Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-02-2021 14:07

General

  • Target

    book-AUY70-04022021.xls

  • Size

    139KB

  • MD5

    6bc6146cc33968b9b1f1ea29a65f28aa

  • SHA1

    e681ce7f9b6a16c9926817c18365ba3610366da4

  • SHA256

    8162e0799dc6887d63119af7836399684041e981d8e1cc48d0bf852dc785d8ce

  • SHA512

    0e8fe206306c1fa2f5f27a9df172d8c8f6667eb67cb2ac58a0e9d2c928ba3725d1d3c857449a66b1f1f6154a8240a4234b95a61fd451a17c41dbe077874f5fa1

Malware Config

Extracted

  • Family

    gozi_rm3

  • Botnet

    201193207

  • C2

    https://topitophug.xyz

  • Attributes
    • build

      300932

    • exe_type

      loader

  • rsa_pubkey.base64
  • serpent.plain

Signatures

  • Gozi RM3

    A heavily modified Gozi variant delivered by the RM3 loader.

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or a malicious macro. Here EXCEL.EXE (PID 540) launched rundll32.exe.

  • Blocklisted process makes network request (1 IoC)
  • Loads dropped DLL (1 IoC)

    rundll32.exe loads C:\nuewi\neiq.auw, a DLL written to disk during the run, through its DllRegisterServer export.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read to detect sandbox environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 78 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (24 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\book-AUY70-04022021.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 C:\nuewi\neiq.auw,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 C:\nuewi\neiq.auw,DllRegisterServer
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:3936
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:500
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:500 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2104
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1172 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3700
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3768 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1528
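The process tree above is the most useful detection surface in this report: an Office process spawning rundll32.exe, rundll32 loading a module with a non-library extension from a non-standard directory, and the 64-bit rundll32 re-launching its SysWOW64 copy for the same module. The following is an added example (not sandbox output and not Gozi code) that runs those checks over constructed process-creation events. The three malicious records copy the EXCEL.EXE (540) → rundll32.exe (4028) → SysWOW64\rundll32.exe (3936) chain from this report; the explorer/rundll32 pair is a constructed benign control. The event schema (pid, ppid, image, cmdline), the Office/LOLBin name sets and the trusted-directory list are assumptions modelled on Sysmon Event ID 1 and are not the sandbox's own format.

```python
"""
Added example for this report (not sandbox output or Gozi code): detection
logic for the Excel -> rundll32 -> rundll32 (WoW64) chain in the Processes
section, run over constructed process-creation events. The event schema
(pid, ppid, image, cmdline) is an assumption modelled on Sysmon Event ID 1.
"""
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_IMAGES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                 "cscript.exe", "powershell.exe", "cmd.exe"}
# Extensions rundll32 is normally asked to load.
MODULE_EXTS = {".dll", ".cpl", ".ocx"}
# Directories rundll32 legitimately loads modules from (assumption: tune per estate).
TRUSTED_MODULE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# rundll32 syntax: <rundll32 token> <module>,<entrypoint> [args]; module may be quoted.
RUNDLL32_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?P<module>"[^"]+"|[^,]+?)\s*,\s*(?P<entry>\S+)')

# Constructed events; the first three mirror the report's process tree.
EVENTS = [
    {"pid": 540, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\book-AUY70-04022021.xls"'},
    {"pid": 4028, "ppid": 540, "image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "cmdline": r"rundll32 C:\nuewi\neiq.auw,DllRegisterServer"},
    {"pid": 3936, "ppid": 4028, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32 C:\nuewi\neiq.auw,DllRegisterServer"},
    # Benign control (constructed): Explorer opening a Control Panel applet.
    {"pid": 7000, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
]


def parse_rundll32(cmdline):
    """Return (module_path, entry_point) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group("module").strip().strip('"'), m.group("entry")


def analyze(events):
    """Map pid -> list of reasons for every event that trips at least one check."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        child = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else ""
        reasons = []

        # 1. Office application launching a living-off-the-land binary.
        if parent_name in OFFICE_IMAGES and child in LOLBIN_IMAGES:
            reasons.append(f"Office process {parent_name} spawned {child}")

        if child == "rundll32.exe":
            parsed = parse_rundll32(e["cmdline"])
            if parsed:
                module, entry = parsed
                ext = ntpath.splitext(module)[1].lower()
                # 2. Module with a non-library extension (here .auw).
                if ext not in MODULE_EXTS:
                    reasons.append(f"rundll32 loads module with unusual extension {ext!r} via {entry}")
                # 3. Module outside the directories rundll32 normally loads from.
                if not module.lower().startswith(TRUSTED_MODULE_DIRS):
                    reasons.append(f"module {module} is outside trusted directories")
                # 4. 64-bit rundll32 re-launching its 32-bit copy for the same module,
                #    which is what happens when the module is a 32-bit DLL (WoW64).
                if (parent_name == "rundll32.exe" and "\\syswow64\\" in e["image"].lower()
                        and parse_rundll32(parent["cmdline"]) == parsed):
                    reasons.append("64-bit rundll32 re-executed as 32-bit (WoW64) for the same module")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(EVENTS).items():
        print(pid)
        for r in reasons:
            print("   ", r)
```

Run stand-alone it reports PIDs 4028 and 3936 and leaves the explorer-launched Control Panel applet alone. The extension and directory checks are the ones that survive renaming of the dropped file; the Office-parent check fires on the first rundll32 only, since the SysWOW64 copy is a child of rundll32 rather than of Excel, which is why the WoW64 re-execution check is included.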

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\61F95D72644321B3AD7A1D512B8D6E8B
    MD5

    9bc7c66842ce55fb615785434a1e4ae2

    SHA1

    0841bba8f45cc927201dab1668d7de43c808f3a8

    SHA256

    cdf81a744d87fcc80a9593edceb9103d9eb19ee8023da16b26c17844ffa88eaa

    SHA512

    e85136f1da80428111ce2f626f6e90dff88d11f2de62f461d292104f2807b08ae2c625397d6c889544566c15cd772e1ed45b2fa18d89489140d59b6bb7fc9eba

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
    MD5

    0cb6aff7f00ffdce23877e0fd80f88d5

    SHA1

    7cb46bde95f4e57c108100dff3786dc9d6169389

    SHA256

    fb6bd4558196dad5d2767534f435159f7ce7d69f8e0bb21d73af02b8778f5ad0

    SHA512

    04bfc5e5430709750613273778c7fc3a5d9eedc618fc60b6db2a55247c3a30609fbb0758f8923e3a84984ecae4903e68ee165f3c8515b8e922b70dceb9f402b2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\61F95D72644321B3AD7A1D512B8D6E8B
    MD5

    d55e899bd240fe3c7b5d87896f49b65f

    SHA1

    1875aedaa20c97830318e3242d58daba7bf3be42

    SHA256

    76d741f3b3f48620573defb00a2efaf359dcdad9bd99d71a4794cc30641bd234

    SHA512

    dde6404860b128a79aecd939f7e96f2c89a259e7218719d28a46156e7c9059c56a6588691041ac2a1c43ee2b10ee4b974b5e2723104e2fe5f131810788ab19bc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
    MD5

    f56a4ce0df4021db843d755d084a9caf

    SHA1

    18f07ebd80ebc3d3e1053309189f720949e8725b

    SHA256

    a9310ba87526ce98612bf9a1257434ca4bfdb322650a8c8a6b5f7c27858ee19e

    SHA512

    ce482edf1a79dc0f322662d178e6ce838a1a8ddecc556a4bb785a85dc90e907a7253530159d2434730e2019517b92665725c11b0924d8ac848cdd3a0a59cabcc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\YVNESD2A.cookie
    MD5

    6ce796afe36f43246736b06da032bac3

    SHA1

    21591bf89e3a4a7ff305a81f0b67dc8f7272fea7

    SHA256

    c74f486c9be9d56877f8e11fc3378307955dca271393aa86a5bcfb12cc0da37d

    SHA512

    ec69b9b30f77990fcefc5145721872fb2c88e85e4421d1a83a43d7bacf3b26c71ef76c932b3ff50746a23ed2c32d877f39c4f87d36450ee2bde74ed1f207b751

  • C:\nuewi\neiq.auw
    MD5

    d31c0491f522d6b9f2102109bd2420af

    SHA1

    dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708

    SHA256

    f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f

    SHA512

    48d659660654800da4eb3909a06572dfcf5f05ebdfb8629fafdfeab601673e3377d9a3a241f4bd36c3f4f912ac838dbc73926f734bfa8a76ec43fa726b28c3bd

  • \nuewi\neiq.auw
    MD5

    d31c0491f522d6b9f2102109bd2420af

    SHA1

    dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708

    SHA256

    f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f

    SHA512

    48d659660654800da4eb3909a06572dfcf5f05ebdfb8629fafdfeab601673e3377d9a3a241f4bd36c3f4f912ac838dbc73926f734bfa8a76ec43fa726b28c3bd

  • memory/540-6-0x00007FF9A7230000-0x00007FF9A7867000-memory.dmp
    Filesize

    6.2MB

  • memory/540-2-0x00007FF983B50000-0x00007FF983B60000-memory.dmp
    Filesize

    64KB

  • memory/540-5-0x00007FF983B50000-0x00007FF983B60000-memory.dmp
    Filesize

    64KB

  • memory/540-4-0x00007FF983B50000-0x00007FF983B60000-memory.dmp
    Filesize

    64KB

  • memory/540-3-0x00007FF983B50000-0x00007FF983B60000-memory.dmp
    Filesize

    64KB

  • memory/1528-22-0x0000000000000000-mapping.dmp
  • memory/2104-15-0x0000000000000000-mapping.dmp
  • memory/3700-17-0x0000000000000000-mapping.dmp
  • memory/3936-12-0x00000000045F0000-0x0000000004602000-memory.dmp
    Filesize

    72KB

  • memory/3936-14-0x0000000002EB0000-0x0000000002EC0000-memory.dmp
    Filesize

    64KB

  • memory/3936-13-0x0000000002E90000-0x0000000002E9E000-memory.dmp
    Filesize

    56KB

  • memory/3936-11-0x0000000000870000-0x0000000000871000-memory.dmp
    Filesize

    4KB

  • memory/3936-9-0x0000000000000000-mapping.dmp
  • memory/4028-7-0x0000000000000000-mapping.dmp