gozi_ifsb | 3c88a1b460b983d2fbabc34c3c90b827b0deb17eff8cd2ad07d24210e6339537

Analysis

max time kernel
117s
max time network
85s
platform
windows7_x64
resource
win7v200217
submitted
03-04-2020 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

view_attach_c4h.js
Size

3.5MB
MD5

7122e78a761f320e7951d29867bbc0d5
SHA1

56a4383852b142cf03c4184d09120738479dabbc
SHA256

3c88a1b460b983d2fbabc34c3c90b827b0deb17eff8cd2ad07d24210e6339537
SHA512

355832eeee9ece97d5bb355dc561c29ade318487c75d56a69b70c2fb572ec6c2a495440e5ff9952e403b6a4745bf77714716aa9b2ee51a66e912b731c81d7921

Score

10^/10

evasion trojan banker gozi_ifsb ursnif spyware

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeExplorer.EXE

pid	Process
1304	powershell.exe
1304	powershell.exe
1280	Explorer.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid	Process
740	PING.EXE

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEmshta.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004b884d304a1b8f4fb2ef50325434fdfd00000000020000000000106600000001000020000000373b6713dd7c6222786c87ff44f73433a005012e0a1d9803c831c005c82a67f8000000000e80000000020000200000007ee8e307a2eb8856b951e8dc8ea906441c7bc406b428b86a868430fba1665efc900000001592a3c649797fa425ee2dd486d405f1f9632b6be5a8049e38b77c2b13b342e70757d6af2390ecfa91db97c3304f326578f4d29cce3188f29932fc6812c136c7746c8a464438b3d598cb6bccfbe90be735a4fa7a588800fa9c70680acf7ac7b7e313ec625c7d1752de6a02f971220bc10087640e8db0bdb25bd9f19d383b964df186a74850f1f447865e4b097970a7fb40000000028c16810b6dee85f17d70f7d550399fb34f5a8df8680c1a7f44094c1e95d99c94ea9d86d62faa43c3efeb9eca5973189dbe0066cc62bc1adb6735e1c21d1d94	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 304bb35a1c0ad601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "292726961"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{90DA2581-760F-11EA-966D-F260A2CC1D62} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004b884d304a1b8f4fb2ef50325434fdfd00000000020000000000106600000001000020000000ad39494a52183905adf091b833ea68f95b23b457e430553ee3582b811338ad35000000000e8000000002000020000000313c78a31c0005f1cfc3648d7161e759470caae74d6700023c8fe29617bd99e1200000006f48c22e8cb1e037cc92e579345d249e9bb2d80185518e929dbbdc3286c0a2fe4000000071380ca514d41ca566b4157405d78f2cbebba580b6c38694fb03098c777e9b7846ef74de64de913e6ff300b71b7981f7d37a6c17063d98a7d611fd80e98c5b7a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
740	PING.EXE

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid	Process
1920	regsvr32.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeExplorer.EXE

pid	Process
2028	iexplore.exe
2028	iexplore.exe
2028	iexplore.exe
1280	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	1304	powershell.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Explorer.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	Process
2028	iexplore.exe
2028	iexplore.exe
272	IEXPLORE.EXE
272	IEXPLORE.EXE
2028	iexplore.exe
2028	iexplore.exe
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
2028	iexplore.exe
2028	iexplore.exe
272	IEXPLORE.EXE
272	IEXPLORE.EXE

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid	Process
1304	powershell.exe
1280	Explorer.EXE
1280	Explorer.EXE
848	cmd.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

