gozi_ifsb | 77ce825e2c50017520147fce8c85173fd63077ef97a07097b53ec61df9048b83

General

Target

my_attach_p2v.js
Size

1.3MB
MD5

3bfdc69fe78e172ffe8c054d36596163
SHA1

ecddf99225e7fb6940270ef115b5c275f48e5f0b
SHA256

77ce825e2c50017520147fce8c85173fd63077ef97a07097b53ec61df9048b83
SHA512

456162fff6f4c83df925fd2ead41c24001d1ab2982f7a8bc740b7d051e1697899fe24959ebb23569a40fead8e905becdd7786fad28a651cc73baa73f885864ce

Score

10^/10

spyware banker trojan gozi_ifsb ursnif

Malware Config

Signatures

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE

pid	process
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE

Checks whether UAC is enabled 3 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEiexplore.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEmshta.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "297865589"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cf8d5bd09b0364592b95b96ab3123880000000002000000000010660000000100002000000093619a2d10e82345a6b8739582561397959bb67cab78e96590730329d1f13871000000000e8000000002000020000000bdfb4817ba87b43cbb4b430ec63e8cad6b2ef7267d3feec66ed452932277b63920000000b491596dcc8d24d2e7e54e525e30306acbd93d8dbcb135bf877f69fb471bc5e04000000049e079b3b6945ba2b9211c4b3899bd5dd18b03995eb63120791b1d4469968747de0f138a607370f3b1a73327379da5d6c1604b541113da09ec7ddebf81bc92a7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DFD5BB01-A4CB-11EA-AA57-F678E1C9FB3B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10876da8d838d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007cf8d5bd09b0364592b95b96ab312388000000000200000000001066000000010000200000005ba24012ec7812866e98e8d2e2b8104c878e556c070ac8169ed5a816aaf1bc12000000000e800000000200002000000019d3c2994926854e179c86dd26921c03a9d1e03bf0d4d507bbb4909ca75749eb9000000092f56ef154ec948291ac16d26c77e644ca15662a3449025bfb1d5e51e8888bd5bcbdf3a07134cdc32a9bc556168ca3eae5114f93894880cad87be8fc09fbd07ee7375e4662e33e0b3fc244d5dc83935ca8705993a78663488829ba34ae1c62ee9b89ad2e7b7061efcfc3b759fef730c68baf325bd0ba4a8bc9d7f824f0f2b880b3438fd5d67b8692a3c94498ef13be41400000005f0fc78bcd520afd6916ae97ac404663337bf37ebae1ca063da5b6af29caf277721be8ebf68dae9461d486cd8ce04cf3c9c0b1e978f89324e4c53c2d3c23b3af	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
268	iexplore.exe
268	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
268	iexplore.exe
268	iexplore.exe
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
268	iexplore.exe
268	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 364 powershell.exe
Token: SeShutdownPrivilege 1312 Explorer.EXE
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

364 powershell.exe
1312 Explorer.EXE
1312 Explorer.EXE
1104 cmd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1312 Explorer.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif
Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exeExplorer.EXE

pid process

268 iexplore.exe
268 iexplore.exe
268 iexplore.exe
1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE
1312 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	364	powershell.exe
Token: SeShutdownPrivilege	1312	Explorer.EXE

pid	process
364	powershell.exe
1312	Explorer.EXE
1312	Explorer.EXE
1104	cmd.exe

pid	process
1312	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 364 set thread context of 1312	364	powershell.exe	Explorer.EXE
PID 1312 set thread context of 268	1312	Explorer.EXE	iexplore.exe
PID 1312 set thread context of 1104	1312	Explorer.EXE	cmd.exe
PID 1104 set thread context of 568	1104	cmd.exe	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

568 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

568 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeExplorer.EXE

pid process

364 powershell.exe
364 powershell.exe
1312 Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1016 regsvr32.exe

