Analysis
max time kernel: 119s
max time network: 166s
platform: windows7_x64
resource: win7v20210410
submitted: 14-06-2021 15:17
Static task: static1
Behavioral task: behavioral1 (sample: material_06.21.doc, resource: win7v20210410)
Behavioral task: behavioral2 (sample: material_06.21.doc, resource: win10v20210410)
General
Target: material_06.21.doc
Size: 49KB
MD5: 90f830f394798beeab08062829ad1103
SHA1: 14ae965eadf99d78177ca24544de9f7b1d35a744
SHA256: 54f88a13720f577d84c6e97491f588e7c79b4b6e9df490faef663de2c19cc12c
SHA512: 4f141b38a11ab279d981ac944ba9fb0e3614cfaabd30dccb8ae0f3859a0c904bf1c5089060311efced85becfb3b88954c33a1712aae3e2b3566432eb49cd4f76
Malware Config
Extracted
Family: gozi_ifsb
Botnet: 6000
C2: authd.feronok.com
C2: app.bighomegl.at
build: 250204
exe_type: loader
server_id: 580
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (pid 1668) is not expected to spawn this process: explorer.exe (pid 1748)
Blocklisted process makes network request (1 IoC)
Processes:
  mshta.exe (pid 1632), flow 5
Downloads MZ/PE file
-
Loads dropped DLL (1 IoC)
Processes:
  regsvr32.exe (pid 1752)
Drops file in Windows directory (1 IoC)
Processes:
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
  Note: Word itself writes this WIA trace log on this image; on its own it is a weak indicator.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(Generic signature description. The extracted config above classifies this sample as a Gozi/ISFB loader, not ransomware.)
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes:
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
  Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
  Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
  Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
  Note: the WINWORD.EXE entries are Office's own IE context-menu integration (Send to OneNote, Export to Excel); the mshta.exe key under Internet Explorer\Main is the HTA host initialising. None of these keys carries attacker-controlled data.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  WINWORD.EXE (pid 1668)
Suspicious use of SetWindowsHookEx (16 IoCs)
Processes:
  WINWORD.EXE (pid 1668), 16 calls
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  PID 1668 (WINWORD.EXE) wrote to memory of 1748 (explorer.exe): 4 events
  PID 1704 (explorer.exe) wrote to memory of 1632 (mshta.exe): 4 events
  PID 1668 (WINWORD.EXE) wrote to memory of 472 (splwow64.exe): 4 events
  PID 1632 (mshta.exe) wrote to memory of 1752 (regsvr32.exe): 7 events
  Each writer/target pair is a parent/child pair in the process tree below, so these events record process creation rather than injection into an unrelated process.
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (pid 1668, level 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\material_06.21.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\explorer.exe (pid 1748, level 2)
    Command line: c:\\windows\\explorer c:\programdata\trustPtr.hta
    - Process spawned unexpected child process
  C:\Windows\splwow64.exe (pid 472, level 2)
    Command line: C:\Windows\splwow64.exe 12288
C:\Windows\explorer.exe (pid 1704, level 1)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\mshta.exe (pid 1632, level 2)
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\trustPtr.hta"
    - Blocklisted process makes network request
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (pid 1752, level 3)
      Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\trustPtr.jpg
      - Loads dropped DLL

Chain, read from the tree: the document (which carries VBA resources) has WINWORD.EXE (1668) launch explorer.exe with c:\programdata\trustPtr.hta as its argument. Explorer hands the file to the COM-activated explorer.exe instance (1704, /factory ... -Embedding), which opens it with mshta.exe (1632). The parent of mshta.exe is therefore explorer.exe, not WINWORD.EXE, and a rule that only looks for Office as the direct parent of mshta.exe misses this chain; the link between the two subtrees is the shared .hta path. The HTA then runs regsvr32.exe against c:\users\public\trustPtr.jpg, a PE module under an image extension (regsvr32 passes the path to LoadLibrary, which does not care about the extension; see "Downloads MZ/PE file" and "Loads dropped DLL" above). The System32 path in the regsvr32 command line resolves to SysWOW64 because mshta.exe here is the 32-bit instance and WOW64 file-system redirection applies.
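Detection logic for the chain above, as an added example (not part of this Triage report and not code from the sample). The events are constructed from the report's process tree, with the PIDs taken from the signature tables; the field names pid, ppid, image and cmdline are an assumed sensor schema, not Triage's. Beyond what the tree shows, it demonstrates that a parent/child rule catches WINWORD.EXE -> explorer.exe but never sees WINWORD.EXE in the ancestry of regsvr32.exe, and that the two subtrees can be joined on the .hta path that appears in both explorer.exe's and mshta.exe's command lines.

```python
"""Process-chain detection for a WINWORD -> explorer -> mshta -> regsvr32 launch chain.

Added example; not part of the Triage report. EVENTS is constructed from the
report's process tree; the keys pid/ppid/image/cmdline are an assumed schema.
"""
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"explorer.exe", "mshta.exe", "cmd.exe", "powershell.exe",
                   "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe"}
USER_WRITABLE_DIRS = (r"c:\programdata", r"c:\users\public", r"\appdata\local\temp")
REGSVR32_NORMAL_EXT = {".dll", ".ocx", ".ax"}
_TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')

# Constructed from the report's process tree (pids from the signature tables).
EVENTS = [
    {"pid": 1668, "ppid": 0, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\material_06.21.doc"'},
    {"pid": 1748, "ppid": 1668, "image": r"\??\c:\windows\explorer.exe",
     "cmdline": r"c:\\windows\\explorer c:\programdata\trustPtr.hta"},
    {"pid": 472, "ppid": 1668, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 1704, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"pid": 1632, "ppid": 1704, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\trustPtr.hta"'},
    {"pid": 1752, "ppid": 1632, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" c:\users\public\trustPtr.jpg'},
]


def normalize(path):
    """Lower-case, drop the \\??\\ NT prefix and collapse doubled backslashes
    (the macro-built explorer command line uses them)."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return re.sub(r"\\+", r"\\", p)


def split_args(cmdline):
    """Tokenise a Windows command line, honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def image_name(event):
    return ntpath.basename(event["image"]).lower()


def in_user_writable(path):
    return any(d in normalize(path) for d in USER_WRITABLE_DIRS)


def detect(events):
    """Return (rule, pid, detail) tuples, one per stage of the chain that fires."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        name = image_name(ev)
        parent = by_pid.get(ev["ppid"])
        parent_name = image_name(parent) if parent else None
        args = split_args(ev["cmdline"])[1:]
        # Stage 1: an Office application starting a shell or LOLBin child.
        if parent_name in OFFICE_APPS and name in LOLBIN_CHILDREN:
            alerts.append(("office_spawns_lolbin", ev["pid"], f"{parent_name} -> {name}"))
        # Stage 2: mshta.exe executing an .hta from a user-writable directory.
        if name == "mshta.exe":
            for a in args:
                if normalize(a).endswith(".hta") and in_user_writable(a):
                    alerts.append(("mshta_hta_from_user_writable", ev["pid"], normalize(a)))
        # Stage 3: regsvr32.exe given a module whose extension is not a DLL's (LoadLibrary does not care).
        if name == "regsvr32.exe":
            for a in args:
                if not a.startswith("/") and ntpath.splitext(normalize(a))[1] not in REGSVR32_NORMAL_EXT:
                    alerts.append(("regsvr32_non_dll_extension", ev["pid"], normalize(a)))
    return alerts


def ancestry(events, pid):
    """Walk ppid links upwards; stops where the parent is not in the event set."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def link_by_artifact(events):
    """Join subtrees on a shared file path: the first process that names a path on its
    command line is linked to any other mshta.exe that executes the same path."""
    first_reference = {}
    for ev in events:
        for a in split_args(ev["cmdline"])[1:]:
            first_reference.setdefault(normalize(a), ev["pid"])
    links = []
    for ev in events:
        if image_name(ev) != "mshta.exe":
            continue
        for a in split_args(ev["cmdline"])[1:]:
            src = first_reference.get(normalize(a))
            if src is not None and src != ev["pid"]:
                links.append((src, ev["pid"], normalize(a)))
    return links


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print("ancestry of regsvr32.exe:", ancestry(EVENTS, 1752))  # WINWORD.EXE (1668) is absent
    print("artifact links:", link_by_artifact(EVENTS))
```

The ancestry walk for regsvr32.exe stops at explorer.exe (1704), which is why the artifact link is needed to attribute the whole chain back to the document.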
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\trustPtr.hta
  MD5: a44ac441f49d4b76a771923067edf8ff
  SHA1: 342b41342ce8254b308b0ab7708f904913593c0d
  SHA256: 3b83b1e9090c40d855c8224479da9bbd80d3eb8184b6fc063feb66a27ff9153a
  SHA512: 8ab60ec33efa83f243ca980e4d882e3a95b86e3a383677c57ac1f4d329f2f1695841d3d24995291435d182b281073f332cdd2daf254349f3ab2c6a24b013d6f9
-
\??\c:\users\public\trustPtr.jpg (also recorded as \Users\Public\trustPtr.jpg; same file, identical hashes)
  MD5: e07516d686514996cab6e9bf1454bd1d
  SHA1: d6171de3aefb3693e052dabbea030d86a75a9619
  SHA256: 9c943c355fe788e2fa4b588105dc6d486640dda4b524fa237945c15daa426252
  SHA512: 32e7df3f3e09973850502ac30c2ac4327703b67f6461eb49089119919415da30fe8faa1f24f3be15802d2196db9272b59cd945cb13d258811117284f73f8f86b
-
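"Downloads MZ/PE file" and "Loads dropped DLL" both refer to c:\users\public\trustPtr.jpg, which regsvr32.exe loads in spite of the image extension. The following is an added example, not part of the Triage report and not the dropped sample itself: a minimal PE header parser that answers the two questions an analyst asks of such a file, whether the bytes behind a .jpg name are a PE image at all and whether the COFF characteristics mark it as a DLL. build_stub() constructs a synthetic header as an offline fixture (it is labelled as such in the code); checking the export table for DllRegisterServer is out of scope here.

```python
"""Check whether a file dropped with an image extension is really a PE module.

Added example, not from the Triage report; the sample DLL is not reproduced here.
build_stub() constructs a minimal synthetic PE header so the parser runs offline.
"""
import ntpath
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}
PE_EXTENSIONS = {".dll", ".exe", ".ocx", ".sys", ".ax", ".cpl", ".scr"}


def inspect_pe(data):
    """Parse DOS header -> e_lfanew -> PE signature -> COFF file header.
    Returns a dict of header facts, or None if the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, n_sections, _stamp, _symtab, _n_syms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": n_sections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_32bit": bool(characteristics & IMAGE_FILE_32BIT_MACHINE),
        "optional_header_size": opt_size,
    }


def masquerading_pe(path, data):
    """True when the bytes are a PE but the file name's extension is not one a PE
    normally carries (the trustPtr.jpg case)."""
    info = inspect_pe(data)
    ext = ntpath.splitext(path)[1].lower()
    return info is not None and ext not in PE_EXTENSIONS


def build_stub(is_dll=True, machine=0x014C):
    """Constructed test fixture, not the dropped sample: DOS header, e_lfanew,
    PE signature and a COFF header claiming one section."""
    e_lfanew = 0x40
    dos_header = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    if is_dll:
        characteristics |= IMAGE_FILE_DLL
    coff_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, characteristics)
    return dos_header + IMAGE_NT_SIGNATURE + coff_header


def triage_dropped_file(path, data):
    """One-line summary of a dropped file, as an analyst would record it."""
    info = inspect_pe(data)
    if info is None:
        return f"{path}: not a PE image"
    kind = "DLL" if info["is_dll"] else "EXE"
    note = " (extension does not match a PE)" if masquerading_pe(path, data) else ""
    return f"{path}: PE {kind}, {info['machine']}, {info['sections']} section(s){note}"


if __name__ == "__main__":
    print(triage_dropped_file(r"c:\users\public\trustPtr.jpg", build_stub()))
    print(triage_dropped_file(r"c:\users\public\photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 64))
```

On a real dropped file, read the bytes from disk and pass them to triage_dropped_file; the MZ and PE checks are the same ones the sandbox's "Downloads MZ/PE file" signature is based on.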
memory/472-67-0x0000000000000000-mapping.dmp
memory/1632-69-0x0000000002C70000-0x0000000002C71000-memory.dmp (4KB)
memory/1632-66-0x0000000000000000-mapping.dmp
memory/1668-59-0x00000000726F1000-0x00000000726F4000-memory.dmp (12KB)
memory/1668-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1668-60-0x0000000070171000-0x0000000070173000-memory.dmp (8KB)
memory/1668-77-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
memory/1748-63-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp (8KB)
memory/1748-62-0x0000000000000000-mapping.dmp
memory/1752-70-0x0000000000000000-mapping.dmp
memory/1752-71-0x00000000753B1000-0x00000000753B3000-memory.dmp (8KB)
memory/1752-74-0x000000006B170000-0x000000006B17D000-memory.dmp (52KB)
memory/1752-75-0x000000006B170000-0x000000006B21F000-memory.dmp (700KB)
memory/1752-76-0x0000000000340000-0x0000000000341000-memory.dmp (4KB)