Overview

overview

10

Static

static

selected-jobs.xls

windows7_x64

10

selected-jobs.xls

windows10_x64

10

Resubmissions

19-04-2021 09:51

210419-vsfnbxzjyn 10

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19-04-2021 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    selected-jobs.xls

  • Size

    1.9MB

  • MD5

    4ab1efff60052e63eaace56a29413b62

  • SHA1

    6e574a62a5ca46e5e2a8c3861feb3a4ef0b6e866

  • SHA256

    eb6f84aa58fd61f76d3920f777607b242bb2fc132f6dbd7a84fdb7452f6a9605

  • SHA512

    a699e34d720e70e1168e83ffcfbb5d1743bb9bbae34658fbb921d93186e49032eb0eb8fa8b7be28d6b57e9c4338c05f21036bdaac81f67bcea03ddb68c3a9055

Score
10/10
gozi_rm3210306bankertrojan

Malware Config

Extracted

Family

gozi_rm3

Botnet

210306

C2

https://getroad.xyz

Attributes
  • build

    300960

  • exe_type

    loader

  • non_target_locale

    RU

  • server_id

    12

  • url_path

    index.htm

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

    bankertrojangozi_rm3
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 36 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\selected-jobs.xls"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 ..\ismvxl.woc,DllRegisterServer
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 ..\ismvxl.woc,DllRegisterServer
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:1808
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3156
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2272
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2844 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:188
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2232 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3076
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2560 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2628
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:492

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
    MD5

    d1b1f562e42dd37c408c0a3c7ccfe189

    SHA1

    c01e61a5c5f44fb038228b7e542f6a8d7c8c283d

    SHA256

    7f468f04fe5a1b0616685f157a4285090b6ed3858d4cd9efe915aaeed83c158e

    SHA512

    404d279fabd4886008e47e9138f799cf398f0aa4c8556192d6e45dbcde99eac2cd65c47b9e0b88bd6d3a6529818f6048a23a197a913fb917b19dffbbd5d75850

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
    MD5

    83225bcb7c7cd66c9f4b5a784b73e182

    SHA1

    e5fec26150bf6aa4ff3539224d940501fa83b85d

    SHA256

    b7eb6b6a19733728b03e818ab60d91a4de11de48230ce5d6a612e2cd5622bc1d

    SHA512

    b6259517e4695d2fad580453789718406a2d0e52db1eeb8dc9377b67dc537d2956648f58b9d55a82aeec08f3d817848113f2266cc5fd5e6b62ab509cf44a4901

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml
    MD5

    143c3e0f050b28abe67d081571648ec5

    SHA1

    a863987ea723b796d5e68580968766c7a95666ba

    SHA256

    e4b0d2df86d0642ffa17dfce013f25ec6ea8ea04057f2522eea2ae16ecb3e683

    SHA512

    e036d2542104927c81a5420fe8bf3931c41c3eb5f97ee13e3a9dda444301aba6eb54de2273f5d0a053099f2b5212a1f90e51d95d145adbaf1d9b220809f57a9f

    Download Submit

  • C:\Users\Admin\ismvxl.woc
    MD5

    5a52b1494c7929a2ef4d2e6d485358e8

    SHA1

    a78dbd06aef4815e272f476695989706a5432e8d

    SHA256

    e4fdba0b24b4184ddafe6add29b6d3415e26422e3752a81d049cb888791aabf3

    SHA512

    d9d76e7ef16394af4576f187cab4fc5e6653c62c4bb092a76a4c0cc4d9209f31b13eeed3533d5e13c969bc7cc7fcd436867cca345fd3677f953f488a91b0eb25

    Download Submit

  • \Users\Admin\ismvxl.woc
    MD5

    5a52b1494c7929a2ef4d2e6d485358e8

    SHA1

    a78dbd06aef4815e272f476695989706a5432e8d

    SHA256

    e4fdba0b24b4184ddafe6add29b6d3415e26422e3752a81d049cb888791aabf3

    SHA512

    d9d76e7ef16394af4576f187cab4fc5e6653c62c4bb092a76a4c0cc4d9209f31b13eeed3533d5e13c969bc7cc7fcd436867cca345fd3677f953f488a91b0eb25

    Download Submit

  • memory/188-190-0x0000000000000000-mapping.dmp

    Download

  • memory/492-193-0x0000000000000000-mapping.dmp

    Download

  • memory/1796-179-0x0000000000000000-mapping.dmp

    Download

  • memory/1808-181-0x0000000000000000-mapping.dmp

    Download

  • memory/1808-184-0x0000000002FF0000-0x0000000002FFF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1808-183-0x0000000002FD0000-0x0000000002FDC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2272-188-0x0000000000000000-mapping.dmp

    Download

  • memory/2628-192-0x0000000000000000-mapping.dmp

    Download

  • memory/3076-191-0x0000000000000000-mapping.dmp

    Download

  • memory/3156-185-0x0000000000000000-mapping.dmp

    Download

  • memory/3164-119-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3164-118-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3164-123-0x0000025CE5100000-0x0000025CE6FF5000-memory.dmp

    Filesize

    31.0MB

    Download

  • memory/3164-117-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3164-116-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3164-122-0x00007FFB9C6D0000-0x00007FFB9D7BE000-memory.dmp

    Filesize

    16.9MB

    Download

  • memory/3164-114-0x00007FF6011A0000-0x00007FF604756000-memory.dmp

    Filesize

    53.7MB

    Download

  • memory/3164-115-0x00007FFB7C310000-0x00007FFB7C320000-memory.dmp

    Filesize

    64KB

    Download