Analysis

  • max time kernel
    145s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-12-2020 13:08

General

  • Target

    scongiurare.12.01.2020.doc

  • Size

    91KB

  • MD5

    9edc856edd53b45e9c6f84c2e65e1cc7

  • SHA1

    f16bd28f364c678054ea5c73651a668dfd68a5bc

  • SHA256

    4d1c37dac45daec5880750b8499b337e6ccf3696bfd645c4e22f388001e79900

  • SHA512

    1f268c6b48cf7b5771947f2803ffcf8a1156102f1be6c9305e9e18972c48fa68ad2b51ed7d9a3c723a0e48cfbb9b51daf74e9167692199e5027b04ff1c671c76

Score
10/10

Malware Config

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 56 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\scongiurare.12.01.2020.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3940
  • C:\users\public\ms.com
    C:\users\public\ms.com C:\users\public\ms.html
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\temp.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Users\Admin\AppData\Local\Temp\temp.tmp
        3⤵
        • Loads dropped DLL
        PID:1644
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2964
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3796
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3796 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2236
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1512 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3484

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\temp.tmp
    MD5

    16718ff4efd5bfca6b4fa9eef5c52bd1

    SHA1

    f1ed1509f69e8058176e452f681cb8fa4f13dbae

    SHA256

    1df19585c4a549ab0086dfdcfe2b4f062922d0ed7b79e5e09f1398b31500f727

    SHA512

    cd9792d423cff5e2dec723df53e6630c22221989da13ca9261ed0616764d32ed1f90c65ce98249dfe53fa5262545321d2408114e094a5057b028563b821a9594

  • C:\Users\Public\ms.com
    MD5

    98447a7f26ee9dac6b806924d6e21c90

    SHA1

    a67909346a56289b7087821437efcaa51da3b083

    SHA256

    c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

    SHA512

    c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

  • C:\users\public\ms.com
    MD5

    98447a7f26ee9dac6b806924d6e21c90

    SHA1

    a67909346a56289b7087821437efcaa51da3b083

    SHA256

    c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

    SHA512

    c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

  • C:\users\public\ms.html
    MD5

    c95ad501989d92e932c8b38d52955a9c

    SHA1

    19223f16652ae22baca91cb4030e7f81aa3efff1

    SHA256

    37ed664d7ba10c77315d7190e5b335e4ca4c46bc7255b76314ad7ab694db6ae0

    SHA512

    13bd20b2b890c8a03e4064da2dbe799f66c8d4fa43b0eb33b6b552155e123c2d39faff4834b4078d8b732f7ba69a8ab338924cf908d55fd5007d630641cb5c85

  • \Users\Admin\AppData\Local\Temp\temp.tmp
    MD5

    16718ff4efd5bfca6b4fa9eef5c52bd1

    SHA1

    f1ed1509f69e8058176e452f681cb8fa4f13dbae

    SHA256

    1df19585c4a549ab0086dfdcfe2b4f062922d0ed7b79e5e09f1398b31500f727

    SHA512

    cd9792d423cff5e2dec723df53e6630c22221989da13ca9261ed0616764d32ed1f90c65ce98249dfe53fa5262545321d2408114e094a5057b028563b821a9594

  • memory/1644-13-0x0000000000000000-mapping.dmp
  • memory/2236-16-0x0000000000000000-mapping.dmp
  • memory/2964-15-0x0000000000000000-mapping.dmp
  • memory/3484-17-0x0000000000000000-mapping.dmp
  • memory/3768-11-0x0000000000000000-mapping.dmp
  • memory/3940-2-0x00000245313D0000-0x0000024531A07000-memory.dmp
    Filesize

    6.2MB