gozi_ifsb | 4f9be4851740b6d20406aca8c7f65916e4ec041f839d24e302165fe12b25b973

General

Target

fattura.exe
Size

269KB
MD5

9314c16d93a3ea519de0e30d89033b15
SHA1

c1ee1ae4a767b7f0c86e709624c6efdd38ea5198
SHA256

4f9be4851740b6d20406aca8c7f65916e4ec041f839d24e302165fe12b25b973
SHA512

f1a956acb4c570275b1447b6d576b209664396a4b5000719554dfc5f322046ceb35c7e8649f1dbe4f64610917c633975c1577db33d40bd92c12b0d9a0c333dd2

Score

10^/10

evasion trojan banker gozi_ifsb ursnif spyware

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

fattura.execontrol.exe

pid process

2024 fattura.exe
1868 control.exe
1868 control.exe

pid	process
2024	fattura.exe
1868	control.exe
1868	control.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

fattura.execontrol.exe

description	pid	process	target process
PID 2024 set thread context of 1868	2024	fattura.exe	control.exe
PID 1868 set thread context of 1256	1868	control.exe	Explorer.EXE
PID 1868 set thread context of 1040	1868	control.exe	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

pid	process
1256	Explorer.EXE

Makes http(s) request 4 IoCs

Contacts server via http/https, possibly for C2 communication.

Processes:

description	flow	ioc
HTTP URL	10	http://securezza.at/favicon.ico
HTTP URL	13	http://securezza.at/images/d0nia6sfF3/iCpOghatR2CSillIR/8tIFbk8EYVfR/9VR4Dokzn86/RF76xCKX4jH6_2/FgigCqnEVr7p5SbkJe33V/AVgz4Vbc4cmue3r3/sTw0MX1QW5H1GXH/myMj0JJBftvWjrKzn0/7wlxwSYFPP1_2/BYZrRC5.avi
HTTP URL	14	http://securezza.at/images/a4A_2FvLSrr233EvO72xXQW/1snsb4vwPg/ArpyZ6ODdhjoK8HYt/KlHs1g9uJUt3/Oq3dUQOU586/924KIRrj_2B2V5/yOgrC_2FBTp0i3b5sAYQp/tUhHq21D4MOIhc60/esY_2F5_2BUi6Rl/Zh_2FrPQ0fjQgD10u_/2Bsp5SVqa/jrGyVqQZcnSQcDQ6Qo/Y.avi
HTTP URL	11	http://securezza.at/images/g5bCfiTmN4eL0C/nuA_2FM_2BtP5HMJJVBTy/qWjGqVy_2F7Jxjli/pq8GCCBuwoqxibl/QVXyLQyy25Oz8m13qA/Fedi2HD4x/0_2BWCUORVf6KlKn6QtN/w5sIiCiQS8emiBRpEl_/2FbQa5iLb6seK_2BRJFYzX/Mpocx7UM.avi

Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exefattura.execontrol.exe

description	pid	process	target process
PID 1316 wrote to memory of 1668	1316	iexplore.exe	IEXPLORE.EXE
PID 1316 wrote to memory of 1668	1316	iexplore.exe	IEXPLORE.EXE
PID 1316 wrote to memory of 1668	1316	iexplore.exe	IEXPLORE.EXE
PID 1316 wrote to memory of 1668	1316	iexplore.exe	IEXPLORE.EXE
PID 1316 wrote to memory of 364	1316	iexplore.exe	IEXPLORE.EXE
PID 1316 wrote to memory of 364	1316	iexplore.exe	IEXPLORE.EXE
PID 1316 wrote to memory of 364	1316	iexplore.exe	IEXPLORE.EXE
PID 1316 wrote to memory of 364	1316	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1040	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1040	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1040	1720	iexplore.exe	IEXPLORE.EXE
PID 1720 wrote to memory of 1040	1720	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 1540	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 1540	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 1540	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 1540	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 1664	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 1664	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 1664	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 1664	1456	iexplore.exe	IEXPLORE.EXE
PID 2024 wrote to memory of 1868	2024	fattura.exe	control.exe
PID 2024 wrote to memory of 1868	2024	fattura.exe	control.exe
PID 2024 wrote to memory of 1868	2024	fattura.exe	control.exe
PID 2024 wrote to memory of 1868	2024	fattura.exe	control.exe
PID 2024 wrote to memory of 1868	2024	fattura.exe	control.exe
PID 2024 wrote to memory of 1868	2024	fattura.exe	control.exe
PID 2024 wrote to memory of 1868	2024	fattura.exe	control.exe
PID 1868 wrote to memory of 1256	1868	control.exe	Explorer.EXE
PID 1868 wrote to memory of 1256	1868	control.exe	Explorer.EXE
PID 1868 wrote to memory of 1256	1868	control.exe	Explorer.EXE
PID 1868 wrote to memory of 1040	1868	control.exe	rundll32.exe
PID 1868 wrote to memory of 1040	1868	control.exe	rundll32.exe
PID 1868 wrote to memory of 1040	1868	control.exe	rundll32.exe
PID 1868 wrote to memory of 1040	1868	control.exe	rundll32.exe
PID 1868 wrote to memory of 1040	1868	control.exe	rundll32.exe
PID 1868 wrote to memory of 1040	1868	control.exe	rundll32.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
1316	iexplore.exe
1316	iexplore.exe
1668	IEXPLORE.EXE
1668	IEXPLORE.EXE
1720	iexplore.exe
1720	iexplore.exe
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
1456	iexplore.exe
1456	iexplore.exe
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
1456	iexplore.exe
1456	iexplore.exe
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1456	iexplore.exe
1456	iexplore.exe
1540	IEXPLORE.EXE
1540	IEXPLORE.EXE
1256	Explorer.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeExplorer.EXE

