Analysis

  • max time kernel
    119s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    14-06-2021 15:17

General

  • Target

    material_06.21.doc

  • Size

    49KB

  • MD5

    90f830f394798beeab08062829ad1103

  • SHA1

    14ae965eadf99d78177ca24544de9f7b1d35a744

  • SHA256

    54f88a13720f577d84c6e97491f588e7c79b4b6e9df490faef663de2c19cc12c

  • SHA512

    4f141b38a11ab279d981ac944ba9fb0e3614cfaabd30dccb8ae0f3859a0c904bf1c5089060311efced85becfb3b88954c33a1712aae3e2b3566432eb49cd4f76

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes
  • build

    250204

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\material_06.21.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1668
    • \??\c:\windows\explorer.exe
      c:\\windows\\explorer c:\programdata\trustPtr.hta
      2⤵
      • Process spawned unexpected child process
      PID:1748
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:472
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\trustPtr.hta"
        2⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\users\public\trustPtr.jpg
          3⤵
          • Loads dropped DLL
          PID:1752

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\trustPtr.hta
      MD5

      a44ac441f49d4b76a771923067edf8ff

      SHA1

      342b41342ce8254b308b0ab7708f904913593c0d

      SHA256

      3b83b1e9090c40d855c8224479da9bbd80d3eb8184b6fc063feb66a27ff9153a

      SHA512

      8ab60ec33efa83f243ca980e4d882e3a95b86e3a383677c57ac1f4d329f2f1695841d3d24995291435d182b281073f332cdd2daf254349f3ab2c6a24b013d6f9

    • \??\c:\users\public\trustPtr.jpg
      MD5

      e07516d686514996cab6e9bf1454bd1d

      SHA1

      d6171de3aefb3693e052dabbea030d86a75a9619

      SHA256

      9c943c355fe788e2fa4b588105dc6d486640dda4b524fa237945c15daa426252

      SHA512

      32e7df3f3e09973850502ac30c2ac4327703b67f6461eb49089119919415da30fe8faa1f24f3be15802d2196db9272b59cd945cb13d258811117284f73f8f86b

    • \Users\Public\trustPtr.jpg
      MD5

      e07516d686514996cab6e9bf1454bd1d

      SHA1

      d6171de3aefb3693e052dabbea030d86a75a9619

      SHA256

      9c943c355fe788e2fa4b588105dc6d486640dda4b524fa237945c15daa426252

      SHA512

      32e7df3f3e09973850502ac30c2ac4327703b67f6461eb49089119919415da30fe8faa1f24f3be15802d2196db9272b59cd945cb13d258811117284f73f8f86b

    • memory/472-67-0x0000000000000000-mapping.dmp
    • memory/1632-69-0x0000000002C70000-0x0000000002C71000-memory.dmp
      Filesize

      4KB

    • memory/1632-66-0x0000000000000000-mapping.dmp
    • memory/1668-59-0x00000000726F1000-0x00000000726F4000-memory.dmp
      Filesize

      12KB

    • memory/1668-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1668-60-0x0000000070171000-0x0000000070173000-memory.dmp
      Filesize

      8KB

    • memory/1668-77-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1748-63-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp
      Filesize

      8KB

    • memory/1748-62-0x0000000000000000-mapping.dmp
    • memory/1752-70-0x0000000000000000-mapping.dmp
    • memory/1752-71-0x00000000753B1000-0x00000000753B3000-memory.dmp
      Filesize

      8KB

    • memory/1752-74-0x000000006B170000-0x000000006B17D000-memory.dmp
      Filesize

      52KB

    • memory/1752-75-0x000000006B170000-0x000000006B21F000-memory.dmp
      Filesize

      700KB

    • memory/1752-76-0x0000000000340000-0x0000000000341000-memory.dmp
      Filesize

      4KB