gozi_ifsb | 9c3557c82143354e46734497c9237af055f29f8335460e26867e2662ca38926c

General

Target

legal paper-06.18.2021.doc
Size

45KB
MD5

431c63dfcdbee4be13b948b6340382ce
SHA1

f60de0bd4c89c99fc385f72636f50135387a3121
SHA256

9c3557c82143354e46734497c9237af055f29f8335460e26867e2662ca38926c
SHA512

f6471d7b7393dd2b5febbdde0b0ae4bf86fa3418afcb7443e906e0ca717d8700cbb86fcc0995cdd8667a87f349706f02956f1906033a3fe68644eced092f5b41

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	324	1772	regsvr32.exe	WINWORD.EXE

Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

324 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
324	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1088 WINWORD.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1088	WINWORD.EXE
1772	WINWORD.EXE
1772	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

description	pid	process	target process
PID 1772 wrote to memory of 324	1772	WINWORD.EXE	regsvr32.exe
PID 1772 wrote to memory of 324	1772	WINWORD.EXE	regsvr32.exe
PID 1772 wrote to memory of 324	1772	WINWORD.EXE	regsvr32.exe
PID 1772 wrote to memory of 324	1772	WINWORD.EXE	regsvr32.exe
PID 1772 wrote to memory of 324	1772	WINWORD.EXE	regsvr32.exe
PID 1772 wrote to memory of 324	1772	WINWORD.EXE	regsvr32.exe
PID 1772 wrote to memory of 324	1772	WINWORD.EXE	regsvr32.exe
PID 1088 wrote to memory of 1184	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 1184	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 1184	1088	WINWORD.EXE	splwow64.exe
PID 1088 wrote to memory of 1184	1088	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal paper-06.18.2021.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1184

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\programdata\pasteTmpRequest.jpg
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
MD5
8405d652305dfa922f209ccc2e5cb07c

SHA1
4614db73a5e2c1d416e8acad7660e33483b47d95

SHA256
68a4e0c2d7a56ce00d195574a90cce5ec21db934094568a87b68b61170a29cc6

SHA512
412794b92e79428e61ef4e831258f8efd202301335fb92749f27b17f5ddac2f5569799deb0e5a8e37bbd8acdb1e8761f21c210f6ebd789f0d7a255bcd3e15b1d

Download Submit
\??\c:\programdata\pasteTmpRequest.jpg
MD5
e4457128cf9d87849ef0251a6146738d

SHA1
396fa3cbb7075c8b7a828682cdc44613840fe468

SHA256
2e814617fc989bb95eec86c96114c76bab58c30256787ad9de8a7ffd2c808fe4

SHA512
25019374a2f1e0476f773ff0b225e128cbc33fe66e01899a8772ec1597ac746b639e4db423301fef17502d0229cfa2c5371fff68e5581ef56ec0acd830add334

Download Submit
\ProgramData\pasteTmpRequest.jpg
MD5
e4457128cf9d87849ef0251a6146738d

SHA1
396fa3cbb7075c8b7a828682cdc44613840fe468

SHA256
2e814617fc989bb95eec86c96114c76bab58c30256787ad9de8a7ffd2c808fe4

SHA512
25019374a2f1e0476f773ff0b225e128cbc33fe66e01899a8772ec1597ac746b639e4db423301fef17502d0229cfa2c5371fff68e5581ef56ec0acd830add334

Download Submit
memory/324-66-0x0000000000000000-mapping.dmp

Download
memory/324-67-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/324-70-0x00000000003B0000-0x0000000000440000-memory.dmp

Filesize
576KB

Download
memory/324-74-0x00000000003B0000-0x00000000003BD000-memory.dmp

Filesize
52KB

Download
memory/324-75-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1088-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1088-60-0x0000000070171000-0x0000000070173000-memory.dmp

Filesize
8KB

Download
memory/1088-59-0x00000000726F1000-0x00000000726F4000-memory.dmp

Filesize
12KB

Download
memory/1184-72-0x0000000000000000-mapping.dmp

Download
memory/1184-73-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/1772-71-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads