Overview

overview

10

Static

static

documenti-12.20.doc

windows7_x64

10

documenti-12.20.doc

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-12-2020 11:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    documenti-12.20.doc

  • Size

    92KB

  • MD5

    53915ecbd649a6008ae69c0dcacf591b

  • SHA1

    2711d278e9cf36c4924a69659157d4e7b3b05e06

  • SHA256

    0cdb011bfac8731aa990d921e6a4748a4ec75ec6e62e0f6d0da2c03d00955886

  • SHA512

    d67e429e6f00d60deefe1abb3f13b240dd020b486a09c136e0c0c8ebf1c5802d87c4bb0fc26248de1e069b6c007a6921dc6d3a78d72789b0eecfb078a96b5556

Score
10/10
gozi_ifsbbankertrojan

Malware Config

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\documenti-12.20.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:636
  • C:\users\public\ms.com
    C:\users\public\ms.com C:\users\public\ms.html
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\temp.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Users\Admin\AppData\Local\Temp\temp.tmp
        3⤵
        • Loads dropped DLL
        PID:2148
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:200
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:200 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:684
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:368
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:368 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:912
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\temp.tmp
    MD5

    a7c80246b4dbe1085b435c505a1c6bd1

    SHA1

    a156ffca06b7f42e57bfcecadd1342adcdb44a5d

    SHA256

    eb3d0ac3165028922860c3e8e61e051faed8bf9d884ac96a8a493312aa88fe31

    SHA512

    a1fab85125bfc3c9a26c5df9a303b6fcc0cb338411b4a63a4838523b78e69052c371cac0b6292451a496426f72b605970df5421acd1b6ce98b1638766fcaee5b

    Download Submit
  • C:\Users\Public\ms.com
    MD5

    98447a7f26ee9dac6b806924d6e21c90

    SHA1

    a67909346a56289b7087821437efcaa51da3b083

    SHA256

    c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

    SHA512

    c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

    Download Submit
  • C:\users\public\ms.com
    MD5

    98447a7f26ee9dac6b806924d6e21c90

    SHA1

    a67909346a56289b7087821437efcaa51da3b083

    SHA256

    c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

    SHA512

    c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

    Download Submit
  • C:\users\public\ms.html
    MD5

    3d4c1e100159158e91a1d06c6821a7cc

    SHA1

    cdc3b2a3280c6f7e8a201cb485e85222d15bd2ed

    SHA256

    042b36a012b50fd8073f3d47670dba0cefe36b71a909f6cfdc66b2c5ef4fcdb2

    SHA512

    5adf16e5bb68a114ff66a26b4a5282698968ac2ca51bb0569982408c31bd20801a8693dc8abc01d0b3f10dbf41a7f52eccb3a7911bd98ddc7098be4b707c5af9

    Download Submit
  • \Users\Admin\AppData\Local\Temp\temp.tmp
    MD5

    a7c80246b4dbe1085b435c505a1c6bd1

    SHA1

    a156ffca06b7f42e57bfcecadd1342adcdb44a5d

    SHA256

    eb3d0ac3165028922860c3e8e61e051faed8bf9d884ac96a8a493312aa88fe31

    SHA512

    a1fab85125bfc3c9a26c5df9a303b6fcc0cb338411b4a63a4838523b78e69052c371cac0b6292451a496426f72b605970df5421acd1b6ce98b1638766fcaee5b

    Download Submit
  • memory/636-6-0x00000255AAB22000-0x00000255AAB2F000-memory.dmp
    Filesize

    52KB

    Download
  • memory/636-2-0x00007FF9FCB20000-0x00007FF9FD157000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/636-5-0x00000255AAB22000-0x00000255AAB2F000-memory.dmp
    Filesize

    52KB

    Download
  • memory/636-4-0x00000255AAB22000-0x00000255AAB2F000-memory.dmp
    Filesize

    52KB

    Download
  • memory/684-14-0x0000000000000000-mapping.dmp
    Download
  • memory/860-16-0x0000000000000000-mapping.dmp
    Download
  • memory/912-15-0x0000000000000000-mapping.dmp
    Download
  • memory/1304-10-0x0000000000000000-mapping.dmp
    Download
  • memory/2148-12-0x0000000000000000-mapping.dmp
    Download