Overview

overview

10

Static

static

wJireyEV.tmp.exe

windows7_x64

10

wJireyEV.tmp.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    05-10-2020 15:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wJireyEV.tmp.exe

  • Size

    322KB

  • MD5

    573b56ffd42efd390404133286ad691d

  • SHA1

    218f00d9ce955f2f196a93ae92a1588f6f1c1b36

  • SHA256

    19bcb38fae9b117b3e440f076fe7a7ebf169581dd89e3c5b8614f356ee2c4277

  • SHA512

    c054573268a4bcbf0a18a1d236250a66f07ba7e0f6b378e5ae3bfc2aa3e38211d99fd837b586af08dc052e10b64e1c1d984d5c4683dbff9014e7315aad352328

Score
10/10
spywaretrojanbackdoorsmokeloaderbankergozi_ifsbursnif

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://etasuklavish.today/

http://mragyzmachnobesdi.today/

http://kimchinikuzims.today/

http://slacvostinrius.today/

http://straponuliusyn.today/

http://grammmdinss.today/

http://viprasputinsd.chimkent.su/

http://lupadypa.dagestan.su/

http://stoknolimchin.exnet.su/

http://musaroprovadnikov.live/

http://teemforyourexprensiti.life/

http://stolkgolmishutich.termez.su/

http://roompampamgandish.wtf/
rc4.i32
rc4.i32

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • ServiceHost packer 1 IoCs

    Detects ServiceHost packer used for .NET malware

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4555 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 90 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 97 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Deletes itself
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\wJireyEV.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\wJireyEV.tmp.exe"
      2⤵
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4016
    • C:\Users\Admin\AppData\Local\Temp\274F.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\274F.tmp.exe
      2⤵
      • Executes dropped EXE
      PID:3380
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\BAD223C3-D1C2-FC1D-2B8E-95F08FA29924\\\AzSqeter'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\BAD223C3-D1C2-FC1D-2B8E-95F08FA29924").amstartv))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ojzi02mg\ojzi02mg.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1824
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7020.tmp" "c:\Users\Admin\AppData\Local\Temp\ojzi02mg\CSC407F3BAA17CB45788874AC2882962F40.TMP"
            5⤵
              PID:696
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bu2gbkqo\bu2gbkqo.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1304
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7158.tmp" "c:\Users\Admin\AppData\Local\Temp\bu2gbkqo\CSC5C3CB008335C4D0FB32F274189F0826.TMP"
              5⤵
                PID:3324
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\274F.tmp.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3076
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:1216
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\6BA4.bi1"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3764
          • C:\Windows\system32\nslookup.exe
            nslookup myip.opendns.com resolver1.opendns.com
            3⤵
              PID:1596
          • C:\Windows\system32\cmd.exe
            cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\39D8.bi1"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3816
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:388
            • C:\Windows\system32\cmd.exe
              cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6BA4.bi1"
              2⤵
                PID:2092
              • C:\Windows\system32\cmd.exe
                cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\39D8.bi1"
                2⤵
                  PID:1556
                • C:\Windows\system32\cmd.exe
                  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3900
                  • C:\Windows\system32\systeminfo.exe
                    systeminfo.exe
                    3⤵
                    • Gathers system information
                    PID:3956
                • C:\Windows\system32\makecab.exe
                  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\4630.bin"
                  2⤵
                    PID:3400
                  • C:\Windows\system32\cmd.exe
                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                    2⤵
                      PID:292
                    • C:\Windows\system32\cmd.exe
                      cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                      2⤵
                        PID:3376
                        • C:\Windows\system32\net.exe
                          net view
                          3⤵
                          • Discovers systems in the same network
                          PID:3716
                      • C:\Windows\system32\cmd.exe
                        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                        2⤵
                          PID:712
                        • C:\Windows\system32\cmd.exe
                          cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                          2⤵
                            PID:604
                            • C:\Windows\system32\nslookup.exe
                              nslookup 127.0.0.1
                              3⤵
                                PID:4012
                            • C:\Windows\system32\cmd.exe
                              cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                              2⤵
                                PID:3856
                              • C:\Windows\system32\cmd.exe
                                cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                                2⤵
                                  PID:3840
                                  • C:\Windows\system32\tasklist.exe
                                    tasklist.exe /SVC
                                    3⤵
                                    • Enumerates processes with tasklist
                                    PID:3844
                                • C:\Windows\system32\cmd.exe
                                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                                  2⤵
                                    PID:2124
                                  • C:\Windows\system32\cmd.exe
                                    cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                                    2⤵
                                      PID:292
                                      • C:\Windows\system32\driverquery.exe
                                        driverquery.exe
                                        3⤵
                                          PID:404
                                      • C:\Windows\system32\cmd.exe
                                        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                                        2⤵
                                          PID:1368
                                        • C:\Windows\system32\cmd.exe
                                          cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                                          2⤵
                                            PID:1496
                                            • C:\Windows\system32\reg.exe
                                              reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
                                              3⤵
                                                PID:2512
                                            • C:\Windows\system32\cmd.exe
                                              cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                                              2⤵
                                                PID:1236
                                              • C:\Windows\system32\cmd.exe
                                                cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\4311.bin1 > C:\Users\Admin\AppData\Local\Temp\4311.bin & del C:\Users\Admin\AppData\Local\Temp\4311.bin1"
                                                2⤵
                                                  PID:1788
                                                • C:\Windows\system32\makecab.exe
                                                  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\4AF5.bin"
                                                  2⤵
                                                    PID:2688
                                                • C:\Windows\System32\RuntimeBroker.exe
                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                  1⤵
                                                    PID:3476
                                                  • C:\Program Files\Internet Explorer\iexplore.exe
                                                    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                    1⤵
                                                    • Modifies Internet Explorer settings
                                                    • Suspicious use of FindShellTrayWindow
                                                    • Suspicious use of SetWindowsHookEx
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:3452
                                                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3452 CREDAT:82945 /prefetch:2
                                                      2⤵
                                                      • Modifies Internet Explorer settings
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2696
                                                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3452 CREDAT:82950 /prefetch:2
                                                      2⤵
                                                      • Modifies Internet Explorer settings
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2740