wscript.exeregsvr32.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	Process	procid_target
PID 1848 wrote to memory of 1900	1848	wscript.exe	24
PID 1848 wrote to memory of 1900	1848	wscript.exe	24
PID 1848 wrote to memory of 1900	1848	wscript.exe	24
PID 1848 wrote to memory of 1900	1848	wscript.exe	24
PID 1848 wrote to memory of 1900	1848	wscript.exe	24
PID 1900 wrote to memory of 1920	1900	regsvr32.exe	25
PID 1900 wrote to memory of 1920	1900	regsvr32.exe	25
PID 1900 wrote to memory of 1920	1900	regsvr32.exe	25
PID 1900 wrote to memory of 1920	1900	regsvr32.exe	25
PID 1900 wrote to memory of 1920	1900	regsvr32.exe	25
PID 1900 wrote to memory of 1920	1900	regsvr32.exe	25
PID 1900 wrote to memory of 1920	1900	regsvr32.exe	25
PID 2028 wrote to memory of 272	2028	iexplore.exe	29
PID 2028 wrote to memory of 272	2028	iexplore.exe	29
PID 2028 wrote to memory of 272	2028	iexplore.exe	29
PID 2028 wrote to memory of 272	2028	iexplore.exe	29
PID 2028 wrote to memory of 1616	2028	iexplore.exe	31
PID 2028 wrote to memory of 1616	2028	iexplore.exe	31
PID 2028 wrote to memory of 1616	2028	iexplore.exe	31
PID 2028 wrote to memory of 1616	2028	iexplore.exe	31
PID 1832 wrote to memory of 1304	1832	mshta.exe	34
PID 1832 wrote to memory of 1304	1832	mshta.exe	34
PID 1832 wrote to memory of 1304	1832	mshta.exe	34
PID 1304 wrote to memory of 1316	1304	powershell.exe	36
PID 1304 wrote to memory of 1316	1304	powershell.exe	36
PID 1304 wrote to memory of 1316	1304	powershell.exe	36
PID 1316 wrote to memory of 968	1316	csc.exe	37
PID 1316 wrote to memory of 968	1316	csc.exe	37
PID 1316 wrote to memory of 968	1316	csc.exe	37
PID 1304 wrote to memory of 1976	1304	powershell.exe	38
PID 1304 wrote to memory of 1976	1304	powershell.exe	38
PID 1304 wrote to memory of 1976	1304	powershell.exe	38
PID 1976 wrote to memory of 576	1976	csc.exe	39
PID 1976 wrote to memory of 576	1976	csc.exe	39
PID 1976 wrote to memory of 576	1976	csc.exe	39
PID 1304 wrote to memory of 1280	1304	powershell.exe	20
PID 1304 wrote to memory of 1280	1304	powershell.exe	20
PID 1304 wrote to memory of 1280	1304	powershell.exe	20
PID 1280 wrote to memory of 2028	1280	Explorer.EXE	27
PID 1280 wrote to memory of 2028	1280	Explorer.EXE	27
PID 1280 wrote to memory of 848	1280	Explorer.EXE	40
PID 1280 wrote to memory of 848	1280	Explorer.EXE	40
PID 1280 wrote to memory of 848	1280	Explorer.EXE	40
PID 1280 wrote to memory of 848	1280	Explorer.EXE	40
PID 1280 wrote to memory of 2028	1280	Explorer.EXE	27
PID 1280 wrote to memory of 848	1280	Explorer.EXE	40
PID 1280 wrote to memory of 848	1280	Explorer.EXE	40
PID 848 wrote to memory of 740	848	cmd.exe	42
PID 1280 wrote to memory of 1604	1280	Explorer.EXE	43
PID 1280 wrote to memory of 1604	1280	Explorer.EXE	43
PID 1280 wrote to memory of 1604	1280	Explorer.EXE	43
PID 1280 wrote to memory of 1484	1280	Explorer.EXE	44
PID 1280 wrote to memory of 1484	1280	Explorer.EXE	44
PID 1280 wrote to memory of 1484	1280	Explorer.EXE	44
PID 1280 wrote to memory of 856	1280	Explorer.EXE	49
PID 1280 wrote to memory of 856	1280	Explorer.EXE	49
PID 1280 wrote to memory of 856	1280	Explorer.EXE	49
PID 1280 wrote to memory of 1312	1280	Explorer.EXE	50
PID 1280 wrote to memory of 1312	1280	Explorer.EXE	50
PID 1280 wrote to memory of 1312	1280	Explorer.EXE	50

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	Process	procid_target
PID 1304 set thread context of 1280	1304	powershell.exe	20
PID 1280 set thread context of 2028	1280	Explorer.EXE	27
PID 1280 set thread context of 848	1280	Explorer.EXE	40
PID 848 set thread context of 740	848	cmd.exe	42

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1280
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\view_attach_c4h.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\UlrsxVY.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\regsvr32.exe
      -s C:\Users\Admin\AppData\Local\Temp\\UlrsxVY.txt
      4⤵
      Loads dropped DLL
      PID:1920
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\CE8C2912-D52D-3025-CFE2-D96473361DD8\\Dsprmapi'));if(!window.flag)close()</script>"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\CE8C2912-D52D-3025-CFE2-D96473361DD8").Auxiobby))
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    PID:1304
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkut1yj4\pkut1yj4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FA8.tmp" "c:\Users\Admin\AppData\Local\Temp\pkut1yj4\CSCA02A7B3417F947E486E5C59A5996C63.TMP"
        5⤵
        
        PID:968
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ay20ezz4\ay20ezz4.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA18B.tmp" "c:\Users\Admin\AppData\Local\Temp\ay20ezz4\CSC18833C17E386400CBC85FB60DFE3DC78.TMP"
        5⤵
        
        PID:576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\UlrsxVY.txt"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  PID:848
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Runs ping.exe
    PID:740
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\FE70.bi1"
  2⤵
  PID:1604
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\FCB0.bi1"
  2⤵
  PID:1484
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1468
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\FE70.bi1"
  2⤵
  PID:856
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\FCB0.bi1"
  2⤵
  PID:1312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  PID:272
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:406535 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FCB0.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCB0.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE70.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE70.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FA8.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA18B.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\UlrsxVY.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay20ezz4\ay20ezz4.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkut1yj4\pkut1yj4.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\U8VX0NRB.txt

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ay20ezz4\CSC18833C17E386400CBC85FB60DFE3DC78.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ay20ezz4\ay20ezz4.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ay20ezz4\ay20ezz4.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkut1yj4\CSCA02A7B3417F947E486E5C59A5996C63.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkut1yj4\pkut1yj4.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkut1yj4\pkut1yj4.cmdline

Download Submit
\Users\Admin\AppData\Local\Temp\UlrsxVY.txt

Download Submit
memory/740-19-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/848-17-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/848-20-0x0000000001C70000-0x0000000001D21000-memory.dmp

Filesize
708KB

Download
memory/1280-13-0x0000000003BC0000-0x0000000003BC1000-memory.dmp

Filesize
4KB

Download
memory/1280-16-0x0000000004EA0000-0x0000000004F51000-memory.dmp

Filesize
708KB

Download
memory/1280-18-0x0000000004EA0000-0x0000000004F51000-memory.dmp

Filesize
708KB

Download
memory/1304-14-0x000000001B880000-0x000000001B931000-memory.dmp

Filesize
708KB

Download
memory/1848-0-0x0000000003030000-0x0000000003034000-memory.dmp

Filesize
16KB

Download
memory/2028-15-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download