Analysis
- max time kernel: 96s
- max time network: 22s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 21-06-2021 14:09
Static task: static1
Behavioral task: behavioral1
- Sample: ordain.06.21.2021.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: ordain.06.21.2021.doc
- Resource: win10v20210408
General
- Target: ordain.06.21.2021.doc
- Size: 49KB
- MD5: 13731c9cb360c300137bcb1779267f41
- SHA1: cf816dc25baf65c92550452e3abe7f871af7f55a
- SHA256: 89816b893e66ff5eb9a42c14a2223e451e178c944438365ccecc9a8d1d64e6e8
- SHA512: 819e65feef603801ef28fd17a986085df277e5cb36c701a2471c00a4714ce51e376f4644ff9c264222bd35ec7192d4f62675673570a8633e330d337b921c1756
Malware Config
Extracted
- Family: gozi_ifsb
- Botnet: 6000
- C2: authd.feronok.com, app.bighomegl.at
- Attributes:
  - build: 250204
  - exe_type: loader
  - server_id: 580
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 820 | 792 | explorer.exe | WINWORD.EXE

Blocklisted process makes network request (1 IoCs)
Processes:
flow | pid | process
6 | 276 | mshta.exe

Downloads MZ/PE file

Loads dropped DLL (1 IoCs)
Processes:
pid | process
948 | regsvr32.exe

Drops file in Windows directory (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
pid | process
792 | WINWORD.EXE

Suspicious use of SetWindowsHookEx (16 IoCs)
Processes:
pid | process
792 | WINWORD.EXE (16 identical entries)

Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
description | pid | process | target process
PID 792 wrote to memory of 820 | 792 | WINWORD.EXE | explorer.exe (4 entries)
PID 836 wrote to memory of 276 | 836 | explorer.exe | mshta.exe (4 entries)
PID 792 wrote to memory of 1000 | 792 | WINWORD.EXE | splwow64.exe (4 entries)
PID 276 wrote to memory of 948 | 276 | mshta.exe | regsvr32.exe (7 entries)
Processes (indentation shows parent/child; the bracketed number is the tree depth)
[1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ordain.06.21.2021.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\explorer.exe
        Command line: explorer c:\programdata\memoryCurrencyTable.hta
        - Process spawned unexpected child process
    [2] C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
[1] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\memoryCurrencyTable.hta"
        - Blocklisted process makes network request
        - Modifies Internet Explorer settings
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\regsvr32.exe
            Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\memoryCurrencyTable.jpg
            - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\memoryCurrencyTable.hta
  MD5: c13c6a2a4422d7f7122277317c172ead
  SHA1: ccc044e0e5771e4962bcee4339ac35571644f886
  SHA256: 5deccd97c3d07d1a7243b42c5a841fe1fe23f9295dd5e19ba81f33867d0a848c
  SHA512: e4595df0a2ae52cf41c7655956371357b5174f4afba40c9f07e0e9196062061653eb98d7dca34ce28affeca18addf13d55affcec7bde9599979b91b28d501d3e
- \??\c:\users\public\memoryCurrencyTable.jpg
  MD5: 79c48d1bb51793cff43f607662fad05e
  SHA1: b52e8a5486d6d83e57b5f0346ff1530d96b4a263
  SHA256: 2d50c6c2308b478ec2eeef4ddac027f5bf3a90ba9b8b689e74249e0e0ef21a4c
  SHA512: 6360de3f7226646c62e1cb7f19e9b110d2b46f8ee115afb52b14721cf53e98632cbe5b6ac794cbe8756008016e4205af49b97b9dcdb22a14cf1162e0733f0c41
- \Users\Public\memoryCurrencyTable.jpg
  MD5: 79c48d1bb51793cff43f607662fad05e
  SHA1: b52e8a5486d6d83e57b5f0346ff1530d96b4a263
  SHA256: 2d50c6c2308b478ec2eeef4ddac027f5bf3a90ba9b8b689e74249e0e0ef21a4c
  SHA512: 6360de3f7226646c62e1cb7f19e9b110d2b46f8ee115afb52b14721cf53e98632cbe5b6ac794cbe8756008016e4205af49b97b9dcdb22a14cf1162e0733f0c41

Memory dumps
- memory/276-68-0x0000000000000000-mapping.dmp
- memory/792-60-0x0000000072071000-0x0000000072074000-memory.dmp (Filesize 12KB)
- memory/792-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/792-61-0x000000006FAF1000-0x000000006FAF3000-memory.dmp (Filesize 8KB)
- memory/820-64-0x0000000075041000-0x0000000075043000-memory.dmp (Filesize 8KB)
- memory/820-65-0x000000006A951000-0x000000006A953000-memory.dmp (Filesize 8KB)
- memory/820-63-0x0000000000000000-mapping.dmp
- memory/836-66-0x000007FEFB561000-0x000007FEFB563000-memory.dmp (Filesize 8KB)
- memory/948-71-0x0000000000000000-mapping.dmp
- memory/948-76-0x000000006A880000-0x000000006A96A000-memory.dmp (Filesize 936KB)
- memory/948-75-0x000000006A880000-0x000000006A88D000-memory.dmp (Filesize 52KB)
- memory/948-77-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize 4KB)
- memory/1000-69-0x0000000000000000-mapping.dmp