Analysis
- max time kernel: 207s
- max time network: 155s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 18-06-2021 14:35
Static task: static1
Behavioral task: behavioral1
  Sample: direct.06.21.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: direct.06.21.doc
  Resource: win10v20210410
(The results below are from the windows7_x64 run, per the platform and resource fields above.)
General
- Target: direct.06.21.doc
- Size: 45KB
- MD5:    fd6e7c4dc800744dd6fa8978e53f6d06
- SHA1:   cf3f4b86884bd1e09829d4b6068bba85fa38678a
- SHA256: 80716bed129a179e1774b3d825fbb7348369acba937005e32dc3577684bc6425
- SHA512: ceb2a7abfe7aceef7ff87f14a970055d1cb99cf8aa082a94ad29bee3fc9f3e7e4fba316a6eaffefdd1516c455353119de39965d774a21216124e4fdec1db97af
Malware Config
Extracted
- Family: gozi_ifsb (Gozi/ISFB, also tracked as Ursnif)
- Botnet ID: 6000
- C2 hosts: authd.feronok.com, app.bighomegl.at
- build: 250204
- exe_type: loader
- server_id: 580
(The config was pulled from the loader stage, as exe_type says; the two hosts and the build number are the indicators worth pivoting on.)
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process
    pid 832 regsvr32.exe (child)  |  pid_target 804 WINWORD.EXE (parent)
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes:
    pid 832 regsvr32.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
  (wiatrace.log is the Windows Image Acquisition trace log; Word touching it is routine and not, by itself, a sign of compromise.)
- Office loads VBA resources, possible macro or embedded object present
- Modifies Internet Explorer settings
  Processes (all by WINWORD.EXE, under \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer):
    Key created:     MenuExt
    Key created:     MenuExt\Se&nd to OneNote
    Set value (str): MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Set value (int): MenuExt\Se&nd to OneNote\Contexts = "55"
    Key created:     MenuExt\E&xport to Microsoft Excel
    Set value (str): MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Set value (int): MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Key created:     Toolbar
    Set value (str): Toolbar\ShowDiscussionButton = "Yes"
  (These are Office 2010's standard IE integration entries, Send to OneNote and Export to Excel, that Word writes on first run in a fresh profile; they are not attacker-controlled configuration.)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 1536 WINWORD.EXE
- Suspicious use of SetWindowsHookEx (18 IoCs)
  Processes:
    pid 1536 WINWORD.EXE (16 events)
    pid 804 WINWORD.EXE (2 events)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 804 WINWORD.EXE wrote to memory of 832 regsvr32.exe (7 events)
    PID 1536 WINWORD.EXE wrote to memory of 1388 splwow64.exe (4 events)
  (A parent writing into a process it has just created is part of normal process start-up; the signal here is the pairing of the 804 -> 832 writes with regsvr32.exe, not the API call itself.)
Processes
(PIDs are taken from the signature tables above.)
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 1536)
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\direct.06.21.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe  (PID 1388)
    C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 804)
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe  (PID 832)
    regsvr32 c:\programdata\constException.jpg
    - Process spawned unexpected child process
    - Loads dropped DLL
The chain that matters is the second Word instance (started through COM automation, hence /Automation -Embedding) launching regsvr32.exe on a file written to C:\ProgramData under a .jpg name. regsvr32 does not care about the extension: it maps the file as a DLL and calls its DllRegisterServer export, so the image name only defeats a casual extension-based review. splwow64.exe, by contrast, is the print spooler's 32-bit/64-bit thunking helper and is a normal child of 32-bit Office on x64 Windows.
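The Office -> regsvr32 pairing above is the kind of event a process-creation rule catches before the payload gets to run. The following is an added example and not part of this report or the sandbox's own signature logic: a small Python detector run over constructed Sysmon-style process events. The PIDs and command lines of the two Word-parented events are copied from this report; the vendor installer event, the allow-list of expected Office children and the list of user-writable prefixes are assumptions chosen for illustration.

```python
"""Flag Office parents spawning LOLBins, and regsvr32 loading non-DLL files."""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed events in a Sysmon Event ID 1 style (field names shortened).
# The first two copy PIDs/command lines from the report; the third is an
# invented benign control case (a vendor installer registering its own DLL).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "1388", "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288", "ppid": "1536",
     "parent_image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"},
    {"pid": "832", "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32 c:\programdata\constException.jpg", "ppid": "804",
     "parent_image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"},
    {"pid": "4100", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"', "ppid": "4090",
     "parent_image": r"C:\Program Files\Vendor\setup.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Assumed allow-list: children Office launches in normal use. Anything else
# from an Office parent is reported, which mirrors the sandbox signature.
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}
MODULE_EXTENSIONS = {".dll", ".ocx", ".ax"}
# Assumed list of locations a macro can write to without elevation.
USER_WRITABLE_PREFIXES = ("c:\\programdata", "c:\\users\\", "c:\\windows\\temp")


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def regsvr32_module(cmdline: str) -> Optional[str]:
    """Return the module regsvr32 was asked to load: the last non-switch argument."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    args = [t.strip('"') for t in tokens[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else None


def evaluate(event: Dict[str, str]) -> List[str]:
    """Reasons this single event is suspicious; empty list means clean."""
    reasons: List[str] = []
    parent, child = image_name(event["parent_image"]), image_name(event["image"])
    if parent in OFFICE_APPS and child not in EXPECTED_OFFICE_CHILDREN:
        reasons.append(f"office parent {parent} spawned {child}")
    if child == "regsvr32.exe":
        module = regsvr32_module(event["cmdline"])
        if module:
            ext = ntpath.splitext(module)[1].lower()
            if ext not in MODULE_EXTENSIONS:
                reasons.append(f"regsvr32 loading a module with extension {ext!r}: {module}")
            if module.lower().startswith(USER_WRITABLE_PREFIXES):
                reasons.append(f"regsvr32 module in a user-writable location: {module}")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map the PID of every flagged event to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        reasons = evaluate(event)
        if reasons:
            findings[event["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the three constructed events only PID 832 is reported, with three independent reasons (Office parent, .jpg extension, ProgramData location); splwow64.exe passes because it is on the allow-list, and the installer passes because neither its parent nor its module path is anomalous. In production the allow-list is the part that needs tuning per environment.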
Network
Downloads (artifacts captured from the run)
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
  MD5:    2e1daed386ad1fd05a062433d6a44d41
  SHA1:   269e26c5146f803c4953bc853152e33f5a187955
  SHA256: 939913b0b8210ae7a7abe12b5cc73b03fb30a708c21fedae1e435054a0e7eb5c
  SHA512: fe86997742aef06171e2a354286f57bf36b43333de9ef893a4be3e1e74ae2440a912c50ed6b8ac33171615acc15a9ed8451a6ac74b5e49726754069c9c9e4567
  (Word's English AutoCorrect list; written by Word itself and not part of the attack.)
- \??\c:\programdata\constException.jpg
  MD5:    b5abe189b30447a976d6871501446c84
  SHA1:   7bbd1d674beaa4c8dd45529eb74caef59e831b1d
  SHA256: 4aa25c7a6d8d5438dfe28c8bd4a702df83ce6a23a48e909bb92a7753d0093176
  SHA512: b4d92cc789387daf5b4866ec9ebd70e952b46d9dbdeb2e8c6ba0408f600b91e3f3b8e127bd2613d0eca10aabb2e3583a1d4f77312f303ce5eb293416a44b4a43
- \ProgramData\constException.jpg
  MD5:    b5abe189b30447a976d6871501446c84
  SHA1:   7bbd1d674beaa4c8dd45529eb74caef59e831b1d
  SHA256: 4aa25c7a6d8d5438dfe28c8bd4a702df83ce6a23a48e909bb92a7753d0093176
  SHA512: b4d92cc789387daf5b4866ec9ebd70e952b46d9dbdeb2e8c6ba0408f600b91e3f3b8e127bd2613d0eca10aabb2e3583a1d4f77312f303ce5eb293416a44b4a43
  (Same file as the previous entry, recorded once under its NT object path and once under its Win32 path; the hashes are identical. This is the DLL that regsvr32.exe loaded, so despite the .jpg name it is an MZ/PE image.)
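A dropped file's extension is chosen by the attacker; the header is not. The following added example (not from the report or the sandbox) shows the check an analyst runs on such an artifact: identify the real type from the MZ/PE headers, read the IMAGE_FILE_DLL flag so a "photo" that is really a DLL is called out, hash it with the four algorithms the report uses, and compare against the reported SHA256. It runs on a constructed minimal MZ/PE stub and a constructed JPEG header, not on the real sample, so its hashes do not match the report's; the REPORTED_SHA256 set is copied from the report only to show the matching step.

```python
"""Identify a dropped file by its header, not its name, and hash it."""
import hashlib
import struct
from typing import Dict

# IMAGE_FILE_HEADER.Characteristics flags (PE specification).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000

# SHA256 of c:\programdata\constException.jpg as listed in this report.
REPORTED_SHA256 = {"4aa25c7a6d8d5438dfe28c8bd4a702df83ce6a23a48e909bb92a7753d0093176"}


def classify(data: bytes) -> str:
    """Return the real file type from magic bytes: jpeg, pe-dll, pe-exe, mz-only or unknown."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "mz-only"                                         # DOS stub without a PE header
    # IMAGE_FILE_HEADER follows the signature: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    *_, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return "pe-dll" if characteristics & IMAGE_FILE_DLL else "pe-exe"


def hashes(data: bytes) -> Dict[str, str]:
    """The four digests the sandbox report lists per file."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def triage_dropped_file(name: str, data: bytes) -> Dict[str, object]:
    """Type, extension mismatch, IOC match and hashes for one dropped artifact."""
    kind = classify(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    mismatch = kind.startswith("pe") and ext not in {"dll", "exe", "ocx", "ax", "sys"}
    digests = hashes(data)
    return {"name": name, "type": kind, "extension_mismatch": mismatch,
            "known_ioc": digests["sha256"] in REPORTED_SHA256, **digests}


def build_stub_pe(is_dll: bool) -> bytes:
    """Constructed minimal MZ + PE file header (not a loadable image), used as sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE header right after the DOS header
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | (IMAGE_FILE_DLL if is_dll else 0)
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, chars)   # Machine 0x14C = i386
    return bytes(dos) + b"PE\0\0" + file_header


# Constructed sample inputs: a DLL hiding behind a .jpg name, and a real JPEG header.
SAMPLES = {
    "constException.jpg": build_stub_pe(is_dll=True),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 16,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage_dropped_file(name, data))
```

The extension check is deliberately done after the header check: the interesting case is exactly a PE whose name says otherwise. On the real artifact you would also expect the loader's exports (regsvr32 needs DllRegisterServer) and could extend classify to walk the export directory; that is out of scope here.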
Memory dumps
- memory/804-71-0x000000005FFF0000-0x0000000060000000-memory.dmp  (64KB)
- memory/832-66-0x0000000000000000-mapping.dmp
- memory/832-67-0x0000000075D11000-0x0000000075D13000-memory.dmp  (8KB)
- memory/832-70-0x00000000001B0000-0x0000000000240000-memory.dmp  (576KB)
- memory/832-74-0x00000000001B0000-0x00000000001BD000-memory.dmp  (52KB)
- memory/832-75-0x0000000000150000-0x0000000000151000-memory.dmp  (4KB)
- memory/1388-72-0x0000000000000000-mapping.dmp
- memory/1388-73-0x000007FEFC251000-0x000007FEFC253000-memory.dmp  (8KB)
- memory/1536-61-0x000000005FFF0000-0x0000000060000000-memory.dmp  (64KB)
- memory/1536-60-0x00000000707D1000-0x00000000707D3000-memory.dmp  (8KB)
- memory/1536-59-0x0000000072D51000-0x0000000072D54000-memory.dmp  (12KB)
(File names are PID-sequence-range. The dumps from PID 832, regsvr32.exe, are the natural place to start when looking for the unpacked loader, since that is the process that mapped constException.jpg; the 64KB regions at 0x5FFF0000 in both Word instances are the same range and are not specific to the malicious one.)