pid	process
568	PING.EXE

pid	process
568	PING.EXE

pid	process
364	powershell.exe
364	powershell.exe
1312	Explorer.EXE

pid	process
1016	regsvr32.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

wscript.exeregsvr32.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1304 wrote to memory of 1508	1304	wscript.exe	regsvr32.exe
PID 1304 wrote to memory of 1508	1304	wscript.exe	regsvr32.exe
PID 1304 wrote to memory of 1508	1304	wscript.exe	regsvr32.exe
PID 1304 wrote to memory of 1508	1304	wscript.exe	regsvr32.exe
PID 1304 wrote to memory of 1508	1304	wscript.exe	regsvr32.exe
PID 1508 wrote to memory of 1016	1508	regsvr32.exe	regsvr32.exe
PID 1508 wrote to memory of 1016	1508	regsvr32.exe	regsvr32.exe
PID 1508 wrote to memory of 1016	1508	regsvr32.exe	regsvr32.exe
PID 1508 wrote to memory of 1016	1508	regsvr32.exe	regsvr32.exe
PID 1508 wrote to memory of 1016	1508	regsvr32.exe	regsvr32.exe
PID 1508 wrote to memory of 1016	1508	regsvr32.exe	regsvr32.exe
PID 1508 wrote to memory of 1016	1508	regsvr32.exe	regsvr32.exe
PID 268 wrote to memory of 1620	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1620	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1620	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1620	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1932	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1932	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1932	268	iexplore.exe	IEXPLORE.EXE
PID 268 wrote to memory of 1932	268	iexplore.exe	IEXPLORE.EXE
PID 1252 wrote to memory of 364	1252	mshta.exe	powershell.exe
PID 1252 wrote to memory of 364	1252	mshta.exe	powershell.exe
PID 1252 wrote to memory of 364	1252	mshta.exe	powershell.exe
PID 364 wrote to memory of 816	364	powershell.exe	csc.exe
PID 364 wrote to memory of 816	364	powershell.exe	csc.exe
PID 364 wrote to memory of 816	364	powershell.exe	csc.exe
PID 816 wrote to memory of 1984	816	csc.exe	cvtres.exe
PID 816 wrote to memory of 1984	816	csc.exe	cvtres.exe
PID 816 wrote to memory of 1984	816	csc.exe	cvtres.exe
PID 364 wrote to memory of 1968	364	powershell.exe	csc.exe
PID 364 wrote to memory of 1968	364	powershell.exe	csc.exe
PID 364 wrote to memory of 1968	364	powershell.exe	csc.exe
PID 1968 wrote to memory of 1908	1968	csc.exe	cvtres.exe
PID 1968 wrote to memory of 1908	1968	csc.exe	cvtres.exe
PID 1968 wrote to memory of 1908	1968	csc.exe	cvtres.exe
PID 364 wrote to memory of 1312	364	powershell.exe	Explorer.EXE
PID 364 wrote to memory of 1312	364	powershell.exe	Explorer.EXE
PID 364 wrote to memory of 1312	364	powershell.exe	Explorer.EXE
PID 1312 wrote to memory of 1104	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1104	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1104	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1104	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 268	1312	Explorer.EXE	iexplore.exe
PID 1312 wrote to memory of 268	1312	Explorer.EXE	iexplore.exe
PID 1312 wrote to memory of 268	1312	Explorer.EXE	iexplore.exe
PID 1312 wrote to memory of 1104	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1104	1312	Explorer.EXE	cmd.exe
PID 1104 wrote to memory of 568	1104	cmd.exe	PING.EXE
PID 1312 wrote to memory of 620	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 620	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 620	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1660	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1660	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 1660	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 2028	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 2028	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 2028	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 840	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 840	1312	Explorer.EXE	cmd.exe
PID 1312 wrote to memory of 840	1312	Explorer.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SendNotifyMessage
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\my_attach_p2v.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\tmDvhuQzZOS.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\SysWOW64\regsvr32.exe
      -s C:\Users\Admin\AppData\Local\Temp\\tmDvhuQzZOS.txt
      4⤵
      Loads dropped DLL
      PID:1016
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\136B3805-56F5-BDAC-F8F7-EA41AC1BBE05\\\Efsltprf'));if(!window.flag)close()</script>"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\136B3805-56F5-BDAC-F8F7-EA41AC1BBE05").dmrctcls))
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4k5ay0zd\4k5ay0zd.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BB2.tmp" "c:\Users\Admin\AppData\Local\Temp\4k5ay0zd\CSCB820DF013E61497EA03D15416414D.TMP"
        5⤵
        
        PID:1984
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nl0swdpe\nl0swdpe.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C4E.tmp" "c:\Users\Admin\AppData\Local\Temp\nl0swdpe\CSCF9D38BA2D54A49A1BA45CCD6A63AC56D.TMP"
        5⤵
        
        PID:1908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\tmDvhuQzZOS.txt"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Runs ping.exe
    PID:568
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\F1FC.bi1"
  2⤵
  PID:620
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\EB70.bi1"
  2⤵
  PID:1660
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1820
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\EB70.bi1"
  2⤵
  PID:2028
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\F1FC.bi1"
  2⤵
  PID:840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:268
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
  2⤵
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:406535 /prefetch:2
  2⤵
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4k5ay0zd\4k5ay0zd.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB70.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB70.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1FC.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1FC.bi1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9BB2.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C4E.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\nl0swdpe\nl0swdpe.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmDvhuQzZOS.txt

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R6OS9EZN.txt

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4k5ay0zd\4k5ay0zd.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4k5ay0zd\4k5ay0zd.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4k5ay0zd\CSCB820DF013E61497EA03D15416414D.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nl0swdpe\CSCF9D38BA2D54A49A1BA45CCD6A63AC56D.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nl0swdpe\nl0swdpe.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nl0swdpe\nl0swdpe.cmdline

Download Submit
\Users\Admin\AppData\Local\Temp\tmDvhuQzZOS.txt

Download Submit
memory/268-15-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/364-14-0x000000001C9C0000-0x000000001CA71000-memory.dmp

Filesize
708KB

Download
memory/568-19-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1104-20-0x0000000002540000-0x00000000025F1000-memory.dmp

Filesize
708KB

Download
memory/1104-17-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1304-0-0x00000000029E0000-0x00000000029E4000-memory.dmp

Filesize
16KB

Download
memory/1312-18-0x00000000065A0000-0x0000000006651000-memory.dmp

Filesize
708KB

Download
memory/1312-16-0x00000000065A0000-0x0000000006651000-memory.dmp

Filesize
708KB

Download
memory/1312-13-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads