Analysis
- max time kernel: 99s
- max time network: 93s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 18-06-2021 14:37
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: legal paper-06.18.2021.doc
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: legal paper-06.18.2021.doc
  Resource: win10v20210410
General
- Target: legal paper-06.18.2021.doc
- Size: 45KB
- MD5: 431c63dfcdbee4be13b948b6340382ce
- SHA1: f60de0bd4c89c99fc385f72636f50135387a3121
- SHA256: 9c3557c82143354e46734497c9237af055f29f8335460e26867e2662ca38926c
- SHA512: f6471d7b7393dd2b5febbdde0b0ae4bf86fa3418afcb7443e906e0ca717d8700cbb86fcc0995cdd8667a87f349706f02956f1906033a3fe68644eced092f5b41
Malware Config
Extracted
- Family: gozi_ifsb
- 6000
- authd.feronok.com
- app.bighomegl.at
- build: 250204
- exe_type: loader
- server_id: 580
Signatures

- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description | pid | pid_target | process | target process):
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 324 | 1772 | regsvr32.exe | WINWORD.EXE

- Downloads MZ/PE file

- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  324 | regsvr32.exe

- Drops file in Windows directory (1 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE

- Office loads VBA resources, possible macro or embedded object present

- Modifies Internet Explorer settings
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
  1088 | WINWORD.EXE

- Suspicious use of SetWindowsHookEx (18 IoCs)
  Processes (pid | process):
  1088 | WINWORD.EXE (16 entries)
  1772 | WINWORD.EXE (2 entries)

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  PID 1772 wrote to memory of 324 | 1772 | WINWORD.EXE | regsvr32.exe (7 entries)
  PID 1088 wrote to memory of 1184 | 1088 | WINWORD.EXE | splwow64.exe (4 entries)
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\legal paper-06.18.2021.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288

- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 c:\programdata\pasteTmpRequest.jpg
    - Process spawned unexpected child process
    - Loads dropped DLL
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
  MD5: 8405d652305dfa922f209ccc2e5cb07c
  SHA1: 4614db73a5e2c1d416e8acad7660e33483b47d95
  SHA256: 68a4e0c2d7a56ce00d195574a90cce5ec21db934094568a87b68b61170a29cc6
  SHA512: 412794b92e79428e61ef4e831258f8efd202301335fb92749f27b17f5ddac2f5569799deb0e5a8e37bbd8acdb1e8761f21c210f6ebd789f0d7a255bcd3e15b1d

- \??\c:\programdata\pasteTmpRequest.jpg
  MD5: e4457128cf9d87849ef0251a6146738d
  SHA1: 396fa3cbb7075c8b7a828682cdc44613840fe468
  SHA256: 2e814617fc989bb95eec86c96114c76bab58c30256787ad9de8a7ffd2c808fe4
  SHA512: 25019374a2f1e0476f773ff0b225e128cbc33fe66e01899a8772ec1597ac746b639e4db423301fef17502d0229cfa2c5371fff68e5581ef56ec0acd830add334

- \ProgramData\pasteTmpRequest.jpg
  MD5: e4457128cf9d87849ef0251a6146738d
  SHA1: 396fa3cbb7075c8b7a828682cdc44613840fe468
  SHA256: 2e814617fc989bb95eec86c96114c76bab58c30256787ad9de8a7ffd2c808fe4
  SHA512: 25019374a2f1e0476f773ff0b225e128cbc33fe66e01899a8772ec1597ac746b639e4db423301fef17502d0229cfa2c5371fff68e5581ef56ec0acd830add334

- memory/324-66-0x0000000000000000-mapping.dmp

- memory/324-67-0x00000000753B1000-0x00000000753B3000-memory.dmp
  Filesize: 8KB

- memory/324-70-0x00000000003B0000-0x0000000000440000-memory.dmp
  Filesize: 576KB

- memory/324-74-0x00000000003B0000-0x00000000003BD000-memory.dmp
  Filesize: 52KB

- memory/324-75-0x0000000000110000-0x0000000000111000-memory.dmp
  Filesize: 4KB

- memory/1088-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

- memory/1088-60-0x0000000070171000-0x0000000070173000-memory.dmp
  Filesize: 8KB

- memory/1088-59-0x00000000726F1000-0x00000000726F4000-memory.dmp
  Filesize: 12KB

- memory/1184-72-0x0000000000000000-mapping.dmp

- memory/1184-73-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp
  Filesize: 8KB

- memory/1772-71-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB