bd48d2ca9fc8aa44bdee5fe564c15cb8fff88da0081cae06e6a3153ea599f48a | Triage

Analysis

max time kernel
46s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-09-2022 07:31

Sharing

Report Analysis Logs

General

Target

gozi.dll
Size

43KB
MD5

851e3931eb9af443aebe8abdb60f9469
SHA1

b13e1900449afbb908511dee343a14442a0fbbc1
SHA256

bd48d2ca9fc8aa44bdee5fe564c15cb8fff88da0081cae06e6a3153ea599f48a
SHA512

1241a219e8b616e65d57b6bc58398df2972b120ae243bc3f258936d2a6f431cfce18fe164cc573733bc390bf1bf0c433df07f7b4cf986f816edf43771a70e2e4
SSDEEP

768:ImQp7q0kzrdzjj+jVmXaKrOXNk4snxuZhTeOx1wl7gpQYPEub0c1B:INp7q0WV+pmKe890QeOxel7/YPEu0G

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 1448 wrote to memory of 1480	1448	rundll32.exe	27
PID 1448 wrote to memory of 1480	1448	rundll32.exe	27
PID 1448 wrote to memory of 1480	1448	rundll32.exe	27
PID 1448 wrote to memory of 1480	1448	rundll32.exe	27
PID 1448 wrote to memory of 1480	1448	rundll32.exe	27
PID 1448 wrote to memory of 1480	1448	rundll32.exe	27
PID 1448 wrote to memory of 1480	1448	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\gozi.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\gozi.dll,#1
  2⤵
  PID:1480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-54-0x0000000000000000-mapping.dmp

Download
memory/1480-55-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download