Overview

overview

10

Static

static

ordine.12.20.doc

windows7_x64

10

ordine.12.20.doc

windows10_x64

8

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03-12-2020 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ordine.12.20.doc

  • Size

    91KB

  • MD5

    d877528f01cafe6d9401c89e4c4799a5

  • SHA1

    10836e28ae5184ae004c3b60159c2e994832c90c

  • SHA256

    9a752f4b373e32ef86ead4516cceb238bdef9519191922abf5141261b13c38f3

  • SHA512

    c33b67bebe288ed9718f6485fb0ac3a46bdcaf0726bf37b378b1ed8920450cabc22b7cd57b3a6dc6f9daeedca6929e899f4b49969d674ed865211dd121a02bc4

Score
10/10
gozi_ifsbbankertrojan

Malware Config

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 69 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordine.12.20.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:660
    • C:\users\public\ms.com
      C:\users\public\ms.com C:\users\public\ms.html
      1⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\temp.tmp
        2⤵
        • Loads dropped DLL
        PID:1580
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1884
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1612

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\temp.tmp
      MD5

      e4fd73c229bb68127e4dd2e5d5f7cb31

      SHA1

      08b75e4c422c096e4f4b7dc44252b7dd001513e1

      SHA256

      db4df8d6e29ec29a7cf09512f1b7825ae7e6daa1b02d03e67d743e1e9e0eb3e3

      SHA512

      1e679c858b27dad6116aca0b71809dae3c2706fb7e5a976b94ab49c36f7c11debfa7416e5c20dae2470c5898f1b51e8bf9b054a08de87850cb9bbcd36446065c

      Download Submit
    • C:\Users\Public\ms.com
      MD5

      abdfc692d9fe43e2ba8fe6cb5a8cb95a

      SHA1

      d4f0397f83083e1c6fb0894187cc72aebcf2f34f

      SHA256

      949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820

      SHA512

      c786bfb6a2316e43cb89901fae103157ec6b65117c292dc7570dd4685891b5afbb72064789b74bf55fe012c5936ed6468876e4d2cccdeff71b4abb2d76ff395f

      Download Submit
    • C:\users\public\ms.com
      MD5

      abdfc692d9fe43e2ba8fe6cb5a8cb95a

      SHA1

      d4f0397f83083e1c6fb0894187cc72aebcf2f34f

      SHA256

      949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820

      SHA512

      c786bfb6a2316e43cb89901fae103157ec6b65117c292dc7570dd4685891b5afbb72064789b74bf55fe012c5936ed6468876e4d2cccdeff71b4abb2d76ff395f

      Download Submit
    • C:\users\public\ms.html
      MD5

      f92fb6fe7f0536a53a813177585dcfee

      SHA1

      855b96cd27e0eb6f0bdff03242a7375fde19d3d7

      SHA256

      f2855229bb557b3abfc20e95e879c1cd4c0102fbd9fecd7c2cbfbe6cf5be3f30

      SHA512

      94f766077d27d8c04d69dcdabea02a01b8b396a0cefb1f5d81aa9f9baba6b03b3134dd822c6fe48839f7c8a944131f107cfbb5962bd242a922937ce884ccebd6

      Download Submit
    • \Users\Admin\AppData\Local\Temp\temp.tmp
      MD5

      e4fd73c229bb68127e4dd2e5d5f7cb31

      SHA1

      08b75e4c422c096e4f4b7dc44252b7dd001513e1

      SHA256

      db4df8d6e29ec29a7cf09512f1b7825ae7e6daa1b02d03e67d743e1e9e0eb3e3

      SHA512

      1e679c858b27dad6116aca0b71809dae3c2706fb7e5a976b94ab49c36f7c11debfa7416e5c20dae2470c5898f1b51e8bf9b054a08de87850cb9bbcd36446065c

      Download Submit
    • memory/660-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1004-10-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1204-6-0x0000000004B20000-0x0000000004B85000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1204-2-0x000000000089C000-0x000000000089F000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1204-5-0x0000000004B20000-0x0000000004B85000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1204-4-0x0000000004B20000-0x0000000004B85000-memory.dmp
      Filesize

      404KB

      Download
    • memory/1204-3-0x0000000000887000-0x0000000000890000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1204-15-0x00000000004E0000-0x00000000004E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1580-12-0x0000000000000000-mapping.dmp
      Download
    • memory/1612-18-0x0000000000000000-mapping.dmp
      Download
    • memory/1884-16-0x0000000000000000-mapping.dmp
      Download
    • memory/1884-17-0x0000000006170000-0x0000000006193000-memory.dmp
      Filesize

      140KB

      Download