Analysis
- Max time kernel: 118s
- Max time network: 156s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 21-06-2021 13:00

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: certificate.06.21.doc
  Resource: win7v20210410
- Behavioral task: behavioral2
  Sample: certificate.06.21.doc
  Resource: win10v20210410
General
- Target: certificate.06.21.doc
- Size: 50KB
- MD5: 778c7f21764d2fc338a5abfa2becfb35
- SHA1: 39dfa04561018e6dc4590bb6530ca2b2d5351183
- SHA256: cc70447b7be5068a55ad34baa92ebd524a00e0a4a210b69fa16d4bf84f48e239
- SHA512: 2f3c868240b63c3e179006c9919e91f1330fc9e6bfc06e65d2484e2e10418d3dd3094c903747cfe5e2035b31850059c5bb046f8791554341fe29756b68fa8d6a
Malware Config
Extracted
- gozi_ifsb
- 6000
- authd.feronok.com
- app.bighomegl.at
- build: 250204
- exe_type: loader
- server_id: 580
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1888 | 1668 | explorer.exe | WINWORD.EXE
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow | pid | process
    5 | 1360 | mshta.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    1796 | regsvr32.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Modifies Internet Explorer settings
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
    Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid | process
    1668 | WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes:
    pid | process
    1668 | WINWORD.EXE (16 occurrences)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
    description | pid | process | target process
    PID 1668 wrote to memory of 1888 | 1668 | WINWORD.EXE | explorer.exe (4 occurrences)
    PID 1744 wrote to memory of 1360 | 1744 | explorer.exe | mshta.exe (4 occurrences)
    PID 1668 wrote to memory of 1540 | 1668 | WINWORD.EXE | splwow64.exe (4 occurrences)
    PID 1360 wrote to memory of 1796 | 1360 | mshta.exe | regsvr32.exe (7 occurrences)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\certificate.06.21.doc"
  Signatures:
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  Children:
    - C:\Windows\SysWOW64\explorer.exe
      Command line: explorer c:\programdata\vbaQueryCount.hta
      Signatures:
        - Process spawned unexpected child process
    - C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures:
    - Suspicious use of WriteProcessMemory
  Children:
    - C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\vbaQueryCount.hta"
      Signatures:
        - Blocklisted process makes network request
        - Modifies Internet Explorer settings
        - Suspicious use of WriteProcessMemory
      Children:
        - C:\Windows\SysWOW64\regsvr32.exe
          Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\vbaQueryCount.jpg
          Signatures:
            - Loads dropped DLL
Downloads
- C:\ProgramData\vbaQueryCount.hta
  MD5: 8333d57a044a01797f6e120b4c1b1dc2
  SHA1: e726e247c84dda75df1963d5899c22093291062c
  SHA256: dddcc267ce697c5ec06aacdaf884d2eced853e987aef4767472d491db9903258
  SHA512: af1223a529ff5bea9c4ff18068aa83cb55e0b6fea2076672cbd8e6c633ebe76e3fd75b1275710eaf36e3991916645b3b4b3f5877f88dae339ec1a60923b26393
- \??\c:\users\public\vbaQueryCount.jpg
  MD5: 81a57502787fd832d141625494bc6e61
  SHA1: 73025e06eb644652e5f43d050663b041f687e53f
  SHA256: e1c8e34791daee490ba154c10dddf0d43d4cc6910fb08debbd5c722e722ea551
  SHA512: aecdf00d939762880c15de0f9377d1a3d4dcbe5f9bbd8d272003bfccc38f7314c862c45e0e387ef7d3ac13bb289136f39b32b7869ee22dd1175577d939c0dada
- \Users\Public\vbaQueryCount.jpg
  MD5: 81a57502787fd832d141625494bc6e61
  SHA1: 73025e06eb644652e5f43d050663b041f687e53f
  SHA256: e1c8e34791daee490ba154c10dddf0d43d4cc6910fb08debbd5c722e722ea551
  SHA512: aecdf00d939762880c15de0f9377d1a3d4dcbe5f9bbd8d272003bfccc38f7314c862c45e0e387ef7d3ac13bb289136f39b32b7869ee22dd1175577d939c0dada

Memory dumps
- memory/1360-67-0x0000000000000000-mapping.dmp
- memory/1360-71-0x0000000002780000-0x0000000002781000-memory.dmp (Filesize: 4KB)
- memory/1540-69-0x0000000000000000-mapping.dmp
- memory/1668-60-0x000000006FC31000-0x000000006FC33000-memory.dmp (Filesize: 8KB)
- memory/1668-59-0x00000000721B1000-0x00000000721B4000-memory.dmp (Filesize: 12KB)
- memory/1668-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1668-79-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/1744-65-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp (Filesize: 8KB)
- memory/1796-72-0x0000000000000000-mapping.dmp
- memory/1796-77-0x0000000067540000-0x000000006762A000-memory.dmp (Filesize: 936KB)
- memory/1796-76-0x0000000067540000-0x000000006754D000-memory.dmp (Filesize: 52KB)
- memory/1796-78-0x0000000000170000-0x0000000000171000-memory.dmp (Filesize: 4KB)
- memory/1888-62-0x0000000000000000-mapping.dmp
- memory/1888-64-0x000000006ABB1000-0x000000006ABB3000-memory.dmp (Filesize: 8KB)
- memory/1888-63-0x0000000075281000-0x0000000075283000-memory.dmp (Filesize: 8KB)