Overview

overview

10

Static

static

8

infectedmars2021.doc

windows7-x64

10

infectedmars2021.doc

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-12-2024 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    infectedmars2021.doc

  • Size

    4.3MB

  • MD5

    0c8555a71a055a1e553ffe8865cb3ea6

  • SHA1

    a8e77218bdb915adec62580f95d3a8a679b18215

  • SHA256

    2a7811607023a04ca559e46d7106588f4542af11352972ff84d28b49e59d4507

  • SHA512

    ebd784a06b35e8affee01c16f599bdb99336ee5d720e540a56b550579b201d0a04d030cc412b9a120158e5c2ec5bb8e2c5b71fcc810c117f8c290377c87973a9

  • SSDEEP

    49152:oVUg5AfUb76jl/PTV0maWj4qO4eiJbFFYRKFZW+sYzbtqrDpee26:o6gF2jxPpbaWjRnuv

Score
10/10
gozi5513bankerdiscoveryisfbtrojan

Malware Config

Extracted

Family

gozi

Extracted

Family

gozi

Botnet

5513

C2

greenwoodgrace.website

Attributes
  • base_path

    /manifest/

  • build

    250187

  • dga_season

    10

  • exe_type

    loader

  • extension

    .cnx

  • server_id

    12

rsa_pubkey.plain
serpent.plain

Signatures

  • Gozi

    Gozi is a well-known and widely distributed banking trojan.

    bankertrojangozi
  • Gozi family
    gozi
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\infectedmars2021.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3096
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c c:\programdata\Milne.CMD
      2⤵
      • Process spawned unexpected child process
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\brainw\Audiobook.vbs"
        3⤵
          PID:2232
        • C:\Windows\system32\PING.EXE
          ping w 5000 ya.fr
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:508
        • C:\Windows\system32\PING.EXE
          ping w 5000 htr-oi.io
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4120
        • C:\Windows\system32\regsvr32.exe
          regsvr32 -s c:\brainw\name1.dll
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4596
          • C:\Windows\SysWOW64\regsvr32.exe
            -s c:\brainw\name1.dll
            4⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1684

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\TCDC0A4.tmp\gb.xsl
      Filesize

      262KB

      MD5

      51d32ee5bc7ab811041f799652d26e04

      SHA1

      412193006aa3ef19e0a57e16acf86b830993024a

      SHA256

      6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

      SHA512

      5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
      Filesize

      2KB

      MD5

      6504f6c52b57452db74d21a5dcb1fc2e

      SHA1

      7900c671f5498fe43531cc140896d37c95f22d83

      SHA256

      e99205bbec68a2652077e91fab46cdfc6e423e69134f361b1eb89cde3a00cccd

      SHA512

      f12e4933926df24b66b34d128e4ec73ee23516927f28cba62a7431909a2978f771668ec704268f2ea14b53638cd9e15f5f6b94f39f274c73c51f20d58a2d580d

      Download Submit

    • C:\brainw\Audiobook.vbs
      Filesize

      1.1MB

      MD5

      72c67436a89961707eb873fba9a0371b

      SHA1

      c7e18ca8b054e3d7af0d189224a370258e621be1

      SHA256

      cadd5665efe629e813c90a10aa4aadd047f056402be591901573f0bf5ebdaa59

      SHA512

      16851728c04cea0252932d2aea4f61df3d5cc976a65fef1950d8b7f6cf34cd645e8ad429cc2b1b966789a4774b72f09c91c02010224548c689dca3522ad7c783

      Download Submit

    • \??\c:\brainw\name1.dll
      Filesize

      586KB

      MD5

      45fce7fad17e37916456694865b10bf4

      SHA1

      dc2e64142432586caef9205f959181fb3d26c301

      SHA256

      9b46b746e0838a160ceaa31bcde6d7eda49c3a065b7f50a3a29577ab6fda1023

      SHA512

      132945f1d638dc042d5d37056a3c6faba581d08dda46c02320b693caf3160a3fafdde2c31deb6ed85e6f14113a55dbdb6b53cadf0b316b6b8ecd87272c14a231

      Download Submit

    • \??\c:\programdata\Milne.CMD
      Filesize

      1.1MB

      MD5

      32a99b29a0e80abfc2bbfe8a785324a1

      SHA1

      759fac2f1d0f63d5ff7c8ef54ea3c8bcb9243856

      SHA256

      9f2d02ea06d235ef599acaede041bbb576731bb273045296caf395a2765d786c

      SHA512

      d580790cbccc11a61a4ffac75c72c56653177e64faefea8ab1a175bf8760d0757cf18929d244342d93448734768d8949b3d2d897660f2b0b3cbcd7fd6ab89774

      Download Submit

    • memory/1684-499-0x00000000753F0000-0x00000000754D9000-memory.dmp

      Filesize

      932KB

      Download

    • memory/1684-498-0x00000000753F0000-0x00000000754D9000-memory.dmp

      Filesize

      932KB

      Download

    • memory/1684-489-0x00000000753F0000-0x00000000754D9000-memory.dmp

      Filesize

      932KB

      Download

    • memory/1684-488-0x00000000753F0000-0x00000000754D9000-memory.dmp

      Filesize

      932KB

      Download

    • memory/3096-28-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-44-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-19-0x00007FFA7E440000-0x00007FFA7E450000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-18-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-15-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-14-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-17-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-9-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-8-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-7-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-6-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-0-0x00007FFA80BF0000-0x00007FFA80C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-29-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-38-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-39-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-16-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-13-0x00007FFA7E440000-0x00007FFA7E450000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-52-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-53-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-54-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-10-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-63-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-64-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-65-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-11-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-12-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3096-5-0x00007FFA80BF0000-0x00007FFA80C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-4-0x00007FFA80BF0000-0x00007FFA80C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-2-0x00007FFA80BF0000-0x00007FFA80C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-1-0x00007FFA80BF0000-0x00007FFA80C00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3096-3-0x00007FFAC0C0D000-0x00007FFAC0C0E000-memory.dmp

      Filesize

      4KB

      Download