Overview

overview

10

Static

static

7c3ae2e8e1...f9.exe

windows7_x64

10

7c3ae2e8e1...f9.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 21:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe

  • Size

    327KB

  • MD5

    f3cfeb4d204656cdc50ff1e180dba05d

  • SHA1

    1b18dff965566f28027c933878403d8e9f0cef75

  • SHA256

    7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9

  • SHA512

    89664de6d8d3b45d4bc9237fbbba442b2d7787faaa97a6d91b55e4b2230919d4e4127d6bf439eb2417df27f4a56471a2947d5d7e3da1e60d27f182ca2873d33a

Score
10/10
gozi_ifsbursnifbankerpersistencespywaretrojan

Malware Config

Extracted

Family

ursnif

Attributes
  • dga_base_url

  • dga_crc

    0

  • dga_season

    0

  • dga_tlds

  • dns_servers

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe
      "C:\Users\Admin\AppData\Local\Temp\7c3ae2e8e1285e7f5ee63a895f72c0da9eb4e9f14244cbbb1891b182fa8416f9.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\C5EE\1F0.bat" "C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\AppData\Local\Temp\7C3AE2~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C ""C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\AppData\Local\Temp\7C3AE2~1.EXE""
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe
            "C:\Users\Admin\AppData\Roaming\drprssec\chtbider.exe" "C:\Users\Admin\AppData\Local\Temp\7C3AE2~1.EXE"
            5⤵
            • Executes dropped EXE
            • Deletes itself
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1888
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:788
    • C:\Windows\system32\cmd.exe
      cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\F8D.bi1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Windows\system32\nslookup.exe
        nslookup myip.opendns.com resolver1.opendns.com
        3⤵
          PID:1712
      • C:\Windows\system32\cmd.exe
        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\F8D.bi1"
        2⤵
          PID:1984

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/788-10-0x0000000000290000-0x00000000002C5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/788-11-0x0000000001BA0000-0x0000000001C2F000-memory.dmp

        Filesize

        572KB

        Download

      • memory/1776-12-0x000007FEF7E30000-0x000007FEF80AA000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/1888-8-0x0000000000480000-0x000000000050F000-memory.dmp

        Filesize

        572KB

        Download