e839eaed0

Threat Level: Known bad

The file 1652-56-0x0000000000160000-0x000000000016E000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

7626 gozi_ifsb

Gozi_ifsb family

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-03-23 02:20

Signatures

Gozi_ifsb family

gozi_ifsb

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-23 02:20

Reported

2022-03-23 02:23

Platform

win7-20220311-en

Max time kernel

4294179s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1652-56-0x0000000000160000-0x000000000016E000-memory.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 1104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 1104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 1104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 1104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 1104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 1104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 1104 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1652-56-0x0000000000160000-0x000000000016E000-memory.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1652-56-0x0000000000160000-0x000000000016E000-memory.dll,#1

Network

N/A

Files

memory/1104-54-0x0000000000000000-mapping.dmp

memory/1104-55-0x0000000074F31000-0x0000000074F33000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-23 02:20

Reported

2022-03-23 02:23

Platform

win10v2004-20220310-en

Max time kernel

125s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1652-56-0x0000000000160000-0x000000000016E000-memory.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4332 wrote to memory of 892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4332 wrote to memory of 892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4332 wrote to memory of 892 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1652-56-0x0000000000160000-0x000000000016E000-memory.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1652-56-0x0000000000160000-0x000000000016E000-memory.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 892 -ip 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 560

Network

Country Destination Domain Proto
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp
US 20.96.63.25:443 licensing.mp.microsoft.com tcp

Files

memory/892-134-0x0000000000000000-mapping.dmp