Overview

overview

10

Static

static

8

tr_4.xls

windows7_x64

6

tr_4.xls

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    14-07-2020 05:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tr_4.xls

  • Size

    90KB

  • MD5

    4cabdfd852c1c7fe830508cec8dd0982

  • SHA1

    ee530e442bdf28a4834bca1922be2dd54761c6d5

  • SHA256

    7bbbb364b218aa3da80f1c8e8e43e389a71811dcf1d1fe63be8e7a85a3ac0fd0

  • SHA512

    a6ec25d43a123a9a9b7f5005a7acd7b9bad3f3142f0b29d9c43b993fabec22e8926f29f324e85a050ed832a2c4c594802906705ed89ac7460e818188c0b8cd2a

Score
10/10
discoveryspywarebankertrojangozi_ifsbursnifratstealerpony

Malware Config

Signatures

  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Suspicious use of WriteProcessMemory 76 IoCs
  • Suspicious behavior: EnumeratesProcesses 1925 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Checks for installed software on the system 1 TTPs 7 IoCs
    discovery
  • Executes dropped EXE 1 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Checks whether UAC is enabled 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 96 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetThreadContext
    PID:3020
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\tr_4.xls"
      2⤵
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: AddClipboardFormatListener
      • Checks processor information in registry
      PID:3684
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s /i dDdoiBj.ocx
        3⤵
        • Suspicious use of WriteProcessMemory
        • Process spawned unexpected child process
        PID:2588
        • C:\Windows\SysWOW64\regsvr32.exe
          /s /i dDdoiBj.ocx
          4⤵
          • Suspicious use of WriteProcessMemory
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          PID:2640
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\System32\svchost.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            • Suspicious behavior: EnumeratesProcesses
            • Checks for installed software on the system
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            PID:1008
            • C:\Windows\SysWOW64\cmd.exe
              cmd /K
              6⤵
                PID:1204
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\System32\svchost.exe
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1492
              • C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp
                C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp
                6⤵
                • Executes dropped EXE
                PID:1756
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 668
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Program crash
              PID:2144
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2FFAFA40-C261-3936-44D3-167DB8B7AA01\\\Addrient'));if(!window.flag)close()</script>"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\2FFAFA40-C261-3936-44D3-167DB8B7AA01").appiness))
          3⤵
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetThreadContext
          PID:3376
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2uf0qoog\2uf0qoog.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4024
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9277.tmp" "c:\Users\Admin\AppData\Local\Temp\2uf0qoog\CSC34BDC6584AD24D90853E8CE642A0B1BC.TMP"
              5⤵
                PID:1160
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mswhtq3l\mswhtq3l.cmdline"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:912
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9313.tmp" "c:\Users\Admin\AppData\Local\Temp\mswhtq3l\CSC34B0182361C643F483B2E23F8A9FC592.TMP"
                5⤵
                  PID:3184
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\BN2D25.tmp"
            2⤵
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            • Suspicious use of SetThreadContext
            PID:2232
            • C:\Windows\system32\PING.EXE
              ping localhost -n 5
              3⤵
              • Runs ping.exe
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              PID:484
          • C:\Windows\system32\cmd.exe
            cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\1ACE.bi1"
            2⤵
              PID:3464
              • C:\Windows\system32\nslookup.exe
                nslookup myip.opendns.com resolver1.opendns.com
                3⤵
                  PID:1000
              • C:\Windows\system32\cmd.exe
                cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\D3E.bi1"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3480
                • C:\Windows\system32\nslookup.exe
                  nslookup myip.opendns.com resolver1.opendns.com
                  3⤵
                    PID:1964
                • C:\Windows\system32\cmd.exe
                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\1ACE.bi1"
                  2⤵
                    PID:2176
                  • C:\Windows\system32\cmd.exe
                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D3E.bi1"
                    2⤵
                      PID:2240
                    • C:\Program Files\Windows Mail\WinMail.exe
                      "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                      2⤵
                        PID:2332
                    • C:\Windows\System32\RuntimeBroker.exe
                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                      1⤵
                        PID:3392
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        • Suspicious use of FindShellTrayWindow
                        • Modifies Internet Explorer settings
                        • Suspicious use of SetWindowsHookEx
                        • Checks whether UAC is enabled
                        PID:1900
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:82945 /prefetch:2
                          2⤵
                          • Modifies Internet Explorer settings
                          • Suspicious use of SetWindowsHookEx
                          • Checks whether UAC is enabled
                          PID:4004
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:82952 /prefetch:2
                          2⤵
                          • Modifies Internet Explorer settings
                          • Suspicious use of SetWindowsHookEx
                          • Checks whether UAC is enabled
                          PID:3448

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/1008-4-0x0000000000400000-0x0000000000409000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/1008-6-0x0000000000400000-0x0000000000409000-memory.dmp

                        Filesize

                        36KB

                        Download

                      • memory/1492-8-0x000000000BC00000-0x000000000BC12000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/1492-10-0x000000000BC00000-0x000000000BC12000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/1756-14-0x0000000000DE6000-0x0000000000DE7000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1756-15-0x00000000011A0000-0x00000000011A1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2144-19-0x0000000004630000-0x0000000004631000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2144-24-0x0000000004970000-0x0000000004971000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2640-74-0x0000000003470000-0x0000000003471000-memory.dmp

                        Filesize

                        4KB

                        Download