Overview

overview

10

Static

static

ordinare_1...20.doc

windows7_x64

8

ordinare_1...20.doc

windows10_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-12-2020 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ordinare_12.01.2020.doc

  • Size

    91KB

  • MD5

    5cebb6813b6717852b51bb82235bf5a6

  • SHA1

    6c465ea7366e478013f1581a2e4a57675b767f0d

  • SHA256

    a861f29a0b1f6cc24f3090bb4260cb9388466326e9d320db378f3bdc08e7c267

  • SHA512

    d174ee80939b84a89e69f1912ee835cfa10b9e7c79613264cc862717c27c137a861d40b7f2ddcaf90804146370c8d68b596f536434ce09035bcf1ff65c3c8342

Score
10/10
gozi_ifsbbankertrojan

Malware Config

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordinare_12.01.2020.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4768
  • C:\users\public\ms.com
    C:\users\public\ms.com C:\users\public\ms.html
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3236
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\temp.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Users\Admin\AppData\Local\Temp\temp.tmp
        3⤵
        • Loads dropped DLL
        PID:4504
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4372
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4732
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4628 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\temp.tmp
    MD5

    5ef10b7334c3ed9f0c905339f5aa1b46

    SHA1

    2a3870cf287b9d24f1a9112955308eece5cdcc03

    SHA256

    4457d83321c2ff730f7ed316daff71b37b4ba420bf2f6af3bc9551b627ff1469

    SHA512

    22b05b19f5f5c25b6bd3f0d7c824381f194cf4e3e35fbe04601c50bf5f4c58e89524347f69230df7e669b5afc6d8370bbcb3b40def3033388a2956a67956c18e

    Download Submit
  • C:\Users\Public\ms.com
    MD5

    98447a7f26ee9dac6b806924d6e21c90

    SHA1

    a67909346a56289b7087821437efcaa51da3b083

    SHA256

    c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

    SHA512

    c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

    Download Submit
  • C:\users\public\ms.com
    MD5

    98447a7f26ee9dac6b806924d6e21c90

    SHA1

    a67909346a56289b7087821437efcaa51da3b083

    SHA256

    c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

    SHA512

    c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

    Download Submit
  • C:\users\public\ms.html
    MD5

    7f908f1ee0bbb0b276589f06368a008d

    SHA1

    ee9d0fa4c45aeb9c75750aa003e7c0f0f22e348d

    SHA256

    8b23a9189fd2fe4cc89459224ed36e7a64121de9589d3ac9ceae9e4deef7f23a

    SHA512

    3fbebbcd1b5f2a731470037a702ba58eefbc0764874d465539e90b6fcd4ba16e93221e8eb402bf2d3b603a6b4d81e3b1a2e68ea3625a93716f4ef991fa625633

    Download Submit
  • \Users\Admin\AppData\Local\Temp\temp.tmp
    MD5

    5ef10b7334c3ed9f0c905339f5aa1b46

    SHA1

    2a3870cf287b9d24f1a9112955308eece5cdcc03

    SHA256

    4457d83321c2ff730f7ed316daff71b37b4ba420bf2f6af3bc9551b627ff1469

    SHA512

    22b05b19f5f5c25b6bd3f0d7c824381f194cf4e3e35fbe04601c50bf5f4c58e89524347f69230df7e669b5afc6d8370bbcb3b40def3033388a2956a67956c18e

    Download Submit
  • memory/3660-17-0x0000000000000000-mapping.dmp
    Download
  • memory/4372-15-0x0000000000000000-mapping.dmp
    Download
  • memory/4476-11-0x0000000000000000-mapping.dmp
    Download
  • memory/4504-13-0x0000000000000000-mapping.dmp
    Download
  • memory/4732-16-0x0000000000000000-mapping.dmp
    Download
  • memory/4768-7-0x000001732C410000-0x000001732C420000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4768-6-0x000001732C3E0000-0x000001732C3E5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/4768-4-0x000001732C3D7000-0x000001732C3E0000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4768-5-0x000001732C3D7000-0x000001732C3E0000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4768-3-0x000001732A43A000-0x000001732A44D000-memory.dmp
    Filesize

    76KB

    Download
  • memory/4768-2-0x0000017320AE0000-0x0000017321117000-memory.dmp
    Filesize

    6.2MB

    Download