                                                  Network

                                                  MITRE ATT&CK Enterprise v6

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • memory/2588-34-0x00000282FA190000-0x00000282FA22A000-memory.dmp

                                                    Filesize

                                                    616KB

                                                    Download

                                                  • memory/2588-14-0x00007FF969E80000-0x00007FF96A86C000-memory.dmp

                                                    Filesize

                                                    9.9MB

                                                    Download

                                                  • memory/2588-15-0x00000282F9D60000-0x00000282F9D61000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/2588-24-0x00000282F9E90000-0x00000282F9E91000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/2588-16-0x00000282F9F10000-0x00000282F9F11000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/2588-32-0x00000282F9EB0000-0x00000282F9EB1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3036-3-0x0000000000F00000-0x0000000000F16000-memory.dmp

                                                    Filesize

                                                    88KB

                                                    Download

                                                  • memory/3036-39-0x0000000005420000-0x00000000054BA000-memory.dmp

                                                    Filesize

                                                    616KB

                                                    Download

                                                  • memory/3036-36-0x0000000005420000-0x00000000054BA000-memory.dmp

                                                    Filesize

                                                    616KB

                                                    Download

                                                  • memory/3036-37-0x0000000005500000-0x000000000559A000-memory.dmp

                                                    Filesize

                                                    616KB

                                                    Download

                                                  • memory/3076-42-0x00000211CD490000-0x00000211CD52A000-memory.dmp

                                                    Filesize

                                                    616KB

                                                    Download

                                                  • memory/3380-7-0x0000000000D43000-0x0000000000D44000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/3380-8-0x00000000011E0000-0x00000000011E1000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4016-0-0x0000000000DD3000-0x0000000000DD4000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download

                                                  • memory/4016-1-0x0000000001310000-0x0000000001311000-memory.dmp

                                                    Filesize

                                                    4KB

                                                    Download