pid process

1316 iexplore.exe
1720 iexplore.exe
1456 iexplore.exe
1456 iexplore.exe
1456 iexplore.exe
1256 Explorer.EXE

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXEiexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 84 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{400218F1-867E-11EA-8783-EA82E0E1E76E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{30C70CB1-867E-11EA-8783-EA82E0E1E76E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11A59131-867E-11EA-8783-EA82E0E1E76E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dcc209169d6de14b878908571718e5580000000002000000000010660000000100002000000020a288dc67921baefc4a6f4dba8865731a20600cce76a4550eb77102115b5009000000000e800000000200002000000074b73ef51aed1375c5b30ad749a5313a7fa08de9a625ce222de2496d5bb832cd90000000920be7f08edcad70ec19556a9a2ecd697f182fada0c791dad81a0bca9920b10f0f738db9f7b2f25418a6fab0cc3baeaa1a40183d248359491bbdec0f93040e15bb7e9716bafce0c41b8079b5bb3b7e35c2c2c2933c2c0e9e670e1dac26a7d566da021621b6b3a891df9ee86b4b666323c9058eaa2b090cf5214c25ffec5a2b1e7d23f384ee924a4ae569aef0bc6f593a40000000c42fc8575090ad741a682271c753bab56123742287b38e20f455acbf87a384c5a7a98a27fe56a146cf160d478268b30353954417be6d8bd945a37d0e8964c19c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dcc209169d6de14b878908571718e558000000000200000000001066000000010000200000000b9d5ff3ff09be17cf5fbc97b92d8ade2208487c10d279210199478a7a33036c000000000e80000000020000200000002964b5e928f2daa552f615638ac4502fc342493d2850b01174f5221ca662853320000000d55029c12de1fc023ea21de8ce2d37a4f90b9900971f34bd8750e00b7bb3422a40000000d53f6218a11a7e4eba018c83c8b2dc2c9484be9d4a3d64667b2daab900532e20a8fa5c82e8c53a1f74a62592979b7df8f7307b5b159aa7f7631307d1aab8b8ff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
PID:1256
- C:\Users\Admin\AppData\Local\Temp\fattura.exe
  "C:\Users\Admin\AppData\Local\Temp\fattura.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\control.exe
    C:\Windows\system32\control.exe /?
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
      4⤵
      PID:1040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:1316
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  PID:1668
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:537610 /prefetch:2
  2⤵
  PID:364

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:1720
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  PID:1040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:1456
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  PID:1540
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:537610 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\qwq3m66\imagestore.dat

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9DC9ER1M\favicon[1].ico

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ECZ84JHN.txt

Download Submit
memory/1040-11-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1256-9-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1540-6-0x00000000062E0000-0x0000000006303000-memory.dmp

Filesize
140KB

Download
memory/1668-2-0x0000000005B20000-0x0000000005B43000-memory.dmp

Filesize
140KB

Download
memory/1868-7-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1868-10-0x0000000001BA0000-0x0000000001C35000-memory.dmp

Filesize
596KB

Download
memory/1868-12-0x00000000027B0000-0x0000000002845000-memory.dmp

Filesize
596KB

Download
memory/2024-8-0x00000000074B0000-0x0000000007545000-memory.dmp

Filesize
596KB

Download
memory/2024-0-0x00000000048CB000-0x00000000048CC000-memory.dmp

Filesize
4KB

Download
memory/2024-1-0x0000000006090000-0x00000000060A1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads