gozi_ifsb | 00bd4de4ad3ccb503cb3e46030055454905d2a4033c03a462fd755af96edab27

General

Target

SecuriteInfo.com.Win32.Kryptik.HEME.26904.exe
Size

346KB
MD5

f577fbb7280758f98ad523a7b580d818
SHA1

0c3262702dfec0ab6c305ab5126ee72b44eece07
SHA256

00bd4de4ad3ccb503cb3e46030055454905d2a4033c03a462fd755af96edab27
SHA512

d7d49d21710cf43050b9caa339462b63b20fb6419b129e37ad1e5b6c1675ab2bb33c70957dff612df9b47506d5c7b0f6f387f37c8377dfe294a713c7bff7a5ad

Score

10^/10

banker trojan gozi_ifsb ursnif spyware

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeExplorer.EXE

pid process

656 powershell.exe
656 powershell.exe
1276 Explorer.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

1828 PING.EXE

pid	process
656	powershell.exe
656	powershell.exe
1276	Explorer.EXE

pid	process
1828	PING.EXE

Modifies Internet Explorer settings 1 TTPs 85 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEmshta.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{951F0E71-B837-11EA-A718-5E3E1FB29FB8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b0829a874ca164698fa08cb019bbab8000000000200000000001066000000010000200000001e1c103c3bdced416c81f2c6448010433238f0c11561cebbeb502492d9ddd986000000000e80000000020000200000003898cec33c06b401cd4f2b7d1b5030d60645d5e3ea624c1ac5ecfe043b031cc3200000003085c3a21a2a9f785adecf8b551237317fe3e9ec8cb4db0ed11c4dcd1d5555104000000019af7a5461f3a5860e3ce6284826f9e47c134a212650e0eddf559334dcfb516c8795bfdf9e56d77bf499557a731d15c7c9a0e7bd68ef0d5a9c7cedadfc7a830f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b0829a874ca164698fa08cb019bbab8000000000200000000001066000000010000200000008b85c738d7fe233fcb96a41ae6d04ead04dd9a2c56ed2e64301930e69787e38c000000000e800000000200002000000059f5412fba413d6cdf21a2bad22e410817aa6c0d75a2f0d67ba759bd47e95a08900000001baafaad7db2e75bf18b8c36bffec2ac5d1a7b0db98badb37772fe2b7a1800bdef88fb0bd952c2a33fd06135b90b509e12c21eb5e189972db266b5da32cda1d094a785773f7c34b7680065cc33a421ffe56738ac31811f6d00e538b59b3ab155144e6ea965636f716b3513e3e144e1751e8942d0d8964b76e4dbbfb6fc76c861d288a6c73caf8f85eb5d07c8be1f861f40000000876afe1ace132d39dfee1ce8404992e60f6fabf1e3e62daa55c5fef2cc7cb7c3f5231705b078a3a3cb74c3a85bfb2f3543e4754e4e7072bab65d0514e6b771e2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BD373771-B837-11EA-A718-5E3E1FB29FB8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEExplorer.EXE

pid	process
108	iexplore.exe
108	iexplore.exe
1516	IEXPLORE.EXE
1516	IEXPLORE.EXE
1900	iexplore.exe
1900	iexplore.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1508	iexplore.exe
1508	iexplore.exe
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
1508	iexplore.exe
1508	iexplore.exe
540	IEXPLORE.EXE
540	IEXPLORE.EXE
1508	iexplore.exe
1508	iexplore.exe
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
1276	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 656 powershell.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
1276 Explorer.EXE
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1592 cmd.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1828 PING.EXE

description	pid	process
Token: SeDebugPrivilege	656	powershell.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1592	cmd.exe

pid	process
1828	PING.EXE

Checks whether UAC is enabled 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 656 set thread context of 1276	656	powershell.exe	Explorer.EXE
PID 1276 set thread context of 1592	1276	Explorer.EXE	cmd.exe
PID 1592 set thread context of 1828	1592	cmd.exe	PING.EXE

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Ursnif, Dreambot
Ursnif is a variant of the Gozi IFSB with more capabilities.
banker trojan ursnif

