Analysis

  • max time kernel: 273s
  • max time network: 128s
  • platform: windows7_x64
  • resource: win7v20210410
  • submitted: 18-06-2021 14:32

General

  • Target: instruct_06.21.doc
  • Size: 45KB
  • MD5: b21183bab3178f2dcd753e9d079501d4
  • SHA1: d4bc00863ed58580f568de4152dade19df2e8a08
  • SHA256: 943660aff538730507a4e2feb526a1441024ef48e7aaa4515088c80062658f56
  • SHA512: 1fff8e91407ed20d885e9d309c72d775295993f0dfc7587d37494ca66c8b6d0fe2343f4972db00ffcec5585a331c18cfcebd2c1082639fe01f696c9f9121a958

Malware Config

Extracted

  • Family: gozi_ifsb
  • Botnet: 6000
  • C2:
    • authd.feronok.com
    • app.bighomegl.at
  • Attributes:
    • build: 250204
    • exe_type: loader
    • server_id: 580
  • rsa_pubkey.base64
  • serpent.plain

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Process spawned unexpected child process (1 IoC)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 9 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (18 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\instruct_06.21.doc"
    PID:1208
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\splwow64.exe (child of PID 1208)
      C:\Windows\splwow64.exe 12288
      PID:1740
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
    PID:1980
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\regsvr32.exe (child of PID 1980)
      regsvr32 c:\programdata\leftStructBorder.jpg
      PID:1828
      • Process spawned unexpected child process
      • Loads dropped DLL
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID:1852

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry, T1112 (1)

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
    MD5: 26af2941494a3e84960aa48eb13f31a8
    SHA1: 4bbacbcc973075d7957b4b9c40a9341ef1976a84
    SHA256: 4fa31d83b5fcde512f9649ee243e0811c59c0f773154d8216f85dcd584e82fcb
    SHA512: dfc28e1a593fd30184dfe7b13a0425d598ce75e0d32144998f7ce3098c9cbf5ddd893d75665bdf3c38e9660dcf53c513401361692a4b7126bdaf431143a25d10

  • \??\c:\programdata\leftStructBorder.jpg
    MD5: 28a12a56e6727296f8cb5de148a006cd
    SHA1: 969c92516f04daf3c23fc71160749b0196aca0de
    SHA256: e7c2f8fcbe5e55b76a93777362c62fdec9c6e067dae4647b0e135040b32fa39f
    SHA512: f60c0e79349fe4a403745a1727c9ff6acdeb43039625ff946f80baea3aa84261da448561a21ed3d720e58ab8d4417b8477167c6a71e6fd39cc031f58a23fcfe6

  • \ProgramData\leftStructBorder.jpg
    MD5: 28a12a56e6727296f8cb5de148a006cd
    SHA1: 969c92516f04daf3c23fc71160749b0196aca0de
    SHA256: e7c2f8fcbe5e55b76a93777362c62fdec9c6e067dae4647b0e135040b32fa39f
    SHA512: f60c0e79349fe4a403745a1727c9ff6acdeb43039625ff946f80baea3aa84261da448561a21ed3d720e58ab8d4417b8477167c6a71e6fd39cc031f58a23fcfe6

  • memory/1208-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1208-60-0x000000006FE01000-0x000000006FE03000-memory.dmp (Filesize: 8KB)
  • memory/1208-59-0x0000000072381000-0x0000000072384000-memory.dmp (Filesize: 12KB)
  • memory/1740-72-0x0000000000000000-mapping.dmp
  • memory/1740-73-0x000007FEFB881000-0x000007FEFB883000-memory.dmp (Filesize: 8KB)
  • memory/1828-66-0x0000000000000000-mapping.dmp
  • memory/1828-67-0x0000000075561000-0x0000000075563000-memory.dmp (Filesize: 8KB)
  • memory/1828-70-0x00000000001B0000-0x0000000000240000-memory.dmp (Filesize: 576KB)
  • memory/1828-74-0x00000000001B0000-0x00000000001BD000-memory.dmp (Filesize: 52KB)
  • memory/1828-75-0x0000000000350000-0x0000000000351000-memory.dmp (Filesize: 4KB)
  • memory/1980-71-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)