Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
10-11-2020 11:49
General
-
Target
d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe
-
Size
365KB
-
MD5
7012fcbeda3bebbceef18eba8e2a78db
-
SHA1
64bf265931d406c6c1632c5a6a16cbf335b1202e
-
SHA256
d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba
-
SHA512
9761ab641cc625e804922522c6b89d95f1dee7325f634d39f6f8eb71cd45af8b75f24152759ee59977cf026fa696d85d77161cd3db246915b2240e31c1f69a6b
Score
10/10
Malware Config
Extracted
Family
ursnif
Attributes
- dga_base_url
-
dga_crc
0
-
dga_season
0
- dga_tlds
- dns_servers
Signatures
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe"C:\Users\Admin\AppData\Local\Temp\d0136345e5d9b60ead6b8eabdd9887f43f96a27bfc2c1812737da9858e32d6ba.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\1DDE\EEF.bat" "C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\D01363~1.EXE""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /C ""C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\D01363~1.EXE""4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe"C:\Users\Admin\AppData\Roaming\Devidisc\bcryider.exe" "C:\Users\Admin\AppData\Local\Temp\D01363~1.EXE"5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
C:\Windows\system32\cmd.execmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B934.bi1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\nslookup.exenslookup myip.opendns.com resolver1.opendns.com3⤵
-
-
-
C:\Windows\system32\cmd.execmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B934.bi1"2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
2.5MB