Analysis
-
max time kernel
273s -
max time network
128s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
18-06-2021 14:32
Static task
static1
Behavioral task
behavioral1
Sample
instruct_06.21.doc
Resource
win7v20210410
Behavioral task
behavioral2
Sample
instruct_06.21.doc
Resource
win10v20210408
General
-
Target
instruct_06.21.doc
-
Size
45KB
-
MD5
b21183bab3178f2dcd753e9d079501d4
-
SHA1
d4bc00863ed58580f568de4152dade19df2e8a08
-
SHA256
943660aff538730507a4e2feb526a1441024ef48e7aaa4515088c80062658f56
-
SHA512
1fff8e91407ed20d885e9d309c72d775295993f0dfc7587d37494ca66c8b6d0fe2343f4972db00ffcec5585a331c18cfcebd2c1082639fe01f696c9f9121a958
Malware Config
Extracted
gozi_ifsb
6000
authd.feronok.com
app.bighomegl.at
-
build
250204
-
exe_type
loader
-
server_id
580
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
regsvr32.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1828 1980 regsvr32.exe WINWORD.EXE -
Downloads MZ/PE file
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 1828 regsvr32.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1208 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
WINWORD.EXEWINWORD.EXEpid process 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1208 WINWORD.EXE 1980 WINWORD.EXE 1980 WINWORD.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
WINWORD.EXEWINWORD.EXEdescription pid process target process PID 1980 wrote to memory of 1828 1980 WINWORD.EXE regsvr32.exe PID 1980 wrote to memory of 1828 1980 WINWORD.EXE regsvr32.exe PID 1980 wrote to memory of 1828 1980 WINWORD.EXE regsvr32.exe PID 1980 wrote to memory of 1828 1980 WINWORD.EXE regsvr32.exe PID 1980 wrote to memory of 1828 1980 WINWORD.EXE regsvr32.exe PID 1980 wrote to memory of 1828 1980 WINWORD.EXE regsvr32.exe PID 1980 wrote to memory of 1828 1980 WINWORD.EXE regsvr32.exe PID 1208 wrote to memory of 1740 1208 WINWORD.EXE splwow64.exe PID 1208 wrote to memory of 1740 1208 WINWORD.EXE splwow64.exe PID 1208 wrote to memory of 1740 1208 WINWORD.EXE splwow64.exe PID 1208 wrote to memory of 1740 1208 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\instruct_06.21.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 c:\programdata\leftStructBorder.jpg2⤵
- Process spawned unexpected child process
- Loads dropped DLL
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.aclMD5
26af2941494a3e84960aa48eb13f31a8
SHA14bbacbcc973075d7957b4b9c40a9341ef1976a84
SHA2564fa31d83b5fcde512f9649ee243e0811c59c0f773154d8216f85dcd584e82fcb
SHA512dfc28e1a593fd30184dfe7b13a0425d598ce75e0d32144998f7ce3098c9cbf5ddd893d75665bdf3c38e9660dcf53c513401361692a4b7126bdaf431143a25d10
-
\??\c:\programdata\leftStructBorder.jpgMD5
28a12a56e6727296f8cb5de148a006cd
SHA1969c92516f04daf3c23fc71160749b0196aca0de
SHA256e7c2f8fcbe5e55b76a93777362c62fdec9c6e067dae4647b0e135040b32fa39f
SHA512f60c0e79349fe4a403745a1727c9ff6acdeb43039625ff946f80baea3aa84261da448561a21ed3d720e58ab8d4417b8477167c6a71e6fd39cc031f58a23fcfe6
-
\ProgramData\leftStructBorder.jpgMD5
28a12a56e6727296f8cb5de148a006cd
SHA1969c92516f04daf3c23fc71160749b0196aca0de
SHA256e7c2f8fcbe5e55b76a93777362c62fdec9c6e067dae4647b0e135040b32fa39f
SHA512f60c0e79349fe4a403745a1727c9ff6acdeb43039625ff946f80baea3aa84261da448561a21ed3d720e58ab8d4417b8477167c6a71e6fd39cc031f58a23fcfe6
-
memory/1208-61-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1208-60-0x000000006FE01000-0x000000006FE03000-memory.dmpFilesize
8KB
-
memory/1208-59-0x0000000072381000-0x0000000072384000-memory.dmpFilesize
12KB
-
memory/1740-72-0x0000000000000000-mapping.dmp
-
memory/1740-73-0x000007FEFB881000-0x000007FEFB883000-memory.dmpFilesize
8KB
-
memory/1828-66-0x0000000000000000-mapping.dmp
-
memory/1828-67-0x0000000075561000-0x0000000075563000-memory.dmpFilesize
8KB
-
memory/1828-70-0x00000000001B0000-0x0000000000240000-memory.dmpFilesize
576KB
-
memory/1828-74-0x00000000001B0000-0x00000000001BD000-memory.dmpFilesize
52KB
-
memory/1828-75-0x0000000000350000-0x0000000000351000-memory.dmpFilesize
4KB
-
memory/1980-71-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB