Analysis Overview
SHA256
93ba5e117699976d0df8512ca37262af3dbb68897fc50167bacef1930c64816f
Threat Level: Known bad
The file 00000001.dll was found to be: Known bad.
Malicious Activity Summary
Gozi, Gozi IFSB
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-03-23 16:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-23 16:42
Reported
2022-03-23 16:45
Platform
win7-20220311-en
Max time kernel
4294211s
Max time network
134s
Command Line
Signatures
Gozi, Gozi IFSB
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1800 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1800 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1800 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1800 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1800 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1800 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1800 wrote to memory of 1808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\00000001.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\00000001.dll,#1
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
Network
Files
memory/1808-54-0x0000000000000000-mapping.dmp
memory/1808-55-0x0000000075081000-0x0000000075083000-memory.dmp
memory/1808-56-0x0000000000240000-0x00000000002D0000-memory.dmp
memory/1808-59-0x0000000000240000-0x00000000002D0000-memory.dmp
memory/1808-58-0x0000000000240000-0x000000000024D000-memory.dmp
memory/1808-60-0x0000000000240000-0x00000000002D0000-memory.dmp
memory/1160-61-0x000007FEFB551000-0x000007FEFB553000-memory.dmp