gozi_ifsb | 24b030711a69d5121a177ab5a4d8a27849b763f8bdbd8a37c1346f716c4c221e

General

Target

info-12.20.doc
Size

144KB
MD5

eb89b281323cbba25c8c1080cf2f62ff
SHA1

a3d5cab21da7d69f80c3fc62a16cee52e3398846
SHA256

24b030711a69d5121a177ab5a4d8a27849b763f8bdbd8a37c1346f716c4c221e
SHA512

817c131568474240f0139d688ff362fcf406b189bb6537028005dc0952597e4d9db612677f82f9593eff00053583f9017e2bfcb4545a01a83a5d4f9d8d4b8c8f

Score

10^/10

gozi_ifsb banker trojan

Malware Config

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1556	1656	regsvr32.exe	WINWORD.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1556 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
1556	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 68 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b66000000000200000000001066000000010000200000003f229c70557f7fa9c53e298cc2e361c5b6639df323ccb20e6971e51008beac3e000000000e80000000020000200000009793aae9be678366101d894a290afc3e0187cf9557cf27a72c08aea2c05f8e1720000000a4b63df87be2adbd2107632bdb19bd1dd23e3a144cccd2e86d56876c6921f2584000000084ace321c076bcfa63bd5ca80fe73861931a23324ef7134bdac32cfddbcb1324fbacd013057bb98505bf900c376b1ddfb0088b1f53955c44a8531c1595c56bc9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CA4D2EA1-3570-11EB-BFDD-F65A7312C48E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{95B5CDA1-3570-11EB-BFDD-F65A7312C48E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "313769298"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805c1e867dc9d601	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000033044fc40189d459fe40d0e3dcc9b6600000000020000000000106600000001000020000000d467d5f52edf48ac97f697d5b9692d3d97d156c260ba8103268d66ddb5c982ad000000000e80000000020000200000006efcbd923caf0528e93a09088493ef5510029687211581981546526732cbf3709000000088c01f773a385c69a365385c64a2af676749eea2ea6dc731cb42203e7291bc757e5c55bd7cb1a71e9886f9714d85ea2e1b2d4b0038dc4aad369bff9ec4c9ddd323bd1fee03dd74dd05514051aa8bf162d1bbad4de80180549a3a3ca23cebbce868e1e1d75ec3261f8f3db34d5b800dc5614f6f597fa30568f48c9265f27c862cd739cacc1e460f55733e46433a959cb640000000e50481e60ca46dd56ade89e35bdf0e6dd833ecbc5a049ea621b2e7b174ee7d126ae48e15bd667d1e8501375f4891c1e35cb7258d4ab0f34384ae00cf1cef660d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 5 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1656 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

912 iexplore.exe
820 iexplore.exe

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
912	iexplore.exe
820	iexplore.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

WINWORD.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
1656	WINWORD.EXE
912	iexplore.exe
912	iexplore.exe
576	IEXPLORE.EXE
576	IEXPLORE.EXE
820	iexplore.exe
820	iexplore.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WINWORD.EXEiexplore.exeiexplore.exe

description	pid	process	target process
PID 1656 wrote to memory of 1556	1656	WINWORD.EXE	regsvr32.exe
PID 1656 wrote to memory of 1556	1656	WINWORD.EXE	regsvr32.exe
PID 1656 wrote to memory of 1556	1656	WINWORD.EXE	regsvr32.exe
PID 1656 wrote to memory of 1556	1656	WINWORD.EXE	regsvr32.exe
PID 1656 wrote to memory of 1556	1656	WINWORD.EXE	regsvr32.exe
PID 1656 wrote to memory of 1556	1656	WINWORD.EXE	regsvr32.exe
PID 1656 wrote to memory of 1556	1656	WINWORD.EXE	regsvr32.exe
PID 1656 wrote to memory of 1504	1656	WINWORD.EXE	splwow64.exe
PID 1656 wrote to memory of 1504	1656	WINWORD.EXE	splwow64.exe
PID 1656 wrote to memory of 1504	1656	WINWORD.EXE	splwow64.exe
PID 1656 wrote to memory of 1504	1656	WINWORD.EXE	splwow64.exe
PID 912 wrote to memory of 576	912	iexplore.exe	IEXPLORE.EXE
PID 912 wrote to memory of 576	912	iexplore.exe	IEXPLORE.EXE
PID 912 wrote to memory of 576	912	iexplore.exe	IEXPLORE.EXE
PID 912 wrote to memory of 576	912	iexplore.exe	IEXPLORE.EXE
PID 820 wrote to memory of 1692	820	iexplore.exe	IEXPLORE.EXE
PID 820 wrote to memory of 1692	820	iexplore.exe	IEXPLORE.EXE
PID 820 wrote to memory of 1692	820	iexplore.exe	IEXPLORE.EXE
PID 820 wrote to memory of 1692	820	iexplore.exe	IEXPLORE.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\info-12.20.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\programdata\RrKki.pdf
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:1556

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1504

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:912 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:820 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\programdata\RrKki.pdf
MD5
2b8e31cc34b23a1fa8768fc8e088e5aa

SHA1
ba51f9f5ae3aac40a69309c6f9b77064423f02a0

SHA256
5348c314afb52079c6c35643e8a749c2d51c5447c78f7e28251b0cca4de6797a

SHA512
740c368dde35703b8782261e42bbf3b57e0b05f9c51a2a72010d484cdbbe5c7a36826b37b5189e4c36437f541e3282aa0c071192f7ce4ac8ee4873a5b79fa8fa

Download Submit
\ProgramData\RrKki.pdf
MD5
2b8e31cc34b23a1fa8768fc8e088e5aa

SHA1
ba51f9f5ae3aac40a69309c6f9b77064423f02a0

SHA256
5348c314afb52079c6c35643e8a749c2d51c5447c78f7e28251b0cca4de6797a

SHA512
740c368dde35703b8782261e42bbf3b57e0b05f9c51a2a72010d484cdbbe5c7a36826b37b5189e4c36437f541e3282aa0c071192f7ce4ac8ee4873a5b79fa8fa

Download Submit
memory/576-10-0x0000000000000000-mapping.dmp

Download
memory/576-11-0x00000000063E0000-0x0000000006403000-memory.dmp

Filesize
140KB

Download
memory/752-9-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp

Filesize
2.5MB

Download
memory/1504-8-0x0000000000000000-mapping.dmp

Download
memory/1556-5-0x0000000000000000-mapping.dmp

Download
memory/1656-2-0x0000000000681000-0x0000000000684000-memory.dmp

Filesize
12KB

Download
memory/1656-4-0x0000000000605000-0x0000000000609000-memory.dmp

Filesize
16KB

Download
memory/1656-3-0x0000000000605000-0x0000000000609000-memory.dmp

Filesize
16KB

Download
memory/1692-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads