Overview

overview

10

Static

static

my_attach_p2v.js

windows7_x64

10

my_attach_p2v.js

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    02-06-2020 10:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    my_attach_p2v.js

  • Size

    1.3MB

  • MD5

    3bfdc69fe78e172ffe8c054d36596163

  • SHA1

    ecddf99225e7fb6940270ef115b5c275f48e5f0b

  • SHA256

    77ce825e2c50017520147fce8c85173fd63077ef97a07097b53ec61df9048b83

  • SHA512

    456162fff6f4c83df925fd2ead41c24001d1ab2982f7a8bc740b7d051e1697899fe24959ebb23569a40fead8e905becdd7786fad28a651cc73baa73f885864ce

Score
10/10
bankertrojanursnifspywaregozi_ifsb

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1560 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Checks whether UAC is enabled 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:2968
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\my_attach_p2v.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\tmDvhuQzZOS.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1344
        • C:\Windows\SysWOW64\regsvr32.exe
          -s C:\Users\Admin\AppData\Local\Temp\\tmDvhuQzZOS.txt
          4⤵
          • Loads dropped DLL
          PID:1516
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82\\\AxInrvps'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82").AppCbcd))
        3⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        PID:2952
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1pgmovxr\1pgmovxr.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1564
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE45B.tmp" "c:\Users\Admin\AppData\Local\Temp\1pgmovxr\CSC81789A80F20B48059E5D591694EA8650.TMP"
            5⤵
              PID:1236
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jk3cauk0\jk3cauk0.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5F1.tmp" "c:\Users\Admin\AppData\Local\Temp\jk3cauk0\CSCC471EB773862424181FBCE5947902EEA.TMP"
              5⤵
                PID:3680
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\tmDvhuQzZOS.txt"
          2⤵
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetThreadContext
          PID:3200
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:3552
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\24A5.bi1"
          2⤵
            PID:748
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:3640
            • C:\Windows\system32\cmd.exe
              cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2125.bi1"
              2⤵
                PID:3396
                • C:\Windows\system32\nslookup.exe
                  nslookup myip.opendns.com resolver1.opendns.com
                  3⤵
                    PID:3632
                • C:\Windows\system32\cmd.exe
                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2125.bi1"
                  2⤵
                    PID:3752
                  • C:\Windows\system32\cmd.exe
                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\24A5.bi1"
                    2⤵
                      PID:992
                    • C:\Program Files\Windows Mail\WinMail.exe
                      "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                      2⤵
                        PID:2344
                      • C:\Program Files\Windows Mail\WinMail.exe
                        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                        2⤵
                          PID:2168
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3368
                        • C:\Program Files\Internet Explorer\iexplore.exe
                          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of FindShellTrayWindow
                          • Modifies Internet Explorer settings
                          • Checks whether UAC is enabled
                          PID:3916
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3916 CREDAT:82945 /prefetch:2
                            2⤵
                            • Suspicious use of SetWindowsHookEx
                            • Modifies Internet Explorer settings
                            • Checks whether UAC is enabled
                            PID:3832
                          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3916 CREDAT:82950 /prefetch:2
                            2⤵
                            • Suspicious use of SetWindowsHookEx
                            • Modifies Internet Explorer settings
                            • Checks whether UAC is enabled
                            PID:3300

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/2168-29-0x00000292BD290000-0x00000292BD291000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2344-27-0x0000021876C60000-0x0000021876C61000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2952-14-0x0000024961DE0000-0x0000024961E91000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/2968-16-0x00000000053F0000-0x00000000054A1000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/2968-13-0x0000000000950000-0x0000000000951000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2968-28-0x00000000053F0000-0x00000000054A1000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/2968-20-0x00000000053F0000-0x00000000054A1000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/2968-30-0x00000000053F0000-0x00000000054A1000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/2968-18-0x00000000061D0000-0x0000000006281000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/3200-22-0x0000027848900000-0x00000278489B1000-memory.dmp

                          Filesize

                          708KB

                          Download

                        • memory/3200-17-0x00000278465E0000-0x00000278465E1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3368-15-0x0000021E334F0000-0x0000021E334F1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3552-21-0x000002AA4CA10000-0x000002AA4CA11000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3916-19-0x0000016B6CEF0000-0x0000016B6CEF1000-memory.dmp

                          Filesize

                          4KB

                          Download