Resubmissions

15-09-2021 08:02

210915-jxlq9sdcap 10

21-06-2021 14:09

210621-9vqvyrxbas 10

Analysis

  • max time kernel
    96s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-06-2021 14:09

General

  • Target

    ordain.06.21.2021.doc

  • Size

    49KB

  • MD5

    13731c9cb360c300137bcb1779267f41

  • SHA1

    cf816dc25baf65c92550452e3abe7f871af7f55a

  • SHA256

    89816b893e66ff5eb9a42c14a2223e451e178c944438365ccecc9a8d1d64e6e8

  • SHA512

    819e65feef603801ef28fd17a986085df277e5cb36c701a2471c00a4714ce51e376f4644ff9c264222bd35ec7192d4f62675673570a8633e330d337b921c1756

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

authd.feronok.com

app.bighomegl.at

Attributes
  • build

    250204

  • exe_type

    loader

  • server_id

    580

rsa_pubkey.base64
serpent.plain

Signatures

  • Gozi, Gozi ISFB

    Gozi ISFB is a well-known and widely distributed banking trojan. The extracted configuration (family gozi_ifsb, botnet 6000, build 250204, exe_type loader) identifies this stage as the loader component, with two C2 hosts listed above.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. Here WINWORD.EXE (PID 792) spawns explorer.exe to open an .hta dropped in C:\ProgramData, which together with the "Office loads VBA resources" signature below points to a VBA macro rather than an exploit.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's description is generic ("likely ransomware behaviour"); for this sample the behaviour belongs to a Gozi ISFB loader, not ransomware, so treat the drive enumeration as reconnaissance rather than as an encryption indicator.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordain.06.21.2021.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\SysWOW64\explorer.exe
      explorer c:\programdata\memoryCurrencyTable.hta
      2⤵
      • Process spawned unexpected child process
      PID:820
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1000
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:836
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\memoryCurrencyTable.hta"
        2⤵
        • Blocklisted process makes network request
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:276
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\users\public\memoryCurrencyTable.jpg
          3⤵
          • Loads dropped DLL
          PID:948
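The process tree above is the part of this report a detection engineer will reuse: Word spawns explorer.exe to open an .hta in C:\ProgramData, mshta.exe runs that .hta from a separate explorer.exe COM server, and mshta hands a DLL renamed to .jpg under C:\Users\Public to regsvr32.exe. The following Python is an added example, not part of the sandbox report or of any vendor's detection logic; the EVENTS list is constructed to mirror the tree (Sysmon event ID 1 style fields, with a made-up ppid 500 for the unlisted parents), and the field names, allow-lists and every detect/correlate helper are assumptions.

```python
"""Triage the Office -> HTA -> regsvr32 chain from the report's process tree.

Added example; not part of the sandbox report. The EVENTS list is
constructed to mirror the tree above (Sysmon event ID 1 style fields);
the field names and every helper below are assumptions.
"""
import ntpath
import re

# Constructed from the process tree in the report; not real telemetry.
# ppid 500 stands in for the (unlisted) parent of the top-level processes.
EVENTS = [
    {"pid": 792, "ppid": 500, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordain.06.21.2021.doc"'},
    {"pid": 820, "ppid": 792, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"explorer c:\programdata\memoryCurrencyTable.hta"},
    {"pid": 1000, "ppid": 792, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 836, "ppid": 500, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"pid": 276, "ppid": 836, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\memoryCurrencyTable.hta"'},
    {"pid": 948, "ppid": 276, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\System32\regsvr32.exe" c:\users\public\memoryCurrencyTable.jpg'},
    # Constructed benign control: a system DLL registered from System32.
    {"pid": 1200, "ppid": 500, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# splwow64.exe is the 32-bit print spooler bridge Word spawns normally (see the tree).
OFFICE_CHILD_ALLOW = {"splwow64.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "explorer.exe"}
WRITABLE_DIRS = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp")
DLL_EXTS = {".dll", ".ocx", ".ax"}


def argv(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def basename(path):
    return ntpath.basename(path.strip('"')).lower()


def in_writable_dir(path):
    return any(d in path.lower() for d in WRITABLE_DIRS)


def detect(events):
    """Return (pid, rule, detail) tuples for the behaviours the report flags."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else None
        args = argv(e["cmdline"])[1:]

        # "Process spawned unexpected child process": Office spawning anything
        # that is not a known helper.
        if pname in OFFICE and child not in OFFICE_CHILD_ALLOW:
            hits.append((e["pid"], "office_spawns_child", child))

        # A script host handing off to regsvr32 is the classic LOLBin loader step.
        if pname in SCRIPT_HOSTS and child == "regsvr32.exe":
            hits.append((e["pid"], "script_host_spawns_regsvr32", pname))

        # regsvr32 "registering" a file with a non-DLL extension or from a
        # user-writable directory (here: a DLL renamed to .jpg under Users\Public).
        if child == "regsvr32.exe":
            for a in args:
                if a.startswith("/"):
                    continue
                if ntpath.splitext(a.lower())[1] not in DLL_EXTS or in_writable_dir(a):
                    hits.append((e["pid"], "regsvr32_suspicious_target", a))

        # An .hta executed out of a writable directory, via mshta or the shell.
        if child in SCRIPT_HOSTS:
            for a in args:
                if a.lower().endswith(".hta") and in_writable_dir(a):
                    hits.append((e["pid"], "hta_from_writable_dir", a))
    return hits


def correlate_by_artifact(events):
    """Map each file path referenced on a command line to the PIDs that used it.

    In the tree above mshta.exe is not a child of WINWORD.EXE: the shell
    launched it under a separate explorer.exe COM server (/factory ... -Embedding),
    so parent/child lookups alone never connect the two branches. The shared
    .hta path does.
    """
    refs = {}
    for e in events:
        for a in argv(e["cmdline"])[1:]:
            if "\\" in a and ntpath.splitext(a)[1]:
                refs.setdefault(a.lower(), set()).add(e["pid"])
    return refs


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
    for path, pids in correlate_by_artifact(EVENTS).items():
        if len(pids) > 1:
            print("shared artifact", path, sorted(pids))
```

Run against the constructed events, `detect` flags PIDs 820, 276 and 948 and leaves WINWORD, splwow64, the COM-server explorer.exe and the benign regsvr32 control alone; `correlate_by_artifact` ties the Word-spawned explorer.exe (820) to the mshta.exe that ran later under a different parent (276) through the common C:\ProgramData\memoryCurrencyTable.hta path, which is the join a pure parent/child rule misses.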

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1
  • Discovery: System Information Discovery (T1082), 1

Downloads

    • C:\ProgramData\memoryCurrencyTable.hta
      MD5

      c13c6a2a4422d7f7122277317c172ead

      SHA1

      ccc044e0e5771e4962bcee4339ac35571644f886

      SHA256

      5deccd97c3d07d1a7243b42c5a841fe1fe23f9295dd5e19ba81f33867d0a848c

      SHA512

      e4595df0a2ae52cf41c7655956371357b5174f4afba40c9f07e0e9196062061653eb98d7dca34ce28affeca18addf13d55affcec7bde9599979b91b28d501d3e

    • \??\c:\users\public\memoryCurrencyTable.jpg
      MD5

      79c48d1bb51793cff43f607662fad05e

      SHA1

      b52e8a5486d6d83e57b5f0346ff1530d96b4a263

      SHA256

      2d50c6c2308b478ec2eeef4ddac027f5bf3a90ba9b8b689e74249e0e0ef21a4c

      SHA512

      6360de3f7226646c62e1cb7f19e9b110d2b46f8ee115afb52b14721cf53e98632cbe5b6ac794cbe8756008016e4205af49b97b9dcdb22a14cf1162e0733f0c41

    • \Users\Public\memoryCurrencyTable.jpg
      MD5

      79c48d1bb51793cff43f607662fad05e

      SHA1

      b52e8a5486d6d83e57b5f0346ff1530d96b4a263

      SHA256

      2d50c6c2308b478ec2eeef4ddac027f5bf3a90ba9b8b689e74249e0e0ef21a4c

      SHA512

      6360de3f7226646c62e1cb7f19e9b110d2b46f8ee115afb52b14721cf53e98632cbe5b6ac794cbe8756008016e4205af49b97b9dcdb22a14cf1162e0733f0c41

    • memory/276-68-0x0000000000000000-mapping.dmp
    • memory/792-60-0x0000000072071000-0x0000000072074000-memory.dmp
      Filesize

      12KB

    • memory/792-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/792-61-0x000000006FAF1000-0x000000006FAF3000-memory.dmp
      Filesize

      8KB

    • memory/820-64-0x0000000075041000-0x0000000075043000-memory.dmp
      Filesize

      8KB

    • memory/820-65-0x000000006A951000-0x000000006A953000-memory.dmp
      Filesize

      8KB

    • memory/820-63-0x0000000000000000-mapping.dmp
    • memory/836-66-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
      Filesize

      8KB

    • memory/948-71-0x0000000000000000-mapping.dmp
    • memory/948-76-0x000000006A880000-0x000000006A96A000-memory.dmp
      Filesize

      936KB

    • memory/948-75-0x000000006A880000-0x000000006A88D000-memory.dmp
      Filesize

      52KB

    • memory/948-77-0x0000000000230000-0x0000000000231000-memory.dmp
      Filesize

      4KB

    • memory/1000-69-0x0000000000000000-mapping.dmp