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exemshta.exepowershell.execsc.execsc.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 108 wrote to memory of 1516	108	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1516	108	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1516	108	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1516	108	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1568	108	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1568	108	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1568	108	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1568	108	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 1944	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 1944	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 1944	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 1944	1900	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1388	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1388	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1388	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 1388	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 540	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 540	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 540	1508	iexplore.exe	IEXPLORE.EXE
PID 1508 wrote to memory of 540	1508	iexplore.exe	IEXPLORE.EXE
PID 1320 wrote to memory of 656	1320	mshta.exe	powershell.exe
PID 1320 wrote to memory of 656	1320	mshta.exe	powershell.exe
PID 1320 wrote to memory of 656	1320	mshta.exe	powershell.exe
PID 656 wrote to memory of 1476	656	powershell.exe	csc.exe
PID 656 wrote to memory of 1476	656	powershell.exe	csc.exe
PID 656 wrote to memory of 1476	656	powershell.exe	csc.exe
PID 1476 wrote to memory of 1080	1476	csc.exe	cvtres.exe
PID 1476 wrote to memory of 1080	1476	csc.exe	cvtres.exe
PID 1476 wrote to memory of 1080	1476	csc.exe	cvtres.exe
PID 656 wrote to memory of 1928	656	powershell.exe	csc.exe
PID 656 wrote to memory of 1928	656	powershell.exe	csc.exe
PID 656 wrote to memory of 1928	656	powershell.exe	csc.exe
PID 1928 wrote to memory of 2000	1928	csc.exe	cvtres.exe
PID 1928 wrote to memory of 2000	1928	csc.exe	cvtres.exe
PID 1928 wrote to memory of 2000	1928	csc.exe	cvtres.exe
PID 656 wrote to memory of 1276	656	powershell.exe	Explorer.EXE
PID 656 wrote to memory of 1276	656	powershell.exe	Explorer.EXE
PID 656 wrote to memory of 1276	656	powershell.exe	Explorer.EXE
PID 1276 wrote to memory of 1592	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1592	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1592	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1592	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1592	1276	Explorer.EXE	cmd.exe
PID 1276 wrote to memory of 1592	1276	Explorer.EXE	cmd.exe
PID 1592 wrote to memory of 1828	1592	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1828	1592	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1828	1592	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1828	1592	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1828	1592	cmd.exe	PING.EXE
PID 1592 wrote to memory of 1828	1592	cmd.exe	PING.EXE

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeExplorer.EXE

pid	process
108	iexplore.exe
1900	iexplore.exe
1508	iexplore.exe
1508	iexplore.exe
1508	iexplore.exe
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exe

pid process

656 powershell.exe
1276 Explorer.EXE
1592 cmd.exe

pid	process
656	powershell.exe
1276	Explorer.EXE
1592	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of SendNotifyMessage
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: MapViewOfSection
PID:1276
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HEME.26904.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HEME.26904.exe"
  2⤵
  PID:1124
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\CAF07543-A1A9-8CB6-7B9E-6580DFB269B4\\\Clicring'));if(!window.flag)close()</script>"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\CAF07543-A1A9-8CB6-7B9E-6580DFB269B4").comsclen))
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    PID:656
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wipuyylg\wipuyylg.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES64DA.tmp" "c:\Users\Admin\AppData\Local\Temp\wipuyylg\CSC5F351E5616E4BE7861BDF1C6AC5BE76.TMP"
        5⤵
        
        PID:1080
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\giocxs2h\giocxs2h.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6547.tmp" "c:\Users\Admin\AppData\Local\Temp\giocxs2h\CSC559B2555E0FF4BA8BA3C277DE53AD50.TMP"
        5⤵
        
        PID:2000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Kryptik.HEME.26904.exe"
  2⤵
  - Deletes itself
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  PID:1592
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Runs ping.exe
    PID:1828

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
PID:108
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:108 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  PID:1516
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:108 CREDAT:668677 /prefetch:2
  2⤵
  PID:1568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
PID:1900
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  PID:1944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
PID:1508
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  PID:1388
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:4076548 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Checks whether UAC is enabled
  PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\j8hu3ld\imagestore.dat

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\j8hu3ld\imagestore.dat

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\j8hu3ld\imagestore.dat

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D5Z3PYL2\favicon[1].ico

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES64DA.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6547.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\giocxs2h\giocxs2h.dll

Download Submit
C:\Users\Admin\AppData\Local\Temp\wipuyylg\wipuyylg.dll

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CS7J22CN.txt

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\giocxs2h\CSC559B2555E0FF4BA8BA3C277DE53AD50.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\giocxs2h\giocxs2h.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\giocxs2h\giocxs2h.cmdline

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wipuyylg\CSC5F351E5616E4BE7861BDF1C6AC5BE76.TMP

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wipuyylg\wipuyylg.0.cs

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wipuyylg\wipuyylg.cmdline

Download Submit
memory/540-9-0x0000000000000000-mapping.dmp

Download
memory/656-13-0x0000000000000000-mapping.dmp

Download
memory/1080-17-0x0000000000000000-mapping.dmp

Download
memory/1124-0-0x0000000001C79000-0x0000000001C7A000-memory.dmp

Filesize
4KB

Download
memory/1124-1-0x0000000001D60000-0x0000000001D71000-memory.dmp

Filesize
68KB

Download
memory/1388-6-0x0000000000000000-mapping.dmp

Download
memory/1388-12-0x0000000006A30000-0x0000000006A53000-memory.dmp

Filesize
140KB

Download
memory/1476-14-0x0000000000000000-mapping.dmp

Download
memory/1516-3-0x00000000068E0000-0x0000000006903000-memory.dmp

Filesize
140KB

Download
memory/1516-2-0x0000000000000000-mapping.dmp

Download
memory/1592-28-0x0000000000000000-mapping.dmp

Download
memory/1592-29-0x000007FFFFFDF000-mapping.dmp

Download
memory/1828-30-0x0000000000000000-mapping.dmp

Download
memory/1828-31-0x000007FFFFFD6000-mapping.dmp

Download
memory/1928-21-0x0000000000000000-mapping.dmp

Download
memory/1944-4-0x0000000000000000-mapping.dmp

Download
memory/2000-24-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads