Overview

overview

10

Static

static

8

dettare-04...21.doc

windows7_x64

10

dettare-04...21.doc

windows10_x64

10

Analysis

  • max time kernel
    101s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-04-2021 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dettare-04.22.2021.doc

  • Size

    170KB

  • MD5

    7a505b0a54691e03015e62dc1424bae9

  • SHA1

    c723379191e2b61e00e78e93531a78aea7a4167f

  • SHA256

    ef9ce000152d2e164a2ad8b13e427d95c8bf6570f244d837ac969c1548f41e71

  • SHA512

    8519d6ac872f23b45aac4f848b64a37a7b62452e3effd471466e36a9831043e7e6468c2bbf3e42111fc7f87dbab1a76341effc5b308704a0028689e9a4ecf1cb

Score
10/10
gozi_ifsb4460bankertrojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

4460

C2

1.microsoft.com

horulenuke.us

vorulenuke.us
Attributes
  • build

    250190

  • dga_base_url

    constitution.org/usdeclar.txt

  • dga_crc

    0x4eb7d2ca

  • dga_season

    10

  • dga_tlds

    com

    ru

    org

  • exe_type

    loader

  • server_id

    12

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dettare-04.22.2021.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\SysWOW64\explorer.exe
      explorer c:\users\public\documentLoadGlobal.hta
      2⤵
      • Process spawned unexpected child process
      PID:2040
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1364
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\documentLoadGlobal.hta"
        2⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\users\public\documentLoadGlobal.jpg
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1236
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c cd oil Sn
            4⤵
              PID:2040
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c cd hole
              4⤵
                PID:548

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Public\documentLoadGlobal.hta
          MD5

          337a53f22afe61a4e897c090a4a8f5ad

          SHA1

          068c2dffcf31338fe30afb97f2eaaf15f3fe3113

          SHA256

          bccce6b4e738a51573ad1567e53fc720f4d18230e19858b1c243380d1dee2f2d

          SHA512

          4b288d5d35fc47d6e1963b9d912e5a8d3195616dbbb93374a5b62036d55b7c9b96d9606cedc0219515cdc5557a84b90cfc15b7b69ec9da9e7e267499d1d0d08a

          Download Submit
        • \??\c:\users\public\documentLoadGlobal.jpg
          MD5

          b514e86297f5ac02ced783857c8c5596

          SHA1

          ad85e415eb7eb857a6bdfa88509248ebf79a2760

          SHA256

          65c05be334fca2ed02d48dfeb7e7b0687860759d720e537d1cc4653d9c5e41d9

          SHA512

          79696f7f6e0857fd13ae660a6ca553eca03e3d2eea7cef1a827ab78d071c30561670a68a2ac8e652aace9f72a78803225af16b0ff7f62d09591078ea9dbfbdc1

          Download Submit
        • \Users\Public\documentLoadGlobal.jpg
          MD5

          b514e86297f5ac02ced783857c8c5596

          SHA1

          ad85e415eb7eb857a6bdfa88509248ebf79a2760

          SHA256

          65c05be334fca2ed02d48dfeb7e7b0687860759d720e537d1cc4653d9c5e41d9

          SHA512

          79696f7f6e0857fd13ae660a6ca553eca03e3d2eea7cef1a827ab78d071c30561670a68a2ac8e652aace9f72a78803225af16b0ff7f62d09591078ea9dbfbdc1

          Download Submit
        • memory/308-69-0x0000000005F20000-0x0000000006B6A000-memory.dmp
          Filesize

          12.3MB

          Download
        • memory/308-81-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/308-60-0x0000000072FC1000-0x0000000072FC4000-memory.dmp
          Filesize

          12KB

          Download
        • memory/308-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/308-61-0x0000000070A41000-0x0000000070A43000-memory.dmp
          Filesize

          8KB

          Download
        • memory/548-77-0x0000000000000000-mapping.dmp
          Download
        • memory/1216-68-0x0000000000000000-mapping.dmp
          Download
        • memory/1236-80-0x0000000000180000-0x0000000000181000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1236-79-0x000000006B6B0000-0x000000006B7A0000-memory.dmp
          Filesize

          960KB

          Download
        • memory/1236-78-0x000000006B6B0000-0x000000006B6BF000-memory.dmp
          Filesize

          60KB

          Download
        • memory/1236-72-0x0000000000000000-mapping.dmp
          Download
        • memory/1364-70-0x0000000000000000-mapping.dmp
          Download
        • memory/1972-66-0x000007FEFC661000-0x000007FEFC663000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2040-76-0x0000000000000000-mapping.dmp
          Download
        • memory/2040-65-0x000000006BAD1000-0x000000006BAD3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2040-64-0x0000000075A31000-0x0000000075A33000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2040-63-0x0000000000000000-mapping.dmp
          Download