Overview

overview

10

Static

static

pliant.dll

windows7_x64

10

pliant.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    11-06-2020 15:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pliant.dll

  • Size

    270KB

  • MD5

    019c152a88c2efc4c7b42458a48f7f5c

  • SHA1

    1e6cc277d46f5fd5e7b915980deb8725c4a71726

  • SHA256

    d8885ce1f08167becda151811c6519af1bac2ad835acf60c7fa1130dad28fcd7

  • SHA512

    15457c7e7406aacf90bcdb281c3b00fc0f37923dfe660f23c4889a48091f877de6f7662bc13ee7c68cb6bb7bb39c1973d71ad4a8b50769893978c5163a64cfad

Score
10/10
bankertrojangozi_ifsbursnifspyware

Malware Config

Signatures

  • Suspicious use of SetThreadContext 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Checks whether UAC is enabled 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 1129 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3000
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\pliant.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\pliant.dll,#1
        3⤵
          PID:1864
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82\\\AxInrvps'));if(!window.flag)close()</script>"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82").AppCbcd))
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:2728
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hkodbdfp\hkodbdfp.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:60
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3113.tmp" "c:\Users\Admin\AppData\Local\Temp\hkodbdfp\CSCB0D0AD0D305D4DE6974DBE258215DBD8.TMP"
              5⤵
                PID:400
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eozjka5k\eozjka5k.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2016
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3327.tmp" "c:\Users\Admin\AppData\Local\Temp\eozjka5k\CSC5829F4FC40745378D33A181CEA95CF9.TMP"
                5⤵
                  PID:3108
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\pliant.dll"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            • Suspicious behavior: MapViewOfSection
            PID:2160
            • C:\Windows\system32\PING.EXE
              ping localhost -n 5
              3⤵
              • Runs ping.exe
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              PID:956
          • C:\Windows\system32\cmd.exe
            cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\700.bi1"
            2⤵
              PID:3724
              • C:\Windows\system32\nslookup.exe
                nslookup myip.opendns.com resolver1.opendns.com
                3⤵
                  PID:3444
              • C:\Windows\system32\cmd.exe
                cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\700.bi1"
                2⤵
                  PID:772
                • C:\Program Files\Windows Mail\WinMail.exe
                  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                  2⤵
                    PID:3892
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                    PID:3548
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                    1⤵
                    • Modifies Internet Explorer settings
                    • Checks whether UAC is enabled
                    • Suspicious use of WriteProcessMemory
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of FindShellTrayWindow
                    PID:2224
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:82945 /prefetch:2
                      2⤵
                      • Modifies Internet Explorer settings
                      • Checks whether UAC is enabled
                      • Suspicious use of SetWindowsHookEx
                      PID:3660
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:82950 /prefetch:2
                      2⤵
                      • Modifies Internet Explorer settings
                      • Checks whether UAC is enabled
                      • Suspicious use of SetWindowsHookEx
                      PID:4064

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/956-18-0x000001FDF16F0000-0x000001FDF16F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2160-15-0x0000010CAC980000-0x0000010CAC981000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2160-19-0x0000010CAEC20000-0x0000010CAECD1000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/2728-13-0x0000016335BC0000-0x0000016335C71000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/3000-16-0x0000000006570000-0x0000000006621000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/3000-17-0x0000000006B30000-0x0000000006BE1000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/3000-12-0x00000000010C0000-0x00000000010C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3000-23-0x0000000006570000-0x0000000006621000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/3548-14-0x000001D204830000-0x000001D204831000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3892-22-0x000002099BE20000-0x000002099BE21000-memory.dmp

                    Filesize

                    4KB

                    Download