Overview

overview

10

Static

static

8

02d165251f...74.exe

windows7_x64

10

02d165251f...74.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    10/11/2020, 10:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe

  • Size

    273KB

  • MD5

    7f1d3c53b9ec4e4a0de133e294c59503

  • SHA1

    0a5cf542342a579a2da13fe81f2a33e8beb2dd53

  • SHA256

    02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74

  • SHA512

    38693beb421aa4b18de14edc82a360e437e3269003ac94322f2cd34ce9a6c8cd4ee4d5d3fec785f36e752b7e6bd8f2a62a95988282240181d24f0f3341897486

Score
10/10
gozi_ifsbursnifbankerpersistencespywaretrojanupx

Malware Config

Extracted

Family

ursnif

Attributes
  • dga_base_url

  • dga_crc

    0

  • dga_season

    0

  • dga_tlds

  • dns_servers

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe
      "C:\Users\Admin\AppData\Local\Temp\02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2D9E\10.bat" "C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe" "C:\Users\Admin\AppData\Local\Temp\02D165~1.EXE""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3228
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C ""C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe" "C:\Users\Admin\AppData\Local\Temp\02D165~1.EXE""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:64
          • C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe
            "C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe" "C:\Users\Admin\AppData\Local\Temp\02D165~1.EXE"
            5⤵
            • Executes dropped EXE
            • Deletes itself
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:988
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
      PID:3480

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/856-7-0x00000000021C0000-0x0000000002256000-memory.dmp

      Filesize

      600KB

      Download

    • memory/988-9-0x0000024D2A6E0000-0x0000024D2A776000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2868-10-0x0000000005480000-0x0000000005516000-memory.dmp

      Filesize

      600KB

      Download