efc5d6924a586e8bc30d4a48029f0cec29c493bcf76d0126ce74b7f963d7c9bf | Triage

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 13:52

Sharing

Report Analysis Logs

General

Target

gozi.dll
Size

43KB
MD5

b9e34211a2d4bf5525ad9ccb7d9224da
SHA1

f16e2a7778ac008a4a557b5999492d46f4a90247
SHA256

efc5d6924a586e8bc30d4a48029f0cec29c493bcf76d0126ce74b7f963d7c9bf
SHA512

abd1dc24fe17fdf629c85031b5f341d82fb17f291847d23bdfc35620cb2e825bbba6658efba9d1fd66f29d2a095bb7bffe556fe1d25d9cc2a0f63c9dd1764b67
SSDEEP

768:PTmE+L5AkTXKMaqD4leJiArJBFkK527nhoZ3eGiTb7gp6XFlkq9k:PTmE+L5AkTixchBOKinCZ3eGGb7dTR9k

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 1896 wrote to memory of 2044	1896	rundll32.exe	27
PID 1896 wrote to memory of 2044	1896	rundll32.exe	27
PID 1896 wrote to memory of 2044	1896	rundll32.exe	27
PID 1896 wrote to memory of 2044	1896	rundll32.exe	27
PID 1896 wrote to memory of 2044	1896	rundll32.exe	27
PID 1896 wrote to memory of 2044	1896	rundll32.exe	27
PID 1896 wrote to memory of 2044	1896	rundll32.exe	27

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\gozi.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\gozi.dll,#1
  2⤵
  PID:2044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2044-54-0x0000000000000000-mapping.dmp

Download
memory/2044-55-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download