gozi_ifsb | 80716bed129a179e1774b3d825fbb7348369acba937005e32dc3577684bc6425

General

Target

direct.06.21.doc
Size

45KB
MD5

fd6e7c4dc800744dd6fa8978e53f6d06
SHA1

cf3f4b86884bd1e09829d4b6068bba85fa38678a
SHA256

80716bed129a179e1774b3d825fbb7348369acba937005e32dc3577684bc6425
SHA512

ceb2a7abfe7aceef7ff87f14a970055d1cb99cf8aa082a94ad29bee3fc9f3e7e4fba316a6eaffefdd1516c455353119de39965d774a21216124e4fdec1db97af

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	832	804	regsvr32.exe	WINWORD.EXE

Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

832 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

pid	process
832	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1536 WINWORD.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
1536	WINWORD.EXE
804	WINWORD.EXE
804	WINWORD.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

description	pid	process	target process
PID 804 wrote to memory of 832	804	WINWORD.EXE	regsvr32.exe
PID 804 wrote to memory of 832	804	WINWORD.EXE	regsvr32.exe
PID 804 wrote to memory of 832	804	WINWORD.EXE	regsvr32.exe
PID 804 wrote to memory of 832	804	WINWORD.EXE	regsvr32.exe
PID 804 wrote to memory of 832	804	WINWORD.EXE	regsvr32.exe
PID 804 wrote to memory of 832	804	WINWORD.EXE	regsvr32.exe
PID 804 wrote to memory of 832	804	WINWORD.EXE	regsvr32.exe
PID 1536 wrote to memory of 1388	1536	WINWORD.EXE	splwow64.exe
PID 1536 wrote to memory of 1388	1536	WINWORD.EXE	splwow64.exe
PID 1536 wrote to memory of 1388	1536	WINWORD.EXE	splwow64.exe
PID 1536 wrote to memory of 1388	1536	WINWORD.EXE	splwow64.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\direct.06.21.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1388

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 c:\programdata\constException.jpg
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
MD5
2e1daed386ad1fd05a062433d6a44d41

SHA1
269e26c5146f803c4953bc853152e33f5a187955

SHA256
939913b0b8210ae7a7abe12b5cc73b03fb30a708c21fedae1e435054a0e7eb5c

SHA512
fe86997742aef06171e2a354286f57bf36b43333de9ef893a4be3e1e74ae2440a912c50ed6b8ac33171615acc15a9ed8451a6ac74b5e49726754069c9c9e4567

Download Submit
\??\c:\programdata\constException.jpg
MD5
b5abe189b30447a976d6871501446c84

SHA1
7bbd1d674beaa4c8dd45529eb74caef59e831b1d

SHA256
4aa25c7a6d8d5438dfe28c8bd4a702df83ce6a23a48e909bb92a7753d0093176

SHA512
b4d92cc789387daf5b4866ec9ebd70e952b46d9dbdeb2e8c6ba0408f600b91e3f3b8e127bd2613d0eca10aabb2e3583a1d4f77312f303ce5eb293416a44b4a43

Download Submit
\ProgramData\constException.jpg
MD5
b5abe189b30447a976d6871501446c84

SHA1
7bbd1d674beaa4c8dd45529eb74caef59e831b1d

SHA256
4aa25c7a6d8d5438dfe28c8bd4a702df83ce6a23a48e909bb92a7753d0093176

SHA512
b4d92cc789387daf5b4866ec9ebd70e952b46d9dbdeb2e8c6ba0408f600b91e3f3b8e127bd2613d0eca10aabb2e3583a1d4f77312f303ce5eb293416a44b4a43

Download Submit
memory/804-71-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/832-66-0x0000000000000000-mapping.dmp

Download
memory/832-67-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/832-70-0x00000000001B0000-0x0000000000240000-memory.dmp

Filesize
576KB

Download
memory/832-74-0x00000000001B0000-0x00000000001BD000-memory.dmp

Filesize
52KB

Download
memory/832-75-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1388-72-0x0000000000000000-mapping.dmp

Download
memory/1388-73-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download
memory/1536-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1536-60-0x00000000707D1000-0x00000000707D3000-memory.dmp

Filesize
8KB

Download
memory/1536-59-0x0000000072D51000-0x0000000072D54000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads